Holding off from adopting a BYOD policy is an uphill battle. In the past five years alone, we’ve seen a number of significant shifts in technology and workplace culture. With these new changes come new security risks, so how do we address them?
With the rise of cloud computing, the proliferation of personal smart devices, and the growth of work-from-home policies, Bring Your Own Device (BYOD) policies have gained incredible popularity. These policies let employees use their own preferred mobile devices (laptops, smartphones, etc.) for work purposes instead of being restricted to company-provisioned devices. Needless to say, there are lots of benefits to these policies: they keep your people happy, and they often eliminate the need to provision (and purchase) new devices, especially cell phones. But, as with all things, there’s good and bad. The BYOD trend has also introduced its fair share of security concerns. Below we’ll take a look at the top security concerns and how enterprises can shape their BYOD strategy to address them.
What is BYOD and How Does it Work?
BYOD is the relatively new practice of organizations allowing their employees to use their own personal devices for business use. While smartphones are the most common example of this practice, the BYOD movement also extends to laptops, tablets, and even wearables. BYOD is part of the larger trend known as ‘IT consumerization’, in which consumer software and hardware are used in the enterprise environment. Within BYOD, employee-owned devices are often sanctioned by an organization alongside corporate-provisioned devices, while other businesses opt for a ‘shadow IT’ approach. With ‘shadow IT’, hardware and software are used within an enterprise but are not supported by the organization’s central IT department.
What are the Benefits of BYOD?
For BYOD users, the freedom to work from their choice of personal devices, as well as the ability to work from anywhere at any time, has been a game-changer. On the other end of the spectrum, employers have the benefit of not needing to provide mobile devices to their employees while still being able to keep personal devices connected to the central communications system, saving thousands.
What are the Risks of BYOD and How can Enterprises Address Them?
With all the benefits of BYOD policies come some serious challenges as well. IT teams need to take care to acquaint themselves with the wide range of security challenges that accompany BYOD. Below are some of the most pressing concerns related to BYOD and how organizations can protect themselves.
Managing Lost or Stolen Devices
Think about all the times you’ve needed to turn back because you’ve left your phone in a restaurant booth. Now imagine you don’t find it there: it’s been stolen. Really gets your anxiety going, right? Now imagine that your phone holds sensitive business data and the stakes rise two-fold. While mobile devices are often stolen for their value alone, it’s becoming increasingly common for personal data to be accessed and sold or used after a theft. With the combination of personal and private corporate data on one device, the risk of information leaking becomes a very real possibility.
To combat the risks associated with losing a BYOD device, users should enroll in ‘Find my Device’ and remote wipe services. With these services, users can not only track a lost device if they forget it somewhere, but they can also have their device’s data wiped as a last resort. That being said, all enterprise users should back up their data on a regular basis. Having backup and recovery procedures in place should greatly reduce the fallout of a lost or stolen device.
Many users fail to use basic common sense when it comes to securing their smart devices. Strong password protection is something that should be applied to all devices, whether corporate or private. While many individuals don’t use password protection on their devices, many that do often fail to meet best practices, employing simple passwords for their convenience. Think about it: a password with the digits ‘1-2-3-4’ isn’t that hard to guess if you’re a thief. In fact, they might be the first four digits a thief tries to enter. By setting a strong password/access code on a device, organizations have set up the first and most important obstacle for stopping an attack. What’s more, biometric access controls, such as fingerprints or facial ID, are even more secure.
Network Monitoring and BYOD
BYOD, when implemented in a thoughtful way, can be liberating for employees. However, when implemented poorly, the policy can be burdensome for IT teams as they race to keep up with changing capacity requirements, application and network usage, and more. With a network monitoring tool, IT teams have access to all this information, along with additional information such as BYOD and location. Having access to these metrics allows IT teams to implement better security, plan for improved Wi-Fi, and more.
Securing Devices through Mobile Device Management
An organization with a BYOD policy should employ a robust mobile device management (MDM) solution to secure user devices. Enterprise mobility management software can enforce certain company security policies and guarantee that only approved devices are able to access the corporate network.
MDM software is also capable of protecting a device from downloading malicious mobile applications. There are a number of dangerous mobile applications out there with the sole purpose of corrupting device software and accessing private information stored on the device. With both company and personal data being stored on a device, this can be a real concern for organizations using a BYOD program at their office. With an MDM solution, organizations can ensure that only trusted applications can be downloaded onto a device. It should be noted that even if the company has developed an application in-house, it may still be vulnerable to attacks. Enterprises should ensure that their mobile apps meet certain security standards to prevent data breaches.
The Importance of Encryption
Encryption is absolutely essential for device security. Without encryption, data can be intercepted with ease while it is in transit or at rest. Encryption is capable of doing much more than just keeping an attacker from accessing private information on a mobile device. While a password may present one obstacle to keep an attacker from accessing your device, encryption technology takes into account the possibility that the attacker may still bypass the password. With multiple layers of security, known as “defense in depth”, organizations can be more certain that BYOD devices remain fortified. Data is often at its most vulnerable when it’s in transit. By investing in strong encryption tools, organizations are able to protect their network infrastructure and all the company data passing through public Wi-Fi networks.
Mobile Devices Can Make DDoS Attacks Easier
Mobile device APIs rarely include sufficient rate limits, and they’re often vulnerable to DDoS attacks. As the requests generated in such a DDoS attack are made from within the network, they can be harder to detect. Future DDoS attacks may look to use mobile devices to target specific application-layer resource bottlenecks. Security teams should keep an eye out for this approach, as it’s more difficult to pick out than ‘outside DDoS attacks’ because the requests often fit in with typical queries.
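
One way to add the missing rate limit on the API side is a token bucket kept per enrolled device, which also gives the security team a list of devices that keep getting throttled. The sketch below is an added example, not part of the original article; it assumes each request is already authenticated to a device ID, and the device names, rates and threshold are hypothetical.

```python
from dataclasses import dataclass


@dataclass
class Bucket:
    tokens: float   # requests the device may still make right now
    updated: float  # timestamp of the last refill, in seconds


class DeviceRateLimiter:
    """Token bucket per device: `rate` requests/second sustained, `burst` at most."""

    def __init__(self, rate: float, burst: int):
        self.rate, self.burst = rate, burst
        self.buckets: dict[str, Bucket] = {}
        self.rejected: dict[str, int] = {}

    def allow(self, device_id: str, now: float) -> bool:
        b = self.buckets.setdefault(device_id, Bucket(self.burst, now))
        # Refill for the time elapsed since the last request, capped at the burst size.
        b.tokens = min(self.burst, b.tokens + max(0.0, now - b.updated) * self.rate)
        b.updated = now
        if b.tokens >= 1.0:
            b.tokens -= 1.0
            return True
        self.rejected[device_id] = self.rejected.get(device_id, 0) + 1
        return False

    def noisy_devices(self, threshold: int) -> list[str]:
        """Devices throttled at least `threshold` times: candidates for review."""
        return sorted(d for d, n in self.rejected.items() if n >= threshold)


def replay(events, rate=1.0, burst=5, threshold=10):
    """Run (timestamp, device_id) events through the limiter; return allowed counts and flagged devices."""
    limiter = DeviceRateLimiter(rate, burst)
    allowed: dict[str, int] = {}
    for ts, device in sorted(events):
        if limiter.allow(device, ts):
            allowed[device] = allowed.get(device, 0) + 1
    return allowed, limiter.noisy_devices(threshold)


# Constructed sample traffic: one phone polling every 2 s, one tablet sending
# 100 requests 10 ms apart. Device IDs are hypothetical.
SAMPLE = [(i * 2.0, "phone-a") for i in range(10)] + \
         [(i * 0.01, "tablet-b") for i in range(100)]

if __name__ == "__main__":
    print(replay(SAMPLE))
```

Because the limit is keyed on the device rather than the source address, it still applies when the requests originate inside the corporate network, and the throttle counts feed directly into monitoring.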