BYOD vs. enterprise security: Is it possible to have both?
Weighing the advantages of a BYOD policy against the potential security risks can prove challenging.
The popularity of BYOD—the policy of allowing employees to use their own devices to connect to corporate networks—has grown dramatically since the idea first emerged around 2009. As the popularity of smartphones and tablets has grown, some say businesses would be unable to stop employees from bringing personal devices into the workplace, even if they wanted to. As a result, many businesses have adopted flexible practices that cater to the mobile culture.
BYOD holds several advantages for the enterprise. It’s convenient for employees, enables workplace flexibility, improves workflows and can save the enterprise the cost of buying mobile devices for the staff that need them.
“BYOD enhances business productivity by allowing employees to use the OS environment and tools they are most comfortable with, from locations that they are most productive from,” said Elias Manousos, CEO and co-founder of RiskIQ.
But BYOD can also be a challenge for IT and security departments, because it essentially puts corporate security into the hands of employees. Any decisions an employee makes about that device—from failing to keep the software up to date to using unsecured Wi-Fi networks—ultimately puts the enterprise and its data at risk.
“These mixed-use devices get exposed to attacks that may be targeting the employee's financial or personal information and not necessarily the organization they work for,” said Manousos. “This dramatically increases the potential attack surface, and hence the IT security risk the enterprise faces.”
Even worse, several studies have found people generally have a lax attitude toward mobile security. Avast, a Czech-based security and antivirus firm, conducted a test in February to see how many people would log on to free, unsecured Wi-Fi hotspots at the Barcelona Airport. Despite the lack of network security, more than 2,000 users connected over the course of a few hours, Avast said. In almost two-thirds of the cases, researchers could see the identity of both the device and the user.
A February study from Allot Communications found that mobile business users have the highest chance of incurring malware. The study analyzed the mobile data records from a random sample of 500,000 mobile users over the course of seven days and found that 79% of businessmen and 67% of businesswomen use risky apps every day. And even though the users' applications were protected when they were downloaded, the employees' ongoing use made them vulnerable to malware.
“In a BYOD world, employees need to be fully aware that their personal mobile activities, such as accessing pirated content, can materially impact the security of their employer,” said Manousos.
RiskIQ recently undertook its own study of piracy sites for the Digital Citizens Alliance, revealing that individuals who stream or download pirated content online are 28 times more likely to get malware than those who obtain content using legitimate services. That also means there is a 28 times higher risk of malware making its way into the corporate network from employees' own devices.
Of the piracy sites studied by RiskIQ, 33% had at least one malware incident within the four-week period studied, while 20 of the piracy sites exposed 75% of visitors to malware. Of the malware found, 45% were drive-by downloads, which infect users silently, as users do not need to click on anything after arriving on a malicious page. Drive-by downloads often go completely undetected. The remaining 55% of malware lured users with prompts to download Flash or anti-virus updates, according to the study.
Here comes IoT
Meanwhile, the Internet of Things (IoT) has begun to take shape over the last year or so, and appears ready to explode. Gartner predicts there will be 25 billion or more IoT devices connected to the Internet by 2020. As it evolves, IoT may escalate BYOD security concerns.
“As IoT takes off, and every connected device employees bring in is either directly or indirectly accessing the company’s wired/wireless IP network, the company may not own or even manage the device the employee brought. This can mean new challenges for IT,” said Jean Turgeon, vice president and Chief Technologist, Software Defined Architecture at Avaya.
“The IT department is accountable to ensure smooth onboarding of said device while protecting the network from it,” Turgeon said. “And if a security breach occurs, IT takes the heat.”
It’s unlikely that the blurred line between work and personal devices will change anytime soon, so what can enterprises do to help protect themselves in the new world of BYOD and IoT?
Manousos suggests organizations start by educating their employees.
“Educate employees on threats like phishing, drive-by downloads, exploit kits and malware targeting them, and the potential consequences to the enterprise,” he said.
Turgeon said enterprises should also attempt to simplify and protect their networks as best they can.
“The number one barrier to adopting stronger security as it relates to BYOD is the complexity it brings with it,” said Turgeon. “Therefore, it is imperative that we simplify network architectures, implement smart, multilayer security capabilities that overcome the inherent vulnerabilities in traditional IP networks, simplify policy-based access control, and enable fine granular levels of network segmentation and isolation.”
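To make the last two recommendations concrete, here is an added example (not code from RiskIQ, Avaya, or the article) of the kind of policy-based access control that drives network segmentation for BYOD and IoT devices. Every device that connects is described by a small posture record; a fixed, ordered rule set maps it to a segment, and each segment has an explicit allow-list of destinations. The device fields, segment names, rule order, and destination names are all assumptions chosen for illustration; the policy itself mirrors the risks the article names: unpatched software, unmanaged personal devices, and IoT hardware the company does not own.

```python
"""Policy-based segment assignment for BYOD and IoT devices (hypothetical example).

A device is placed in the most restrictive segment any failing check calls for;
later, more permissive rules never override an earlier restrictive one.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, Iterable, Set


class Segment(Enum):
    CORPORATE = "corporate"        # full access to internal resources
    BYOD_LIMITED = "byod-limited"  # mail and SaaS only, no internal file shares
    IOT = "iot"                    # isolated segment, vendor cloud egress only
    QUARANTINE = "quarantine"      # remediation portal only


@dataclass(frozen=True)
class Device:
    """Posture record a NAC/onboarding system would collect (assumed fields)."""
    device_id: str
    owner: str              # "corporate" or "employee"
    kind: str               # "laptop", "phone", "tablet" or "iot"
    mdm_enrolled: bool      # managed by the enterprise's MDM
    os_patched: bool        # OS is within the patch policy window
    user_authenticated: bool


# Per-segment allow-lists: this is the "segmentation and isolation" part.
# Destination names are constructed for the example.
ALLOWED_DESTINATIONS: Dict[Segment, Set[str]] = {
    Segment.CORPORATE: {"internal-fileshare", "email", "saas", "internet"},
    Segment.BYOD_LIMITED: {"email", "saas", "internet"},
    Segment.IOT: {"vendor-cloud"},
    Segment.QUARANTINE: {"remediation-portal"},
}


def assign_segment(d: Device) -> Segment:
    """Ordered rules, most restrictive first."""
    if d.kind == "iot":
        # IoT devices never share a segment with user devices, whoever owns them.
        return Segment.IOT
    if not d.user_authenticated:
        return Segment.QUARANTINE
    if not d.os_patched:
        # Out-of-date software is the first risk the article names.
        return Segment.QUARANTINE
    if d.owner == "corporate" and d.mdm_enrolled:
        return Segment.CORPORATE
    # Personal devices, enrolled or not, get the reduced-trust segment
    # (an assumed policy choice; some organizations grant more to enrolled BYOD).
    return Segment.BYOD_LIMITED


def is_allowed(d: Device, destination: str) -> bool:
    """Would the segment policy let this device reach this destination?"""
    return destination in ALLOWED_DESTINATIONS[assign_segment(d)]


def summarize(fleet: Iterable[Device]) -> Dict[str, int]:
    """Count devices per segment, e.g. for an onboarding dashboard."""
    counts: Dict[str, int] = {s.value: 0 for s in Segment}
    for d in fleet:
        counts[assign_segment(d).value] += 1
    return counts


# Constructed sample fleet for a stand-alone run.
SAMPLE_FLEET = [
    Device("lt-001", "corporate", "laptop", True, True, True),
    Device("ph-042", "employee", "phone", False, True, True),
    Device("tb-007", "employee", "tablet", True, False, True),   # unpatched
    Device("cam-3", "employee", "iot", False, True, False),      # personal IoT
    Device("lt-002", "corporate", "laptop", True, True, False),  # no user login
]

if __name__ == "__main__":
    for dev in SAMPLE_FLEET:
        seg = assign_segment(dev)
        print(f"{dev.device_id:8} -> {seg.value:13} "
              f"fileshare={is_allowed(dev, 'internal-fileshare')}")
    print(summarize(SAMPLE_FLEET))
```

The design point is that the rules are ordered and short-circuit: the first failing check decides, so adding a new permissive rule at the bottom can never widen access for a device that already failed a posture check above it. Real NAC products evaluate far more signals, but the shape (posture in, segment out, per-segment allow-list) is what keeps the policy simple enough to audit.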