When it comes to BYOD, different verticals have different security concerns. Financial services and healthcare organizations must worry about regulatory compliance and the often disastrous financial and public image consequences that can result from a data breach. Concerns around BYOD in the public sector, meanwhile, revolve around the very real risk of private information disclosure, whether that be private citizens' confidential data, or government documents not meant for citizens' eyes—as Edward Snowden so aptly demonstrated. In extreme cases, national security may be put at risk through the leaking of sensitive information.
The security risks of BYOD in the public sector demand a focus on policy, backed by technology that enforces that policy and detects and shuts down violations.
You know that hoary old cliché about being on a "need to know" basis? When it comes to BYOD in the public sector, employees and their devices must be classified and their access to data granted on as strict a "need-to-know" basis as possible. When it comes to any sensitive information, the fewest people possible should have access. Therefore, the first step to securing BYOD in the public sector against private information disclosure is cataloguing all data to which employees have access, and classifying or ranking that data according to sensitivity and risk. Public sector organizations and the VARs that sell to them must have a thorough and intimate understanding of all the data assets they hold before they can develop an effective strategy for keeping that data safe.
Once data is catalogued and classified, organizations need to examine which employees have access to what data and lock it down as much as possible. No employee should have access to any data that isn't necessary to perform their job functions. Remember, keeping workers on a "need to know" basis is critical to preventing data leaks.
Technology to back it up
Once an organization has a policy in place limiting data access to the fewest people possible, it's time to look at how to enforce that policy. BYOD in the public sector can complicate matters and create new risks if not handled correctly.
Access control and authentication are vital, both at the device and network level. Even the most trustworthy employee may lose a device or fall victim to theft, and if the lost or stolen device can access sensitive data but lacks adequate authentication settings (isn't password-protected, for example), then anyone will be able to access whatever information the employee was privy to. Public sector organizations that allow BYOD need Mobile Device Management (MDM) solutions that can validate and, if necessary, configure device settings to ensure compliance. These MDM solutions can also remotely wipe lost or stolen devices to further prevent data leaks. Network Access Control (NAC) technologies, meanwhile, can ensure that only authorized devices access organizations' networks and data.
MDM and NAC can help protect against outside threats, but BYOD in the public sector also creates issues around insider threats. Think again of Edward Snowden and his decision to release confidential government documents to the public.
To mitigate the risks of insider threats taking advantage of BYOD in the public sector, organizations need detailed, real-time user activity monitoring and the use of sophisticated Data Loss Prevention (DLP) tools. The best of these can detect and either generate alerts for, or immediately shut down, suspicious activities such as the downloading of large files onto personal devices or attempts to upload or email sensitive files to destinations outside the organization. BYOD in the public sector must be secured with DLP and activity monitoring solutions and actively monitored by admins trained to recognize unusual behavior.
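The two suspicious activities named above, written as detection rules in Python. This is an added example, not code from the article or from any DLP product; the organization domain, the 100 MB threshold, the classification labels and the event fields are assumptions.

```python
from dataclasses import dataclass

# Assumptions for this example: the domain, size threshold and labels are constructed.
ORG_DOMAINS = {"agency.example"}
LARGE_DOWNLOAD_BYTES = 100 * 1024 * 1024
SENSITIVE_LABELS = {"confidential", "restricted"}

@dataclass
class Event:
    user: str
    action: str            # "download", "upload" or "email"
    classification: str    # label assigned when the data was catalogued
    size: int              # bytes transferred
    personal_device: bool  # True for an employee-owned (BYOD) device
    destination: str = ""  # host name or recipient address, for upload/email

def is_external(destination: str) -> bool:
    """True unless the host or mail domain is an org domain or a subdomain of one."""
    domain = destination.rsplit("@", 1)[-1].lower().rstrip(".")
    return not any(domain == d or domain.endswith("." + d) for d in ORG_DOMAINS)

def evaluate(ev: Event) -> tuple[str, str]:
    """Return (verdict, reason); verdict is 'allow', 'alert' or 'block'."""
    sensitive = ev.classification in SENSITIVE_LABELS
    if ev.action in ("upload", "email") and sensitive and is_external(ev.destination):
        return "block", f"{ev.classification} data sent to external {ev.destination}"
    if ev.action == "download" and ev.personal_device:
        if ev.size >= LARGE_DOWNLOAD_BYTES:
            verdict = "block" if sensitive else "alert"
            return verdict, f"large download ({ev.size} bytes) to personal device"
    return "allow", "within policy"

# Constructed sample events, not real log data.
SAMPLE_EVENTS = [
    Event("alice", "download", "public", 5_000, True),
    Event("bob", "download", "internal", 250 * 1024 * 1024, True),
    Event("carol", "download", "restricted", 300 * 1024 * 1024, True),
    Event("dave", "email", "confidential", 40_000, False, "friend@mail.test"),
    Event("erin", "upload", "confidential", 40_000, True, "share.agency.example"),
    Event("frank", "upload", "restricted", 9_000, True, "agency.example.files.test"),
]

def triage(events):
    return [(ev.user, *evaluate(ev)) for ev in events]

if __name__ == "__main__":
    for user, verdict, reason in triage(SAMPLE_EVENTS):
        print(f"{user:6} {verdict:5} {reason}")
```

The last sample event shows why the destination check compares whole domain suffixes: a host that merely starts with the organization's name is still treated as external.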
Measures like these will go a long way towards securing BYOD in the public sector, preventing private information disclosure. What other methods should public sector organizations use to secure their BYOD initiatives? Tell us your thoughts in the comments.