Bring-Your-Own-Device (BYOD) Best Practices and Tips


What is a Bring-Your-Own-Device Policy?

A Bring-Your-Own-Device (BYOD) policy establishes security rules for employee-owned devices that are used for company tasks. Whether cell phones, personal laptops, or tablets, all of these devices interact with your network. BYOD offers many advantages for an organization, such as cost-effectiveness and ease of information access; however, outside devices can also present security threats.

What are the Data Risks of BYOD?

Security risks of BYOD can take several forms, such as:

    1. Lost, stolen, or unauthorized access to devices.
    2. Attacks through malware, phishing, and scams.
    3. Lack of security compliance for employee devices that are accessing the company’s network.

Best BYOD Practices

    1. Have employees report a lost or stolen device immediately. This will allow remote locking and erasing of data that may be compromised.
    2. Educate, educate, educate! Promote safe device usage through up-to-date employee trainings on subjects such as phishing and mobile device security. If you do not know where to start, take a look at your company as a whole and identify the weakest points in your current system. Are there gaps in security when it comes to password protection of employee-owned devices? Identify these weak points when it comes to BYOD and create training around that.
    3. Implement a device exit strategy. If you have an employee leaving the company or they are replacing a current device, your organization should have a strategy for devices leaving the organization, so they do not take any confidential information with them.
    4. Have a written BYOD policy, which includes requirements and security policies regarding personal devices at work. It forces you as an organization to think some policies through before allowing employees to use their own devices. A written policy should reflect your unique organization, but make sure to include:
        • Acceptable use policies for devices connected to the company network – what should and should not be tolerated when connected to the company network or when using a personal device for work purposes.
        • Acceptable types of devices and support. This could include cell phones, laptops, tablets, or other devices depending on what is best for your organization.
        • Security requirements for employee-owned devices. Make sure to include that devices must be password-protected!
        • Risks, liabilities, and disclaimers for utilizing personal devices for company projects.
        • A signed agreement from your employee.

BYOD… One Piece to the SASE Puzzle

Protecting employee-owned devices is one way to align with “Secure Access Service Edge,” otherwise known as SASE.

SASE is a term coined by Gartner in 2019 and is an emerging security and network framework. Today’s environment shows that more users, devices, and data are outside the network perimeter instead of on the inside (such as BYOD). What is the solution for protecting everything outside that perimeter? Cloud-based security.

Learn more about SASE and cloud-based security.

Securing your BYOD Environment

The way you do business is unique to you, and your security posture should reflect that. No matter where you are in the world or whether you have employees on-premises, hybrid, or remote, we work with a variety of partners so we can apply the best products and solutions for you.

Reach out to us today to learn how Braxton-Grant can find the best solution for your organization.


5 Steps to Better Protect your Company’s Data

With certain trends in cybersecurity continuing to rise, data protection is more important than ever. An organization’s data is the bread-and-butter of their operations. To ensure your business is protected, here are five steps to safeguard your company’s data:

  1. Ensure Firewalls are Secure – A firewall is a network security device that monitors incoming and outgoing network traffic. It then permits or blocks data packets based on a set of security rules. Quite simply, a network firewall creates a barrier between a trusted network and an untrusted one. There are several types of firewalls, but the one best for you depends on your business and your operations. Establishing and securing firewalls is important because attackers look for vulnerable devices connected to the internet; a firewall can not only protect your computer from unwanted access, but also block unwanted content, create a secure network for multi-device environments, and keep private information secure.

Learn more about the different types of firewalls from one of our partners, Forcepoint.

  2. Encryption – An essential part of securing company data should always include encryption, which is a way of scrambling data so that only authorized parties can understand the information. Data that is encrypted with a sufficiently strong algorithm and key is very difficult for the wrong hands to decrypt, even if the data is stolen or duplicated. Encryption is equally as important for your primary data as it is for your backup data.
  3. Backup & Recovery – Backup and recovery is exactly as it sounds: backup is the process of storing extra copies of data that can be used in case information is stolen or lost, and recovery refers to restoring those copies in place of the lost or damaged data. With backup and recovery in place, even if a device is lost or data is stolen, the information is not gone forever. Backups are important because data loss can be caused by hardware or software failure, data corruption, or human error.
  4. Educate Employees – Your employees are your best asset; however, they can also be a major liability when it comes to protecting your data. Keep your employees updated on cybersecurity topics by offering training and resources when needed to minimize this risk. Topics such as phishing scams and the use of public file-sharing services are good ones to include directly in onboarding training. Additionally, the BYOD (Bring Your Own Device) trend allows for possible unauthorized access to sensitive data, so additional training for remote workers may be needed.

  5. Maintain your IT Infrastructure – Ultimately, your overall IT infrastructure keeps your organization safe. Between evaluation, installation, and support, Braxton-Grant is your trusted advisor for various IT solutions. Schedule a Cyber Hygiene Assessment with one of our engineers today to kick off the process of evaluating your organization’s cyber wellness.

Schedule a Cyber Hygiene Assessment with us

This Year in Cybersecurity: How to Be Proactive Against Attacks in 2021

2020 certainly has shown us the importance of cybersecurity and how vulnerable our systems can be in a 100% virtual world. With no doubt, 2021 will continue to bring various challenges when it comes to keeping your organization’s data safe online.

Here are six areas of cybersecurity to stay alert for this year:

  1. Continued Phishing Attempts: Phishing attempts are continuously being refined, as hackers devise sophisticated ways to intrude into organizations. One of the most common examples is email impersonation. Attackers are learning how to analyze a corporate hierarchy and forge emails in an executive’s name. Pay close attention to the sender’s email address to ensure that it came from your organization.
  2. Remote Work Safety: A large portion of United States workers are still working from home, and these individuals will be the focus of cybercriminals. Whether due to a lack of physical security in remote workers’ homes or other locations, or the use of personal devices, not all remote work is secured the same way it would be if an employee were on-premises. The safety of remote workers should continue to be a major focus for organizations.
  3. NIST 800-171: If your organization handles government-controlled unclassified information (CUI) or works with the US Government, the new Interim Rule change to the DFARS went into effect on November 30, 2020. Contractors now have contractual obligations to meet DFARS 252.204-7912 (DoD) and NIST SP 800-171r1 or FAR 52.204-21 (Federal). Prime contractors flow down the requirements to partners and subcontractors.
  4. CMMC Assessment & Mitigation: If your company is on a DoD contract, you will be held accountable for security assessments under the Cybersecurity Maturity Model Certification (CMMC) program. While the Government will take through 2025 to completely roll out the program, the requirement has already started to appear in DoD contracts. Many prime contractors have begun to levy the requirements on their subcontractors, as the rule applies to both primes and subcontractors.

Learn more about specific requirements of the NIST 800-171 & CMMC and how Braxton-Grant can help here.

  5. Cloud Security Breaches: Due to the remote and hybrid IT environments in today’s corporate world, cloud security breaches are currently at an all-time high. In fact, a study by Rebyc found that 35 percent of companies surveyed said they plan to accelerate moving workloads to the cloud in 2021. Threats such as account hijacking, data breaches, or insecure application programming interfaces (APIs) can compromise your cloud systems.
  6. Online Cybersecurity Training: With work-from-home trends not slowing down anytime soon, cybersecurity training is now being delivered remotely and online more than ever, and there is a good possibility this transition is here to stay. Look out for videos, live webinars, or one-on-one virtual meetings with cybersecurity experts that you can attend without leaving your desk.

Check out the remote training Braxton-Grant conducts with various partners here.

While all the possible cybersecurity threats can be daunting, the best solution is to be proactive now and assess your organization’s cyber hygiene. A basic cybersecurity assessment can indicate whether your business has a strong cybersecurity posture to meet existing and future customer, industry, and government security requirements. Every company with an information technology system needs good cyber hygiene, regardless of whether you have a government requirement for certification. Braxton-Grant offers cybersecurity assessments tailored to your specific needs. We can provide:

  • A cybersecurity health grade.
  • Guidance to understand current security risk.
  • Recommendations for improvement through a Hygiene Assessment Report, customized to your environment.
  • Mapping to key cybersecurity frameworks and controls (e.g. NIST SP 800-171, NIST SP 800-53, CIS 20, GDPR, and HIPAA).

For government contractors, we also offer NIST 800-171 and CMMC Assessments.

You can learn more about our Cyber Hygiene Assessments and sign up for a meeting with one of our engineers here.

DoD Ruling Affecting All DoD Contractors Now!

Attention all DoD Suppliers & prospective CMMC Clients:
On 9/29/2020 an interim rule was posted in the Federal Register which states that the Department of Defense (DoD) now requires all suppliers to have completed a self-assessment against NIST SP 800-171 within the past three years, no later than November 30th, 2020.

That is just SIX WEEKS from now!!

Braxton-Grant Technologies is pleased to be able to offer a Self-Assessment Preparedness Program to help your organization successfully prepare for the required self-assessment; please inquire for pricing and details!

See www.braxtongrant.com, email pmoffice@braxtongrant.com, or call 443-545-2052 ext. 7032

For our friends in Maryland, did you know that there may be funds available to help you comply with this deadline…

The Maryland Defense Cybersecurity Assistance Program (DCAP) provides funding and assistance for defense contractors to comply with the DFARS and NIST 800-171 cybersecurity standards. The program is funded by the Department of Defense’s Office of Economic Adjustment (OEA) through the Maryland Department of Commerce and is coordinated by the MD MEP.

PROGRAM REQUIREMENTS
• Must be a Defense Contractor with a physical location in Maryland
• 10% or more DoD related business OR a contract/procurement request for compliance

For more information on this program, go to:

Maryland Defense Cybersecurity Assistance Program

*********************************
DFARS 252.204-7019: Notice of NIST SP 800-171 DoD Assessment Requirements

This new DFARS clause notifies the contractor that they are required to maintain a record within the Supplier Performance Risk System (SPRS). Each contractor will be required to maintain a current DoD Assessment within the system. This means that each contractor will need to have a Low, Medium, or High assessment completed at least every three years and ensure that it is properly reported within SPRS.

Click here to access the SPRS. If you do not have an account with SPRS, you will need to request access through the Procurement Integrated Enterprise Environment (PIEE). Click here to access the PIEE. You will need a certificate to register and authenticate to PIEE/SPRS.

8 Ways To Identify Phishing Attempts

What is phishing?

Phishing is a cybercrime that uses electronic communication to take advantage of users. Attackers attempt to gain sensitive or confidential information, such as usernames and passwords, credit card information, and more, by posing as legitimate organizations or individuals. They use social engineering to manipulate victims into clicking on malicious links and entering this information. Below are eight ways to identify a phishing email.

Types of Phishing 

Spear Phishing 

These attacks will not look random, like a general phishing attempt. Attackers will gather information about the victim to make the email feel more authentic. 

Clone Phishing 

Attackers will make almost identical copies of previously delivered email messages and change an attachment or link to something malicious.  

Whaling 

Specifically targeting high profile and/or senior executives at organizations, they will often present themselves as legal communication or other high-level executive business. 

Methods of Phishing 

Requests for Sensitive Information.  

A legitimate organization will never ask you to enter any information that is sensitive by following a link. You will usually be asked to go to the official website or app to enter your credentials and any other information that is required. 

Generic Salutations.

Most hackers will greet you with a “Dear valued customer” or “Dear account holder”. Sometimes, emails will not even include a greeting. These are clear signs that this might be a phishing attempt. Genuine organizations will use your full name.

Check the Domain.

Don’t just check the name of the sender. Check the email address attached by hovering over the ‘from’ address. If you see any changes from what you were expecting, like numbers or letters added, this might be a phishing attempt.  

Bad Grammar.

Legitimate organizations will send emails that are well written, with no spelling errors or bad syntax. Hackers believe their prey are less observant and easier targets, so what they send out tends to contain spelling errors and grammatical mistakes.

Forcing You onto a Site.

If in doubt, don’t open the email. A lot of the time, an email can be coded entirely as a single hyperlink, so an accidental click anywhere in the email can lead you to a malicious site or start an unwanted download on your computer.

Unsolicited Attachments.

Authentic organizations will seldom send you attachments. They will usually direct you to their website to download what you need from there. It’s not foolproof because there are times when they will send you information that you need to download, but this isn’t very common. 

Hyperlinks.

Always hover over any links in the email, because a link may not be all it appears to be. When you hover over the link, it will show you the actual URL it will direct you to.

Sense of Urgency.

One of a hacker’s favorite methods to hook a victim is asking them to act fast, either by offering a one-time deal for a limited time or stating that your account has been compromised. It is usually best to ignore these communications.
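Several of the indicators above (look-alike sender domain, generic salutation, urgency language, and a link whose visible text differs from its real target) can be checked mechanically. The following is an added example, not code from the original article or from Braxton-Grant: it runs those checks over a constructed sample message using only the Python standard library; the expected domain, phrase lists and sample addresses are assumptions chosen for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser

# Constructed sample: look-alike From domain ("examp1e" vs "example"), generic greeting,
# urgency wording, and anchor text that shows a different URL than the real href.
SAMPLE_EMAIL = """\
From: "Example Bank Security" <alerts@examp1e-bank.com>
Subject: Urgent: your account has been suspended
Content-Type: text/html

<html><body><p>Dear valued customer,</p>
<p>Your account has been compromised. Act now to verify your details:</p>
<a href="http://198.51.100.7/login">https://www.example-bank.com/login</a>
</body></html>
"""

EXPECTED_DOMAIN = "example-bank.com"  # assumed: the domain the reader expects this sender to use
GENERIC_GREETINGS = ("dear valued customer", "dear account holder")
URGENCY_PHRASES = ("act now", "urgent", "compromised", "limited time")


class LinkCollector(HTMLParser):
    """Collect (visible text, href) pairs so link text can be compared with the real target."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def phishing_indicators(raw, expected_domain=EXPECTED_DOMAIN):
    """Return the article's indicators that fire on one raw RFC 822 message."""
    msg = message_from_string(raw)
    hits = []
    domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    if domain != expected_domain:  # "Check the Domain": look-alike or foreign sender domain
        hits.append("sender domain mismatch: " + domain)
    body = msg.get_payload()
    text = re.sub(r"<[^>]+>", " ", body).lower()  # strip tags for phrase checks
    if any(g in text for g in GENERIC_GREETINGS):  # "Generic Salutations"
        hits.append("generic salutation")
    if any(p in text for p in URGENCY_PHRASES):  # "Sense of Urgency"
        hits.append("sense of urgency")
    collector = LinkCollector()
    collector.feed(body)
    for shown, href in collector.links:  # "Hyperlinks": visible URL differs from real target
        if shown.startswith("http") and shown != href:
            hits.append("link text %s hides target %s" % (shown, href))
    return hits
```

A message with a matching domain, a personal greeting, no urgency wording and honest links returns an empty list; the checks are a triage aid for the habits described above, not a replacement for mail filtering.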

Email Security 

Why is email such an easy target? Because while most people know how to send and receive emails, the same cannot be said about their understanding of how emails are sent or received. This lack of understanding also makes gaining access to emails so simple that hackers just can’t resist.

The simplicity inherent to modern email interfaces lulls users into a false sense of security: “Of course the email is secure, how could it not be?” We can check it anywhere and send communication from anywhere at any time with the click of a button. However, a potent combination of human error and malicious agents can make email one of the most dangerous threats to an organization’s security. Email-based threats account for 25% of all data breaches within the US and cause major losses numbering in the billions of dollars annually.

As with all cyber security, email security starts with employee training, helping employees understand how to identify and question suspicious-looking emails. Alongside this training, organizations need to make sure that they have the right tools to fight against this data theft: anti-virus filters, email filtering, email encryption, and more.

Need more info? The Federal Trade Commission can help you identify and avoid phishing scams. Also make sure your employees follow the Braxton-Grant Technologies guide on the fundamentals.