A device admin’s guide to auditing and risk management

Emily Brown

Jul 2, 2021


If you own a company, or simply work at one, you already know how completely its day-to-day functioning depends on the devices in use. It could be MacBooks or Windows PCs, or an array of mobile devices including iPads and Android smartphones. These devices give users a wide range of benefits: the ability to work remotely, connectivity on the fly, apps that increase productivity and much more. Some organizations also require or allow employees to use their personal devices for work. As you may already know, this is Bring Your Own Device, or BYOD.

The surge in digital adoption in 2019-2021 has increased our dependence on devices and virtual experiences even more. Every device added to the fleet widens the attack surface and adds another endpoint that can be lost, left unpatched or misconfigured, so the risks grow with the fleet. Auditing and risk management is something no organization can ignore, and rightfully so. IT managers also need to move on from traditional, manual risk management methods to keep up with those risks.

What is Auditing and Risk Management?


Simply put, auditing is the process of examining something. In this blog, we will be talking about auditing the devices in your organization and managing the risks associated with them.

Auditing comes with many benefits:

  • Confirm that your organization is compliant with regulations and standards like GDPR, HIPAA, SOC 2, PCI DSS, etc.
  • Identify and resolve security vulnerabilities in your organization.
  • Formulate or improve your security strategy.
  • Get rid of the extra weight: dispose of hardware or software that your organization no longer uses. This also reduces expenses.
  • Monitor and report on the risks your company has chosen to accept.

Now, let us have a look at risk management. Risk management is the complete process of identifying, analyzing and monitoring or treating the risks to the organization. For managing risks, you need to know what the risks are.

Risks to look out for


The risks or threats to the organization can come in many forms. We have broadly classified them under three categories:

1. Privacy Risks

When the employee knows that their devices are being managed and monitored by the organization, it is quite normal to have some privacy concerns. This is especially relevant when the employees are bringing their own personal devices for work purposes. So, how can you alleviate privacy risks in such cases?

How Hexnode helps…

Hexnode is an award-winning UEM solution used by organizations in over a hundred countries. Hexnode admins address the privacy risks of BYOD by keeping a clear segregation between personal and corporate data.

A separate business container on the device ensures that the admin has no power to modify or control the user's personal data or settings. Because corporate data lives only in that container, when an employee leaves the organization the admin can simply erase the business container and leave the personal side untouched.

2. Security Risks

Security risks come in all shapes and sizes. The device could be lost or stolen, or the employee may leave the organization without the corporate data being erased. There could be a network security risk, or the device may be running an outdated version of its operating system, leaving known vulnerabilities unpatched. These security risks can be broadly classified into physical security risks and information security risks.

Physical Security Risks

The physical security risks include devices being lost or stolen. Smart devices are mobile, and we love them for their mobility. But it also means that they are at a higher risk of being misplaced. This is a huge concern, especially if the lost or stolen device stores sensitive organizational data.

How Hexnode helps…

Handling lost/stolen devices is easier for a Hexnode admin. Hexnode admins have the option of tracking the location of the managed devices. All they need to do is enable the location tracking policy and apply it to the device. For lost or stolen devices, the admin can track the device location from the Hexnode Web console remotely. The admin can also do one of the following:

Remotely lock the device with a custom message for the finder. The message can include a contact phone number under a “Please return” header. In the best-case scenario, where the device is merely lost and ends up in the hands of a good Samaritan, this action alone brings the device back.

Wipe the device completely to erase any sensitive data or apps on it. Note that a remote wipe can only execute once the device comes online and receives the command, so it is not a defence on its own. If device encryption is enabled, for instance FileVault on macOS or BitLocker on Windows, the data at rest stays protected in the meantime, as long as the device is locked with a strong passcode; the wipe then only has to catch up when the device next connects.

Information Security Risks

Data security, network security, application security: all of these have to be ensured by the admin to decrease information security risks.

Data security

Data security is the process of protecting organizational data from attack, breach or leakage. It starts with identifying every risk that could result in data leakage or data corruption and then removing or mitigating those risks.

How Hexnode helps…

1. Password security – The first step in securing data on any device is configuring a strong password. Users may opt for an easier password to make access simpler for themselves, but that also makes the password simpler for an attacker to guess or crack. Hexnode allows admins to configure strong password policies, and the user is forced to set a password that satisfies them.

2. Data Leakage Prevention policies – There are a number of ways in which a Hexnode admin can protect devices from possible data leakage.

  • Enable and enforce device encryption to prevent unauthorized access to data on a lost or stolen device.
  • Prevent the flow of data between business and personal apps.
  • Configure the device as a kiosk.
  • Restrict or stop USB transfers to reduce data loss risks.

Network security

The secure company network will not be the only network your employees connect to, especially when devices are always on the move or employees are working from the comfort of their homes. How can you mitigate network security risks?

How Hexnode helps…

  • Configure and push a secure VPN connection to the managed devices.
  • Use web content filtering policies to block access to potentially dangerous websites.
  • For the corporate network, configure the Wi-Fi network in the Hexnode web console and push it to the devices so that the user can connect without entering the password. The admin never has to share the network password with the user. Keep in mind that a user with administrator rights on the device can often still read a pushed pre-shared key from the OS, so treat this as hygiene rather than a hard secrecy boundary.

Application security

Apps rule. We have an app for almost everything we do. They are useful, they increase productivity and they are simply great. However, not all apps are good. Some apps pose security risks and some distract employees from their work (YouTube!!). As an IT admin, you would not want either.

How Hexnode helps…

  • Blacklist or whitelist applications to block access to unwanted apps.
  • Deploy enterprise apps from the Hexnode portal and block app downloads by the user.
  • Configure a custom app store with the required applications so that the user doesn’t need to download apps from external sources.

3. Compliance Risks

Compliance means that the device users are adhering to certain rules. For example, let’s assume you have deployed a stringent password policy to the devices, but a user keeps putting off setting a strong password. Or you blacklisted an application, but the user found a way to install it anyway. Or the device was lost, the user didn’t report the loss, and the device has now been inactive for a while. In all these cases, the device is non-compliant with the rules you specified.

How Hexnode helps…

  • Configure custom compliance rules for your organization.
  • Get notified in your email whenever a device goes out of compliance.
  • Schedule regular compliance reports that are delivered into your inbox.

Now that we know the risks and have an idea of how to manage them, let’s go back to the auditing part of auditing and risk management.

How to audit the devices in your organization?


The auditing process can be summarized in four steps:

1. Identifying the subjects to be audited

Here, you have to determine what exactly you want to audit. For instance, it could include all the smartphones, laptops, desktops, and tablets deployed in your company.

2. Defining the audit objectives

Why are you conducting this audit? What are your objectives? What are the risks you hope to solve with this audit? Try and find answers to these questions.

3. Set the audit scope

In this step, shortlist the actual devices to be audited and the security policies they should adhere to. For example, the scope may include all BYOD devices and the requirement that they have device encryption enabled. Define and set your own audit scope.

4. Define the auditing process

Now that the objectives are clear and the scope is set, all you need to do is define the auditing process: the key tests, where the data comes from, and so on. The process need not be followed rigidly; adjust it as the risks you assess and the criteria of your organization change.

How Hexnode helps…

  • Controls like remote wipe, location tracking and more.
  • Detailed reports for devices and users for easier audits.
  • Clear data on compliant and non-compliant devices.
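The compliance rules described earlier and the audit scope and reports from the four steps above can be prototyped against nothing more than an inventory export. The following is an added example, not Hexnode’s code or API: it takes a constructed device inventory (the field names and policy thresholds are assumptions; map them to whatever your UEM exports), optionally narrows it to an audit scope such as BYOD devices only, evaluates each device against rules for passcode, encryption, minimum OS version, blacklisted apps and inactivity, and produces a report that separates compliant from non-compliant devices with the reason for each finding. It also shows the one place such checks commonly go wrong: OS versions must be compared numerically, or “9” sorts above “10”.

```python
"""Compliance evaluation over a device inventory export.

Added example, not Hexnode code. The inventory, field names and policy
thresholds below are constructed assumptions for illustration only.
"""
from datetime import date
from typing import Callable, Dict, List, Optional

# Constructed sample inventory (not real device data), one record per device.
INVENTORY = [
    {"id": "mac-001", "owner": "alice", "ownership": "corporate", "os": "macOS",
     "os_version": "11.4", "encrypted": True, "passcode_set": True,
     "blocked_apps_present": [], "last_seen": "2021-06-30"},
    {"id": "win-002", "owner": "bob", "ownership": "byod", "os": "Windows",
     "os_version": "10.0.19041", "encrypted": False, "passcode_set": True,
     "blocked_apps_present": [], "last_seen": "2021-07-01"},
    {"id": "and-003", "owner": "carol", "ownership": "byod", "os": "Android",
     "os_version": "9", "encrypted": True, "passcode_set": False,
     "blocked_apps_present": ["com.example.torrent"], "last_seen": "2021-06-29"},
    {"id": "ipad-004", "owner": "dave", "ownership": "corporate", "os": "iOS",
     "os_version": "14.6", "encrypted": True, "passcode_set": True,
     "blocked_apps_present": [], "last_seen": "2021-05-10"},
]

# Policy thresholds (assumed values; set them from your own baseline).
MIN_OS_VERSION = {"macOS": "11.0", "Windows": "10.0.19041", "Android": "10", "iOS": "14.0"}
MAX_INACTIVE_DAYS = 30
AUDIT_DATE = date(2021, 7, 2)  # fixed so the example is reproducible


def parse_version(version: str) -> tuple:
    """Split '10.0.19041' into (10, 0, 19041) so versions compare numerically.
    Comparing the raw strings would wrongly rank '9' above '10'."""
    return tuple(int(part) for part in version.split("."))


# A rule returns a human-readable finding, or None when the device passes.
Rule = Callable[[dict], Optional[str]]

def rule_passcode(d: dict) -> Optional[str]:
    return None if d["passcode_set"] else "no passcode set"

def rule_encryption(d: dict) -> Optional[str]:
    return None if d["encrypted"] else "disk encryption disabled"

def rule_os_version(d: dict) -> Optional[str]:
    minimum = MIN_OS_VERSION[d["os"]]
    if parse_version(d["os_version"]) < parse_version(minimum):
        return f"OS {d['os_version']} below minimum {minimum}"
    return None

def rule_blocked_apps(d: dict) -> Optional[str]:
    apps = d["blocked_apps_present"]
    return f"blacklisted apps installed: {', '.join(apps)}" if apps else None

def rule_inactive(d: dict) -> Optional[str]:
    # A device that has not checked in for a long time may be lost and unreported.
    idle_days = (AUDIT_DATE - date.fromisoformat(d["last_seen"])).days
    if idle_days > MAX_INACTIVE_DAYS:
        return f"inactive for {idle_days} days (possible unreported loss)"
    return None

RULES: List[Rule] = [rule_passcode, rule_encryption, rule_os_version,
                     rule_blocked_apps, rule_inactive]


def evaluate(inventory: List[dict], rules: List[Rule] = RULES,
             ownership: Optional[str] = None) -> Dict[str, List[str]]:
    """Map device id -> list of findings for every device in scope.
    An empty list means the device is compliant. `ownership` narrows the
    audit scope, e.g. "byod" to audit only personal devices."""
    results: Dict[str, List[str]] = {}
    for d in inventory:
        if ownership is not None and d["ownership"] != ownership:
            continue  # out of the audit scope
        results[d["id"]] = [f for f in (rule(d) for rule in rules) if f]
    return results


def summarize(results: Dict[str, List[str]]) -> dict:
    """Split results into compliant ids and non-compliant ids with reasons."""
    return {
        "compliant": sorted(i for i, f in results.items() if not f),
        "non_compliant": {i: f for i, f in results.items() if f},
    }


def render_report(results: Dict[str, List[str]]) -> str:
    """Plain-text audit report of the kind you would schedule into an inbox."""
    summary = summarize(results)
    lines = [f"Audit date: {AUDIT_DATE.isoformat()}",
             f"Devices in scope: {len(results)}",
             f"Compliant: {len(summary['compliant'])}",
             f"Non-compliant: {len(summary['non_compliant'])}", ""]
    for device_id, findings in sorted(summary["non_compliant"].items()):
        lines.append(f"{device_id}:")
        lines.extend(f"  - {finding}" for finding in findings)
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_report(evaluate(INVENTORY)))
```

Each rule is a small function that returns either a finding or None, so adding a rule for a new policy (say, a required app or a jailbreak flag) means adding one function to `RULES` without touching the evaluation or reporting code. Run with `ownership="byod"` to reproduce the scope from step 3 above, where only personal devices are checked.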

At the end of the day…

Auditing should not be seen as the solution to risk management. It is only the starting point of the never-ending process of securing your organization against threats. Still, the importance of auditing and risk management cannot be underestimated. After all, what begins well will most probably end well.

Emily Brown

Reading is therapy and writing is healing...sincerely, a cool nerd.
