Information Systems Security Management

COMPANY REPORT PRESENTED TO SENIOR MEMEBERS OF MTN NIG PLC

CHAPTER ONE

INTRODUCTION

 This report reviews the impact of the BYOD which was policy implemented in June at Mobile Telecommunications Network (MTN ). This report evaluates the risks , benefits and provides recommendations on the BYOD Policy within MTN.

According to IBM( n.d.) BYOD is an abbreviation of bring your own device which is a IT Policy where employees are permitted or encouraged to bring their personal mobile devices e.g. (tablets and smartphones) to their place of work and use those devices to access privileged company’s information and application.

According to Maxwell (2013)The term is also used in academic environment when institutions allow students to operate their own mobile devices to access school and college networks.

Seemingly, the introduction of BYODhas many decisive impacts. It is important for businesses because it saves money on the purchase of s computing equipments and eradicates the need for extensive IT Support, thus allowing companies to focus on extensive issues.  According to Lucas (2016) Organisations can cut their IT cost as employees invest in their own mobile working devices. In the consequent paragraphs , I will be discussing the impacts of BYOD policy to the company , the risk assessment , limitations and my recommendations to improve this policy.

CHAPTER 2

THE IMPACT OF THE BYOD POLICY TO MTN

An analysis of MTN’s BYOD policy reveals that several benefits have emerged upon which the company will be able to capitalise on. These include the reduction of technology expenditure, a sense of ownership  , increased productivity and user efficiency .These benefits are discussed in greater details in the section below :

REDUCED COST OF TECHNOLOGY

 According to Lucas (2016) .BYOD Policy has saved a lot of money for the company by eradicating the need to purchase specific devices that will suit the taste of each employee. Because of this, budget has shifted to each user and the company only must pay for those employees without mobile devices.

This has given MTN the opportunity to shift a large part of the budget to training of staffs and has reduced the long-term contracts with suppliers which has indeed saved the company a literal fortune. (Beauchamp, 2017)

A SENSE OF OWNERSHIP

According to Lucas (2016) there is always a sense of ownership when using a device that belongs to you. The acceptance of BYOD has permitted employees to use their mobile devices and this has also made employees to become more vigilant.

INCREASED PRODUCTIVITY AND EFFICIENCY

According to Lucas (2016) .With the introduction of BYOD, employees become more satisfied and very happy. They work with the comfort and freedom of using their personal device which has ultimately results into higher productivity levels

According to Anon(2012)one of the predominant ways in which BYOD has assisted users is by making them more well organized .Users have more access to every document from any platform or web browser and this enables them to get the job done quickly.

CHAPTER 3

BRIEF RISK ASSESMENT ON THE BYOD POLICY

RISK ASSESSMENT

Through the usage of only emails and the company’s internal messenger, the privacy of every employer will be invaded because they will be online always, thereby invading their privacy. This happens when they get offline messengers from the company’s internal messenger from their superiors at work which they they have to attend to. Whilst the first issue may be approipately dealt with through the IT department , the latter would have to be addressed by an IT policy as well as an HR employee in order to promote worklife

  Furthermore, the company’s internal messenger is susceptible to hackers and if this vulnerability is exploited, all the company’s data shared between users will be utilized.

 Through the sharing of emails, there could be leakage of vital company information to the public accidentally. Majority of the staff share information to other users and in the cloud. The automated backup of device data to cloud-based accounts can lead to business data being diverged. There are certain limitations to the BYOD Policy which would be further discussed in chapter four.

CHAPTER FOUR

RISKS OF BYOD POLICY

   As highlighted in the previous sections, the introduction of BYOD carries many benefits as well as potential risks for organisations . However there are some of the  reasons why BYOD shouldn’t be used implemented in the company. They are highlighted below:

• High Risk of Data Exposure
• Unprotected Vulnerabilities
• Combination of both Personal and Corporate Data

HIGH RISK OF DATA LEAKAGE

According to Morufu O (2015) This occurs when employees have access to company data anywhere and anytime. The company has minimal control over corporate data because corporate data are now stored by personal mobile devices. As a result of this if corporate data is available in a lost personal device  , the data could be publicly made available by the individual in possession of the device

ACCESSING UNSECURED WIFI

According to (Beauchamp, 2017)Majority of employees often utilize their devices outside the company and there is a high probability that they access unsecured WI-FI connections at different public environments like airports, coffee shops etc.

