Itc596 | Risks And Mitigation Assessment Answers

Answer:

Introduction

Cloud communications and wireless technologies are on the rise and are now used by most organizations. This has led to the organizations adopting bring your device (BYOD) policy. This is a logical step that makes good use of the wireless technologies and cloud tools in effectively connecting people (Bonaci, Herron, Yusuf, Yan, Kohno, & Chizeck (2015). To make a robot secure: An experimental analysis of cyber security threats against teleoperated surgical robots) .Employees are the ones who determine the capacity of the workforce to bring their own devices to the workstation for business-related purposes. Devices such as smartphones, tablets and laptops are now owned by most people who consider them as necessary to bring in the workplace as they help in carrying out their duties. They also consider the devices as personal and should have a capacity for privacy with what they do with their devices, even in the workplace (Yunfei, Yuanbao, Xuan, Xuan & Qi, 2015).

Importance of BYOD systems

The demand by employees for BYOD grows every day. Staff members can work from their devices with fewer complications of switching from one machine to another. This also allows them to virtually work from anywhere. Employers also benefit from users working with their own devices as they do not incur the costs of providing mobile devices for their staff members and still have them connected to the organization's network remotely. Employers also benefit as maintenance of the devices and software upgrades are done by the users themselves, driving down the cost for the organization's management (Rid & Buchanan,2015).

Despite the security risks of having employees working from their gadgets, employees have been enjoying the benefits of bringing their own devices to the workplace for the last several years. Having an employer who will put an end to the practice which has now become a norm for most staff members seems unlikely. It will lead to a reduction in productivity for the organization as staff members will require time to adjust to the new system that requires one to leave their devices behind when coming to work. The challenge remains to find out the security risks linked with BYOD and coming up with the best solutions that moderate the risks.  All organizations have their own strategy to BYOD that determines the security measure approach that will be put in place. The Way BYOD is practiced in the workplace, the devices that are in use, the individuals using them plus the environment and time they are using the devices are the first considerations in setting rules for security measures. Considering this factors will help in achieving a balance of the benefits BYOD brings to an organization and staff members against the risks of the same.  The benefits of BYOD are substantial. Increased employee satisfaction and more productivity are the main advantages that are brought about by the policy. During the period when BYOD was a new trend for companies, the practice was smart and practical saving IT departments from spending lots of money on devices, Increase in cyber-attacks in recent years has however created an uncertainty towards BYOD(Meredith, I. T., Walters, Dumonteil, N., Worthley,Tchétché, Manoharan, & Lefèvr,2016).

Risks of BYOD to Gigantic Corporation

BYOD leads to technical challenges, but the primary risks that are brought by this approach are privacy and security. Connecting to wireless networks such as Wi-Fi and Bluetooth, gaining access to the network resources like printers and files that are shareable and addressing machine integration issues are among the technical problems that arise from BYOD risks.

Privacy and security are the risks that face the corporation and staff members. Both are exposed to these risks but in ways that are different. The firm might be more concerned about the security of the corporate data on how the behaviors of the users expose it to risk. Employees, on the other hand, might be more concerned about their data. The confidentiality and privacy of their personal data on the firm’s network is their main issue, plus the authority that their employers have to access it (Joinson, & Steen, 2018).

Security issues

The following are some of the security Issues:

One of the security risks that the corporation or any other institution faces from using BYOD policy is local exposure. The firm’s  Data which is being transferred, processed and stored on personal devices is vulnerable to lose of control and visibility. Studies have shown that close to 22 percent of mobile devices manufactured end up being lost or stolen. Majority of the devices are never recovered by the users. Most of the devices are stolen for the value of the gadget but gaining access to the information stored in them is also a growing factor. Users’ personal information together with the corporation’s data risk getting out in the open if the information stored in the devices is retrieved (Cintuglu, Mohammed, Akkaya, & Uluagac, 2017)

Another risk that exposes the firm to a cyber-attack from implementing the BYOD policy is the lack of a password protection mechanism on the personal devices. Most users find it tasking to protect their devices and the applications running in the devices with a password. The few that choose to do so create a weak password to avoid inconveniences. The devices are therefore easy to compromise in the event of a hack or theft (Abomhara & Køien, 2015).

The corporation also faces the risk of mobile app breach. There are numerous apps whose aim is corrupting the software of the devices. Not only do they destroy the software components of the devices, but they also gain access to personal information in the device. Users of personal devices risk exposure to these applications. As the users browse through the internet via their devices, they might be prompted to click on a link that directs them to the malicious applications. Users who are not really keen will follow the link allowing the applications to gain access to their devices. Personal and company information stored in the devices, therefore, fall in danger of ending up to unscrupulous people. Applications released by the corporation also face a problem as they may be attacked if they do not include a safeguarding feature incorporated within them (Gupta, Agrawal, & Yamaguchi, 2016).

