I have had a tremendous reaction to my previous blog posts on BYOD. In the first I looked at the basics of putting a BYOD policy together for your network, and my last blog post looked at remote access technologies in a BYOD era. A common question that I have been asked is what happens when BYOD goes wrong? It is inevitable that mobile devices will be lost, and in some cases they may fall into the wrong hands. When this happens you need to ask three questions.
- Can the device be locked down remotely?
- Do you have the tools and data available to identify what may have been on the device?
- Do you have an incident response plan?
If a device is stolen by someone who knows what they are doing, they will get access to the data on it unless you are somehow able to wipe it first. Previously, I have recommended that you provide portal access to applications and systems, which avoids the need to store sensitive data on mobile devices. However, by definition there is no secure remote access solution that prevents sensitive data from leaving your network. Some vendors claim to solve this problem by providing the ability to lock down or delete data remotely. It is never guaranteed that you can remote wipe a device once it is lost. There are many techniques which can be used to prevent remote wiping; an example of this is switching on airplane mode on the device.
Once a device has been lost you should disable any VPN or remote access accounts associated with the owner or user of the device. Most users will have some idea as to what data they stored on their device, but relying on them directly for this information is risky. You should have systems in place that allow you to find out who is doing what on your network. These can be simple things like capturing logs of who is logging on, or more complex strategies such as deploying deep packet inspection systems to track which files are being accessed on file shares. These types of investigations are often referred to as network forensics. The more detail you can gather about a specific event, the better prepared you are to take the appropriate actions.
If you are considering a cloud based VPN or MDM service, I would suggest that you check if the service provides you with access to log files which track when users are logging onto your network. You should have a record of when users connect, but also of failed logons, as these can be a sign that someone is trying different passwords. If you host your own VPN equipment, you should check that you have access to logs which show when users are connecting to your network. Don’t rely on logging on the end user devices, as it is unreliable and will be lost if the device is mislaid.
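As an added illustration of what those VPN logon records let you do once a device is reported missing (example code written for this post, not from any vendor product; the log format, user names, addresses and the failure threshold are all assumed), the script below parses constructed log lines, lists every logon attempt by the lost device's user from the time of the loss onwards, and flags bursts of failed logons from a single source address:

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample VPN log lines (hypothetical format, not from any real product).
SAMPLE_LOG = """\
2013-05-01 08:02:11 vpn LOGON user=alice src=203.0.113.5 result=success
2013-05-01 08:05:40 vpn LOGON user=bob src=198.51.100.7 result=success
2013-05-01 21:14:02 vpn LOGON user=alice src=192.0.2.44 result=failure
2013-05-01 21:14:09 vpn LOGON user=alice src=192.0.2.44 result=failure
2013-05-01 21:14:15 vpn LOGON user=alice src=192.0.2.44 result=failure
2013-05-01 21:14:22 vpn LOGON user=alice src=192.0.2.44 result=failure
2013-05-01 21:15:01 vpn LOGON user=alice src=192.0.2.44 result=success
2013-05-02 07:59:30 vpn LOGON user=bob src=198.51.100.7 result=success
"""
TS_FMT = "%Y-%m-%d %H:%M:%S"
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) vpn LOGON user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+)$"
)

def parse_log(text):
    """Parse log lines into dicts; lines that do not match the assumed format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            d = m.groupdict()
            d["ts"] = datetime.strptime(d["ts"], TS_FMT)
            events.append(d)
    return events

def logons_after_loss(events, user, lost_at):
    """Every logon attempt (success or failure) by the user from the reported loss time onwards."""
    since = datetime.strptime(lost_at, TS_FMT)
    return [e for e in events if e["user"] == user and e["ts"] >= since]

def failed_logon_bursts(events, threshold=3, window=timedelta(minutes=5)):
    """Flag (user, src) pairs with at least `threshold` failures inside `window`:
    repeated failures from one source can be a sign of someone trying different passwords."""
    failures = defaultdict(list)
    for e in events:
        if e["result"] == "failure":
            failures[(e["user"], e["src"])].append(e["ts"])
    flagged = []
    for key, times in failures.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                flagged.append(key)
                break
    return flagged
```

In the sample data, alice's device is reported lost at 20:00 and the log then shows four failures followed by a success from a new address, exactly the sequence that should trigger disabling her remote access accounts.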
Once you have completed your investigation and you have determined that there was sensitive data stored on the lost mobile device, you should then invoke an incident response plan. I would recommend that most organisations look at putting a plan together sooner rather than later. This is because BYOD is a user-driven movement, not a secure mobile device strategy. Proper management of an event can reduce the negative publicity and costs associated with it. In some cases you may be legally compelled to disclose that certain data was lost, and this should be documented in your response plan. Users should also be educated on what is contained within the incident response plan. Once they realise that their device is missing, they should know who to inform and what initial actions they should take.
Do you have any horror stories of when BYOD went wrong on your network? Comments welcome.