If employees download information from public Wi-Fi spots without a secure protection measure, the data on their mobile devices are automatically exposed and could be exploited by attackers. Furthermore, if employees refuse to install the latest anti-virus on their mobile phones and other robust security applications, there is a tendency that attackers would encroach on their devices.

Due to this, employees should install reliable decent security programs on their personal devices and should always be provided with quality technical support which will ensure al the security measure are timely executed.

COMBINATION OF BOTH PERSONAL AND COPORATE DATA

The introduction of BYOD makes it difficult to differentiate between intimate information and corporate data because they are both kept on the same mobile device. In the event an employee’s phone get stolen , all the information could be assessed  by an individual who retrieves the device.

(Rainey, 2018)To address this issue, employees should be educated on how to use sandbox or ring-fence data which will assist employees to keep corporate data in a specific application. This will safeguard the data stored and it can also be recovered in case the device is stolen through a backup facility.

RAPID PENETRATION OF MALWARE

Malware are mischievous software’s that could compromise the security of BYOD. Devices could be compromised by malware leading to loss or disappearance of confidential information This could make a whole device unstable

If installed ignorantly, it could reproduce by itself and affect the entire network of the company. The company should invest in more security software’s which can be used in scanning and analysing the threats posed by malwares before they cause extensive damages.

(Anon., 2018) Another method in which an employee credentials could be tampered with is through key-logging. This tool is used to record the login details and password of a user and apply the details to cause damages to the company.

 CHAPTER FIVE

RECOMMENDATION

Here are a few suggestions that could improve BYOD Policy to help in maintaining the security of the company (Paganini, 2013)

      Previous security policies that are related to mobile devices should be reviewed.

      Create policies before procuring technology. (Klinger, 2016)

      The manager should take a consensus among the staff to determine which of their devices meet the security requirements of the company.

      Personal information should be kept private. (Klinger, 2016)

      Clear policies should be written to govern the use of mobile devices by employees. Terms of use must be defined by each category of mobile devices, including data and application recommended by the employee.

      The integrity of each device should be verified to confirm that they havent been rooted by an employee.

      Devices should be monitored constantly for non-compliance. (Klinger, 2016)

      IT Help /Service Desk should oversee the management of data usage and constantly monitor devices for not following the rules.

      Policies should be reviewed quarterly, installed applications and mobile devices should be audited.

      The employees should be trained on the proper use of mobile devices and the way they access internal network devices.

        Paganini (2013) It is the responsibility of the following departments to administer the above rules:

      IT Help/Desk is responsible for providing limited support for BYOD to the employees.

      All employees are responsible for complying with the policies prepared by the management.

      Quality and Internal Audit Department is responsible for assessing the activities and to ensure all staff follow the rules.

      Corporate IT Security Management is responsible for identifying security, maintaining the company’s BYOD Policy and taking charge of the problems that arise from its introduction

      IT Department is responsible for managing the security of corporate infrastructure.

      IT Human Resources Department is responsible for running educational programs and raising awareness of the BYOD Policy to all employee.

MOBILE MONITORING

The use of monitoring devices should be applied to effectively administer our BYOD policy. One of the monitoring device the company should use is called MDM.

MDM is a mobile device management that interpret policies across multiple operating systems which will in turn validate the device to the network and secure information. It is a tool responsible for the overall control of mobile devices. Mobile device manager performs the following functions:

      MDM locks down devices, enforce policies, encrypt data and wipes out data remotely.

      MDM monitors, controls and protects a mobile device.

      MDM can force an application to be installed on a device, enforce policies for the usage of that application and even uninstall applications.