Another disadvantage of the BYOD policy is that the corporation racks up charges for purchases made by the users for personal reasons. In most instances, the personal devices' users pay for their own mobile devices and in-app purchases. This might not be the case for Gigantic Corporation. The firm might foot the bill for the purchases made by employees through user triggered charges if the users conduct the transaction through the company's network. Eventually, the management ends up spending more on resources that bring minimum value to their organization (Taylor, Fritsch, Liederbach, Saylor& Tafoya, 2019).

The policy also leads to cross contamination that leads to the risk of users accidentally deleting corporate data. One of the risks of having personal data and work information hosted on the same device is the cross-contamination leads to users mixing files and may fail to trace work files or possibly delete them (Korstanje,2016).

Users of Personal devices apply unlocking and rooting procedures to customize their operating systems. Some of these procedures bypass vendor configuration limitations exposing device sensors to insecure applications. This creates a loophole for the application to gain access or retrieve the corporates data (Khurana, Guralnik & Shanley, 2014).

Privacy Issues

BYOD devices allow for the corporate network to legally access the data in the devices. Initially, the main concern was big brother type whereby the staff were worried the company might be able to access their private internet browsing sessions. The company would find out what they did on their social media accounts (Buczak, & Guven, 2016). The firms' main interest, however, is the exposure of their activities while browsing the internet in compromising the company's security.  The corporation is worried that their spare time browsing can be a vulnerability to the system (Watters, Doyle, (Peltokangas & Keane, 2017).

 Organizations can dig deep into personal data in the event of a security breach. The devices of the employees may be requested for investigation in the context of litigation that involves the corporation (Beaumont, 2018).

Users also risk losing all their data in the event of a sweep after a security breach. Certain BYOD systems do not recognize the difference between personal and corporate data. The systems are designed to automatically delete all data stored in the system when a security breach event occurs. Employees who might have failed to back up their personal data in other devices lose it .

 The company will also be able to track the physical location of the users who connect with the BYOD system of the network. This might not be the intention of the company's IT infrastructure but the setup of the system most certainly can track the devices connected (Amsler, Allen, Messer & Healy, 2016).

Recommendations in Security Technologies That assist in reducing risks of BYOD Policy

The risks and vulnerabilities that expose the corporation and personal users’ data to cyber-attacks from the BYOD policy have minimal solutions. The firms, however, have several options in mitigating the threats (Ayyagari, Aldrich, Corman, Gutt,& Whelan, 2015).

Mobile device Management (MDM) is among the considerations that the corporation should consider in implementing on their BYOD system. The management system incorporated with Mobile Application Management(MAM) involve software companies that assist in securing BYOD systems The firm can purchase the third party software services whose activities involve remotely wiping data from missing devices and tracking the missing devices too. MDM also helps kin data segregation, the services separate work and personal files and records such as contacts and places them in different addresses. This reduces the exposure of data leakage for personal records of the users in the event of litigation of the corporation’s data. The segregation also reduces the mix up of selecting a personal contact address as the recipient for sending the corporation’s information (Anwar, He, Ash, Yuan & Xu, 2017).

Enterprise Mobility Management (EMM) is also another way that the corporation can mitigate BYOD risks. The technique is similar to MDM, but it manages the whole device. EMM regulates the applications available for the users to download. The service checks if the applications have installed necessary security encryption measures. If the applications do not meet the minimum standards, EMM adds its layer of encryption and control mechanisms. The EMM services, however, require the app developers’ permissions and design files to add the patches. Most developers do not like sharing this information limiting EMM services (Abdi, Chen, Hasan, Liu, Mohan, & Caccamo, 2018).

Next Generation Network Access Control (NAC) techniques can also be used to mitigate the risks of Incorporating BYOD systems for the corporation’s data. The NAC software creates an authentication procedure for users with personal devices on the system. The NAC also creates firewalls and antiviruses as security applications on the network. This creates restrictions for endpoint devices to access certain areas within the network as stipulated in the security policy. The policy allows the administrators to dig deep into the who, what, where and when a data breach occurred through a person’s device. NAC allows for the network administrators to add strict rules. The management might decide to allow a user to access certain network services during working hours but automatically limit their access beyond the working time for personal use (Canedo, Dalloro, Wei, & Collar, 2018)

Data Loss Prevention (DLP) tools is also a strategy that can be utilized in minimizing exposure of corporate data to secondary parties. As users create information on their devices, the DLP tools apply a usage policy for the information. The information could be a file, an email or even an application. For example, the tools could recognize data containing social security numbers or credit card information. DLP just like NAC applies features that follow security policies and rules. The tools can place a watermark or memo on the sensitive data helping the administrators in following up the information. It monitors the people accessing the data followed by tracing the transmission of the information by the users. The feature, however, has the limitation of leading the staff members using the system having a negative experience in using the system (Legg, 2015).

