It shouldn’t surprise anyone when the authors of Georgia Tech’s 2014 Emerging Cyber Threats Report say that, “the vast majority of employees now bring mobile devices into the workplace and expect to be able to use their smart-phones and tablets to work from anywhere”. The “Bring Your Own Device” phenomenon is also associated with the rapid rise in data being exported outside organizations' traditional security boundaries.
The increasing use of personal devices to perform work related functions and access employer data creates unique challenges for companies and ultimately their IT staff members. I can’t think of a client I’ve worked with in the past 2 years that wasn’t concerned about, if not actively addressing, the implications of BYOD.
As BYOD is transforming the workplace; many organizations are working to implement strategies and tools that will enable all involved (employees and employers) to realize the related benefits without increasing security related exposures.
What are some of the potential exposures and how are organizations addressing them?
- Platform specific vulnerabilities – The days when Blackberry devices were ubiquitous in corporate environments are gone. Today, organizations may find themselves dealing with iOS, Android, Windows and Blackberry devices. Each device/operating system can have its own security features and vulnerabilities. (e.g. Researchers at Ben-Gurion University in Israel recently reported an active Android vulnerability that allows malicious applications to bypass an active VPN connection). Clients are minimizing exposures by not allowing some device/operating system combinations to access their network and also by requiring all traffic to be encrypted.
- Application related exposures – Vulnerabilities can come from multiple sources. Malware can be introduced via apps the user has installed for personal use. Here, Android devices are widely thought to be more vulnerable than iOS devices due to Android’s relatively open application delivery approach. Organizations are mitigating these risks by limiting the apps that can be installed on devices accessing the corporate network. Companies are also beginning to employ mobile security solutions that containerize applications; i.e. separate personal apps and data from company apps and data.
Exposure can also come from enterprise developed apps as a result of bad practices on the part of company developers. Organizations can mitigate these risks by implementing and enforcing application security policies for developers. Robust application testing protocols also help identify issues before deployment.
- User related exposures – Organizations also risk exposure as a result of bad behavior by employees, device loss and theft. Most clients we encounter have developed policies that inform employees of things they must and must not do on their mobile devices. Policies typically require things like the use of passcodes to enable data encryption, and prohibit things like modifying or removing manufacturer provided security protections (called “rooting” or “jail breaking”). However, defining policies is not enough. Policies must be enforced to be truly effective.
Our experience is that organizations are increasingly searching for and implementing automated tools to facilitate management of the devices being used to access their networks. The good news is that integrated solutions are available that provide mobile device, application and security management capabilities in a single wrapper. These tools also provide the ability to wipe data from lost or stolen devices.
- File-sharing related exposures – While cloud-based file-sharing services like Dropbox, Google Drive and Box.net are not exclusively associated with the use of mobile devices, their use has certainly increased as employees look for ways to collaborate from wherever they are on the device of their choice. It is surprising how many organizations don’t prohibit or aggressively manage the use of such services for sharing work related documents. Those who do allow and manage their use, typically opt for a business or enterprise version that provides enhanced authentication and security features, limits sharing documents outside the team and offers robust reporting capabilities.
Your employees are using their personal devices to access your network and share documents, whether you know it or not. What steps have you taken to identify and mitigate BYOD related threats?
At SAI, we want to ensure that you are supporting your users, but at the same time not increasing security related issues. Get in touch if you’re interested in learning more.