      MDM can enforce security settings, manage passwords and install digital certificates for authentication.

      MDM can restrict a user to download/install an application.

      MDM configures devices on the remotely.

      MDM helps in the blacklisting of applications.  Anon( n.d.)

      Assigning commercial and enterprise applications to required devices.

      Wiping of corporate data or an entire device remotely.

      Nullifying application licenses when users don’t need them.

      Restricting interaction between applications.

The following steps highlights how a device is configured to work with MDM. (Anon., n.d.)

      Enrols the device connected to the company network with a device manager to provide a strong authentication process and verifies that the device is genuine.

      The MDM device communicates with the Server and a secure network is granted connection.

      The application of the MDM device is then connected with the mobile device manager

      Encryption takes place between the Virtual Private Network and Gateway server.

      The device is connected by the server it ensures Group policy settings on the device.

      And finally, the MDM Device is then authorised to access the services on the network.

SECURITY INCIDENT PLAN

The IT department should ensure that there is a plan, to deal with security issues such as malware, stolen devices and data breaches. Users should be told to bring n their devices to the IT department if the believe they have been compromised .This will promote  trust and co-operation between co-workers rather than threats .

Secondly, a rule should be enforced to prevent any worker from storing any company data inside their BYOD-related devices. File synchronization such as a corporate drop box should be utilized to reduce the impact of the damages the company will incur if devices are stolen or exhorted.

STANDARD SECURITY SETTINGS PROTOCOL

 I implore the company to apply security settings on all BYOD devices.  Security should be prioritized. Terminating the misuse of data is one of the fundamental concerns of the IT administrators in this company. The IT administrators should be provided with enterprise-security features such as:

     Strict password settings.

     Detection and notification of non-compliant devices.

     Geo tracking and remote locking of compromised devices.

     Uninterrupted scanning of security and policy settings.

MANDATORY OPERATING SYSTEM UPDATES

   This will in a long way reduce the threat posed by malwares and hackers to the company. Each operating system could be exploited, and vital company data could be stolen if vulnerabilities in applications arent identified. Devices should be automatically configured to check for updates on daily basics and installed as soon as they are available.

STATE THE RULES BEFORE AN EMPLOYEE AGREES TO USE THEIR DEVICE

Employees must be informed from the beginning that ANY classified information found on their devices will be wiped off once they quit the job or are dismissed. This must be signed and documented before they agree to use their equipment’s for work.

This is very important because we need to regulate how restricted information of the company should be handled before it gets exposed.

CONCLUSION

Now we must ask ourselves these questions, Is the BYOD Policy right for MTN? Should we continue to use the policy or terminate it? Has the Policy had an impact on our business positively? and do our employees like it?

BYOD has efficiently added to our effectiveness in competing with industries. It has also given us an efficient customer service which has increased the customer satisfaction. BYOD has brought so many positives to this company.

Employees now have a better work life which has improved their efficiency at work. Nevertheless, the downside of BYOD have refused to go away, the financial responsibility is still there, and the IT department must always be at alert in case of an unforeseen loss, theft or damages.

However, for a complete successful implementation of BYOD, devices must be protected with screen lock passwords, a mobile security management suite must also be in place to integrate our environment such that no user device may have access to our corporate assets. Devices must be updated regularly with the latest OS. Company data must be encrypted, and it shouldn’t be mixed with personal data and they must be kept separate.

Although BYOD has been very favourable to MTN, it also has several cyber security risks which needs to be properly handled.

The company needs to broaden her security guidelines and educate employees on how to protect their devices and constantly monitor any security breaches.