Updating the operating system, applications, firmware and software also offers a security measure that minimizes exposure of corporate data through personal devices. Most applications and operating systems have regular updates released by their developers. The updates are important as they have the latest security patches that keep users protected from the new threats and risks. Users should ensure that they upgrade to the latest software release to help increase the security of the corporation’s network and data.

The corporation also needs to ensure that their data is stored in a secondary database. This could be a central server within the organization or even cloud services whereby the corporation seeks cloud computing services from external vendors to store their data. This will offer a backup plan for the corporation’s data. If a user loses a device that contained work files and data, the data is retrieved from the back up storage

Conclusion

BYOD systems are here to stay in this current times. Firms and organizations will have to find ways to deal with employees devices connecting within their network framework. There are several measures that the corporation can use to mitigate the risks. A comprehensive approach could be used to take control of the firms BYOD system. The strategy involves incorporating a pair of solutions that best fit the company's operations. For example, a firm may opt to choose MDM and NAC tools and services as the best solution for their firm. Gigantic Corporation being an IT firm may go for DLP tools and NAC techniques. The DLP tools will allow the administrators to track the usage of data by individuals within their network. NAC services will create restrictions on users in accessing data beyond their authorization. NAC services generate an authentication hierarchy system that allows users to access only the applications and information on their level (Bonaci, Herron, Yusuf, Yan, Kohno & Chizeck, 2015)

Remotely wiping data is also a proper mitigation technique that can be used to regulate BYOD policies. The technique allows the corporation's network administrators to remotely erase data from a device. This also involves overwriting data stored in the device preventing forensic retrieval or returning the device to the manufacturers hence no one will gain access to the information on the device in future.

The corporation needs to come up with a solution that creates a balance between personal use and work use by users of BYOD devices. The technique employed should be such that when the system comes across a security breach, the administrators physically confirm if the device was stolen or missing rather than automatically deleting all the data. This can be done by easily making a phone call to the user of the device and finding out if they are aware of the operations of their devices (Nicolaou, Eliades, Panayiotou, & Polycarpou, 2018)

The corporation could also conduct a risk profiling to determine the vulnerabilities of their information systems. This will help them in coming up with their own requirements for protecting their data. Environments that require compliance will be established depending on the risk profile of the environment. This will help in coming up with security policy measures for use of personal devices within the workplace (Mead, Vasatka, & Craig, 2017).

Creating a BYOD policy that helps in regulating the use of personal devices in the workplace should be done. The policy assists in addressing simple considerations such as the objectives of the BYOD system, the staff members allowed to carry their own devices and the devices plus operating systems that the corporation’s network supports. The policy should stipulate the persons responsible for paying the charges incurred in using the personal devices under the firm’s resources. The policy should also contain details on the privacy that users are guaranteed when using their gadgets in the workplace. It should also stipulate the consequences of violating the BYOD policy and the safety measures used once a device has been compromised. With the policies in place, the effectiveness of the BYOD approach will be determined by the corporation’s ability to educate their employees. Employing effective ways of managing and supporting devices plus enforcing the BYOD policies will also increase effectiveness of the BYOD approach.

The management of gigantic corporation should not shy away from allowing their staff members to bring in their own devices in the workplace. Instead, they need to embrace it and encourage them to do so. This will increase the employee satisfaction and lead to an increase in productivity in the services of the corporation. The company will also learn new methods of mitigating cyber-attack threats. Allowing people to access the firm’s network through their devices will lead to the management employing different strategies in mitigating new risks that arise with emerging technologies. BYOD is a trend that will stay and grow as users cannot pass by the advantages that come with the policy. The sooner corporations embrace it the better (Mussington, Arnold, Dupont, Hilts, Grayson, Leuprecht & Tupler, 2018).

References

Abdi, F., Chen, C. Y., Hasan, M., Liu, S., Mohan, S., & Caccamo, M. (2018, April). Guaranteed physical security with restart-based design for cyber-physical systems. In Proceedings of the 9th ACM/IEEE International Conference on Cyber-Physical Systems (pp. 10-21). IEEE Press.

Abomhara, M., & Køien, G. M. (2015). Cyber security and the internet of things: vulnerabilities, threats, intruders and attacks. Journal of Cyber Security, 4(1), 65-88.

