Cybersecurity Concerns in a BYOD World

Mike McEnaney

The enterprise is quickly discovering, and increasingly accommodating, the fact that people today want to use a wide range of mobile devices and apps to access enterprise assets, interact with corporate data, and collaborate with their colleagues. However, because mobile began as a consumer technology, many of these devices lack the security and administrative functions that IT and security teams use to manage traditional endpoints such as laptops and desktops.

A growing number of employees want to use their own devices, and enterprises want to realize the productivity gains that come with BYOD. But despite the advantages this approach brings, it also presents a potentially huge problem for the enterprise when you consider the vulnerability of these devices to cyber attack.

Numbers Tell a Tale of Concern

A quick glance at what some of the major research firms are reporting with regard to this issue highlights the growing concerns:

• In 2015, Tech Pro Research reported that 74 percent of organizations allow, or plan to allow, employees to use their personal mobile devices for work.

• Twice as many employee-owned devices will be used for work than enterprise-owned devices by 2018, according to Gartner.

• 5.2 million smartphones were lost or stolen in the U.S. in 2014 according to Consumer Reports. 

• According to a 2015 report conducted by CyberEdge Group, almost 60% of the enterprise security decision makers they polled cited mobile devices as their weakest security link.

• Ernst & Young reports that 56% of enterprises admit they are unlikely to detect a sophisticated threat.

The numbers begin to tell a troubling story, and the mobile tsunami within the enterprise today shows no signs of slowing down.

“The tools available to an enterprise to manage mobile devices are still in a growing phase. The big risks now are the company losing data or opening a new angle for attackers, and the shortcoming of some of the current systems is that when the data gets wiped remotely (to avoid data loss, for example), personal communications and mementos are considered acceptable collateral damage, and I’d love to see that change,” said Jon Rudolph, principal software engineer at Core Security. “Until the hardware and software get to a place where just the enterprise portion of a device can be safely wiped, even when the personal side of a device may be compromised, it’s going to be an active battleground. That’s no small task. I think you could compare this era to turn-of-the-century urban planning, discovering that zoning some of the heavy industries in close proximity to residences is a risk not worth taking, and that evaluating what absolutely needs to be available on devices is going to save you trouble down the line.”

FTC Steps In…

In order to gain a better understanding of the growing security issues in the mobile ecosystem, the Federal Trade Commission has issued orders to eight mobile device manufacturers requiring them to provide the agency with information about how they issue security updates to address vulnerabilities in smartphones, tablets, and other mobile devices.

The eight companies receiving orders from the FTC are: Apple, Inc.; Blackberry Corp.; Google, Inc.; HTC America, Inc.; LG Electronics USA, Inc.; Microsoft Corp.; Motorola Mobility, LLC; and Samsung Electronics America, Inc.

Among the information recipients must provide under the FTC orders are:

• The factors that they consider in deciding whether to patch a vulnerability on a particular mobile device;

• Detailed data on the specific mobile devices they have offered for sale to consumers since August 2013;

• The vulnerabilities that have affected those devices; and

• Whether and when the company patched such vulnerabilities.

“With the explosive growth of mobile applications in different areas, whether consumer or enterprise mobility, the need for strong security is very critical. In enterprise mobility, specifically with enterprises deploying BYOD, top concerns are related to security,” explained Smrithi Konanur, Global Product Manager - Payments, Web, & Mobile at HPE Security-Data Security. “Mobile data security, application security and data breaches are some of the top concerns to CISOs. The need to safeguard sensitive data in mobile environments throughout the data lifecycle, at rest, in motion, and in use becomes critical to ensure end-to-end data protection.”  

Doug Cahill, Senior Analyst, Cybersecurity, Enterprise Strategy Group, Inc., added, “BYOD is a manifestation of the consumerization of IT, the security risk of which is compounded when users access cloud applications that are also unmanaged, and thus not secured by corporate IT. This double whammy of Shadow IT represents a risk of data loss and creates a new attack vector for the introduction of malware. And the issue is prevalent. Gaining visibility into and applying controls for the use of these apps when accessed from non-company-issued, managed and secured devices requires both new methodologies and technologies.”

A Hot Topic

Allowing employee-owned mobile devices doesn’t have to mean accepting all BYOD risks. Intel Security’s cybersecurity and privacy director, Bruce Snell, left us with these thoughts as well as a few potential solutions.

“Mobile malware continues to grow at a rapid pace. In 2015, the number of unique mobile malware went from 6,000,000 to over 12,000,000,” Snell said. “As attackers continue to turn their focus towards mobile devices, enterprises need to take precautions to prevent cybercriminals from using an employee’s mobile device as a backdoor into the protected network.”

Some Mobile Cybersecurity Intelligence from Intel:

• To prevent an infected device from accessing sensitive information, mobile devices should have a dedicated Wi-Fi network at the office that does not connect to internal company resources. 

• Malware typically takes advantage of system and application vulnerabilities to exploit a device. Organizations wanting to provide access to company email on an employee’s device should take advantage of a mobile device management solution to make sure employees are only accessing company email from devices that have the latest OS updates and (for iOS) are not jailbroken.

• It’s also important that organizations educate employees about the dangers of clicking suspicious links in emails or text messages. Even if the email is from someone you know, they could still be sending malware without their knowledge.
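The second recommendation above, gating company email on device posture, is the kind of rule an MDM or conditional-access system evaluates on every check-in. The following is an added example written for this article, not code from Intel or from any MDM product: it models that policy as a small posture check over a constructed device inventory. The platform names, the approved-version table, the record fields and the device IDs are all assumptions made for the illustration; a real MDM exports its own schema. It also goes slightly beyond the text by treating a rooted Android device the same way as a jailbroken iPhone, and by failing closed when a device is not enrolled or reports an OS version the check cannot parse.

```python
"""Posture check for conditional access to company email (added example).

A device is allowed through only if it is enrolled in MDM, runs at least the
approved OS release for its platform, and is not jailbroken/rooted.  Every
value below is constructed for illustration, not taken from a real MDM.
"""
from dataclasses import dataclass, field

# Constructed: the newest OS release the organisation has approved, per platform.
# In practice this table is refreshed from the MDM or vendor feed on each update.
LATEST_OS = {"ios": (9, 3, 2), "android": (6, 0, 1)}


@dataclass
class Device:
    device_id: str      # hypothetical inventory identifier
    platform: str       # "ios" or "android"
    os_version: str     # dotted version string as reported by the MDM agent
    jailbroken: bool    # jailbreak/root detection flag from the agent
    mdm_enrolled: bool  # agent installed and checking in


@dataclass
class Verdict:
    device_id: str
    allowed: bool
    reasons: list = field(default_factory=list)  # why access was denied


def parse_version(text):
    """'9.3' -> (9, 3, 0).  Returns None for anything that is not all-numeric,
    so a garbled or missing version never compares as 'new enough'."""
    parts = text.strip().split(".")
    if not all(p.isdigit() for p in parts):
        return None
    nums = tuple(int(p) for p in parts)
    return (nums + (0, 0, 0))[:3]


def fmt(version):
    return ".".join(str(n) for n in version)


def evaluate(device, latest=LATEST_OS):
    """Apply the posture policy to one device; deny on any failed check."""
    reasons = []
    if not device.mdm_enrolled:
        reasons.append("not enrolled in MDM; posture cannot be verified")
    required = latest.get(device.platform.lower())
    if required is None:
        reasons.append(f"unsupported platform {device.platform!r}")
    else:
        version = parse_version(device.os_version)
        if version is None:
            reasons.append(f"unparseable OS version {device.os_version!r}")
        elif version < required:
            reasons.append(f"OS {fmt(version)} is older than required {fmt(required)}")
    if device.jailbroken:
        reasons.append("device is jailbroken/rooted")
    return Verdict(device.device_id, allowed=not reasons, reasons=reasons)


def evaluate_inventory(devices, latest=LATEST_OS):
    """Map device_id -> Verdict for a whole inventory export."""
    return {d.device_id: evaluate(d, latest) for d in devices}


# Constructed sample inventory covering the compliant case and each failure mode.
SAMPLE_INVENTORY = [
    Device("ios-001", "ios", "9.3.2", jailbroken=False, mdm_enrolled=True),
    Device("ios-002", "ios", "9.2.1", jailbroken=False, mdm_enrolled=True),
    Device("ios-003", "ios", "9.3.2", jailbroken=True, mdm_enrolled=True),
    Device("ios-004", "ios", "9.3.2", jailbroken=False, mdm_enrolled=False),
    Device("and-001", "android", "6.0.1", jailbroken=False, mdm_enrolled=True),
    Device("and-002", "android", "unknown", jailbroken=False, mdm_enrolled=True),
]

if __name__ == "__main__":
    for verdict in evaluate_inventory(SAMPLE_INVENTORY).values():
        status = "ALLOW" if verdict.allowed else "DENY "
        print(f"{status} {verdict.device_id}: {'; '.join(verdict.reasons) or 'compliant'}")
```

The important design choice is that every check fails closed: an unenrolled device, an unknown platform, or a version string the agent could not report cleanly all end in a denial with a recorded reason, which is also what a help desk needs to tell the employee what to fix. The reasons list doubles as an audit trail if the verdicts are logged.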