References

• Anon., 2012. An Osterman Research white paper. [Online]
  Available at: https://www.portalcms.nl/publicfiles/5/office/downloads/byod-whitepaper.pdf
  [Accessed 6 November 2018].
• Anon., 2018. FossyBytes. [Online]
  Available at: https://fossbytes.com/effects-of-bring-your-own-device-byod-cyber-security/
  [Accessed 8 November 2018].
• Anon., n.d. [Online].
• Anon., n.d. [Online]
  Available at: https://dm.comodo.com/
  [Accessed 8 November 2018].
• Anon., n.d. MobileDeviceManager. [Online]
  Available at: (https://www.manageengine.co.uk/mobile-device-management/bring-your-own-device-byod-management.html?msclkid=2451fa6b16be1efea4b2a18f465ebabe&utm_source=bing&utm_medium=cpc&utm_campaign=MDMP%20Search%20-%20UK&utm_term=byod&utm_content=BYOD, n.d.)
  [Accessed 8 November 2018].
• Beauchamp, P., 2017. [Online]
  Available at: https://www.huffingtonpost.com/parker-beauchamp/byod-in-the-workplace-ben_b_10973342.html
  [Accessed 8 November 2018].
• Beauchamp, P., 2017. [Online]
  Available at: https://www.huffingtonpost.com/parker-beauchamp/byod-in-the-workplace-ben_b_10973342.html
  [Accessed 8 November 2018].
• by Kerry Maxwell, a. o. B. N. W., 2013. © Springer Nature Limited. 22nd January.
• https://www.manageengine.co.uk/mobile-device-management/bring-your-own-device-byod-management.html?msclkid=2451fa6b16be1efea4b2a18f465ebabe&utm_source=bing&utm_medium=cpc&utm_campaign=MDMP%20Search%20-%20UK&utm_term=byod&utm_content=BYOD, n.d. MobileDeviceManager. [Online]
  Available at: https://www.manageengine.co.uk/mobile-device-management/bring-your-own-device-byod-management.html?msclkid=2451fa6b16be1efea4b2a18f465ebabe&utm_source=bing&utm_medium=cpc&utm_campaign=MDMP%20Search%20-%20UK&utm_term=byod&utm_content=BYOD
  [Accessed 8 November 2018].
• IBM, n.d. [Online]
  Available at: https://www.ibm.com/mobile/bring-your-own-device
• IBM, n.d. A IBM Web Page. [Online]
  Available at: https://www.ibm.com/mobile/bring-your-own-device
• IBM, N.D. IBM. [Online]
  Available at: https://www.ibm.com/mobile/bring-your-own-device
• Klinger, J., 2016. Mobile Business Insights. [Online]
  Available at: https://mobilebusinessinsights.com/2016/11/create-a-secure-and-productive-byod-policy-today/
  [Accessed 8 November 2018].
• Lucas, S., 2016. The Balance Careers. [Online]
  Available at: https://www.thebalancecareers.com/bring-your-own-device-byod-job-policy-4139870
  [Accessed 8 November 2018].
• Maxwell, K., 2013. MacMillanDictionary. [Online]
  Available at: https://www.macmillandictionary.com/buzzword/entries/byod.html
  [Accessed 8 November 2018].
• Maxwell, K., 2013. Springer Nature Limited. [Online]
  Available at: https://www.macmillandictionary.com/buzzword/entries/byod.html
  [Accessed 8 November 2018].
• Morufu O, M. T. R. M. A. A., 2015. A Review Of Bring Your Own Device On Security Issues. Sage Journals, 10 April.
• Paganini, P. .., 2013. SecurityBlogger. [Online]
  Available at: http://www.thesecurityblogger.com/the-importance-of-a-byod-policy-for-companies/
  [Accessed 8 November 2018].
• Prashant, K. ,. G. A. S. ,., 2013. BRING YOUR OWN DEVICE(BYOD) SECURITY RISKS AND MITIGATING STRATEGIES. Journal of Global Research, Volume 4, p. 67.
• Prashant, K., G, G. .. & R, S., 2013. BRING YOUR OWN DEVICE (BYOD): SECURITY RISKS AND MITIGATING STRATEGIES. Journal of Global Research In Computer Science, IV(4), p. 67.
• Rainey, D., 2018. Effects Of Bring Your Device On CyberSecurity. [Online]
  Available at: https://fossbytes.com/effects-of-bring-your-own-device-byod-cyber-security/
  [Accessed 7 November 2018 2018].