Almehmadi, A., & El-Khatib, K. (2017). On the possibility of insider threat prevention using intent-based access control (IBAC). IEEE Systems Journal, 11(2), 373-384.

Amsler, D. B., Allen, N., Messer, S., & Healy, T. (2016). U.S. Patent No. 9,258,321. Washington, DC: U.S. Patent and Trademark Office.

Anwar, M., He, W., Ash, I., Yuan, X., Li, L., & Xu, L. (2017). Gender difference and employees' cybersecurity behaviors. Computers in Human Behavior, 69, 437-443.

Ayyagari, A., Aldrich, T. M., Corman, D. E., Gutt, G. M., & Whelan, D. A. (2015). U.S. Patent No. 9,215,244. Washington, DC: U.S. Patent and Trademark Office.

Beaumont, P. (2018). Cybersecurity Risks and Automated Maritime Container Terminals in the Age of 4IR. In Handbook of Research on Information and Cyber Security in the Fourth Industrial Revolution (pp. 497-516). IGI Global.

Bonaci, T., Herron, J., Yusuf, T., Yan, J., Kohno, T., & Chizeck, H. J. (2015). To make a robot secure: An experimental analysis of cyber security threats against teleoperated surgical robots. arXiv preprint arXiv:1504.04339.

Buczak, A. L., & Guven, E. (2016). A survey of data mining and machine learning methods for cyber security intrusion detection. IEEE Communications Surveys & Tutorials, 18(2), 1153-1176.

Canedo, A. M., Dalloro, L., Wei, D., & Collar, B. (2018). U.S. Patent Application No. 10/044,749.

Cintuglu, M. H., Mohammed, O. A., Akkaya, K., & Uluagac, A. S. (2017). A Survey on Smart Grid Cyber-Physical System Testbeds. IEEE Communications Surveys and Tutorials, 19(1), 446-464.

Gupta, B., Agrawal, D. P., & Yamaguchi, S. (Eds.). (2016). Handbook of research on modern cryptographic solutions for computer and cyber security. IGI Global.

Joinson, A., & Steen, T. V. (2018). Human aspects of cyber security: Behaviour or culture change? Cyber Security: A Peer-Reviewed Journal, 1(4), 351-360.

Khurana, H., Guralnik, V., & Shanley, R. (2014). U.S. Patent No. 8,793,790. Washington, DC: U.S. Patent and Trademark Office.

Korstanje, M. E. (Ed.). (2016). Threat mitigation and detection of cyber warfare and terrorism activities. IGI Global.

Legg, P. A. (2015, October). Visualizing the insider threat: challenges and tools for identifying malicious user activity. In Visualization for Cyber Security (VizSec), 2015 IEEE Symposium on (pp. 1-7). IEEE.

Mead, J., Vasatka, J. E., & Craig, J. A. (2017). U.S. Patent Application No. 14/872,698.

Meredith, I. T., Walters, D. L., Dumonteil, N., Worthley, S. G., Tchétché, D., Manoharan, G., & Lefèvre, T. (2016). 1-year outcomes with the fully repositionable and retrievable lotus transcatheter aortic replacement valve in 120 high-risk surgical patients with severe aortic stenosis: results of the REPRISE II study. JACC: Cardiovascular Interventions, 9(4), 376-384.

Mussington, D., Arnold, B. J., Dupont, B., Hilts, S., Grayson, T., Leuprecht, C., & Tupler, J. (2018). Governing Cyber Security in Canada, Australia and the United States.

Nicolaou, N., Eliades, D. G., Panayiotou, C., & Polycarpou, M. M. (2018, April). Reducing Vulnerability to Cyber-Physical Attacks in Water Distribution Networks. In 2018 International Workshop on Cyber-physical Systems for Smart Water Networks (CySWater) (pp. 16-19). IEEE.

Rid, T., & Buchanan, B. (2015). Attributing cyber-attacks. Journal of Strategic Studies, 38(1-2), 4-37.

Taylor, R. W., Fritsch, E. J., Liederbach, J., Saylor, M. R., & Tafoya, W. L. (2019). Cyber Crime and Cyber Terrorism.

Watters, J. P., Doyle, F., Peltokangas, H., & Keane, M. (2017). U.S. Patent No. 9,749,344. Washington, DC: U.S. Patent and Trademark Office.

Yunfei, L., Yuanbao, C., Xuan, W., Xuan, L., & Qi, Z. (2015, August). A Framework of Cyber-Security Protection for Warship Systems. In Intelligent Systems Design and Engineering Applications (ISDEA), 2015 Sixth International Conference on (pp. 17-20). IEEE