Can Employees Have It All? Security Challenges with BYOD

More and more employees are using their personal devices at work. Bring your own device (BYOD) permits employees to use technology they know well. It allows them to be more efficient and productive in their work. It supports employees in balancing their personal and professional lives.

In a survey by Tech Pro Research, 74% of companies were using or adopting BYOD. More companies are willing to embrace BYOD. It not only helps them save on technology purchases, but clears the way for improved productivity. At the same time it creates a unique set of security challenges.

Risks Created by BYOD

Significant effort is used to keep a company’s network safe from the onslaught of security threats. With the addition of BYOD, added risks need to be accounted for and mitigation strategies need to be put into place to prevent data breaches.

With BYOD, companies feel a loss of control in protecting their network. Employees aren’t always aware of their risky behavior like accessing an unsecure Wi-Fi connection with the same device they use to access the company’s network. An unsecure Wi-Fi can expose the device to all manner of attacks including , data theft, ransomware and other malware.

Other security challenges posed by BYOD are:

• If a phishing attack is instigated from a BYOD, IT loses visibility into the origins of the attack. It makes it difficult to do any forensic investigation.
• When corporate emails are accessed via a BYOD, there is a loss of data visibility.
• If a BYOD bypasses inbound and outbound filters, it increases the risk of malware on the device.
• Employees losing their phone or having it stolen.
• Apps installed on the phone. Some apps have been found to carry malware.

Securing Company Data

Companies need to create a BYOD policy and incorporate it into the security policy to reduce vulnerabilities in the network. Contents of the policy should reflect what works best for the company and employees. Some key features of the policy that should be considered are:

• Mandatory use of passwords.
• Mandatory installation of anti-malware.
• Timeout functions enabled to ensure a BYOD is automatically locked when inactive for even a short period
• Using Mobile Device Management (MDM) to track and delete sensitive data. MDM can enable the company to create a virtual partition on the device to store corporate related data. It gives a company some level of control of the data accessed and stored on the device.
• Establish a procedure for lost or stolen devices. For example, in the case of a lost phone the company will remotely delete all corporate data.
• Create a list of acceptable devices. Not all devices available on the market will meet the company’s security criteria. Employees should be made aware of which devices the company is willing to support.
• Include and enforce other rules like forbidding the use of jailbroken phones. These are devices that had their iOS software restrictions removed allowing root access.
• Create a list of unacceptable apps.
• Develop a strategy to monitor BYOD.
• Encrypt any corporate data stored on the device.
• Provide training programs for employees on the BYOD policy, how to watch for suspicious activities on their devices and other safety precautions.
• Consider restricting app store purchases to only stores like Google Play and the Apple App Store, as some third parties app providers may sell malware compromised apps.
• Encourage employees to back up their personal data.

Conclusion

Can employees really have it all? Can they enjoy the convenience and familiarity of their own devices without inviting serious security risks? There is no question that the benefits can outweigh the risks, but only if companies resolve to board BYOD with caution backed by a solid strategy. To accommodate BYOD, companies must incorporate and re-enforce BYOD best practices and policy within the company. Once the BYOD policy is established and is in place within the organization, it will need to be routinely updated. This requires tight collaboration between employees and employers. New technology and apps are always being released. The BYOD policy will need to be revised to keep up-to-date with the latest security requirements to ensure it doesn’t become the new backdoor of choice for cybercriminals.