3 BYOD security risks and how to prevent them

A BYOD model offers convenience and flexibility, but it also creates security concerns. Here are the key mobile BYOD security risks that IT should consider and how to manage them.

The increasing popularity of BYOD may lead to reduced costs for businesses and greater flexibility for mobile users, but security concerns are dark clouds on the horizon.

The lines between what is a work device and what is a personal gadget in a work-from-home world are becoming increasingly blurry. This puts organizations in a dangerous position. A 2020 Kaspersky survey found that 73% of employees had not received cybersecurity guidance on working remotely. Staff working from home have also increased the use of online services for work such as video conferencing and other services that IT departments haven't approved.

When crafting a BYOD policy, IT administrators must prioritize security and keep myriad considerations such as the organization's compliance obligations in mind. A BYOD-related security breach can lead to the loss of crucial information and severely compromise an organization's image. For instance, the U.S. Department of Health has put up a wall of shame listing healthcare providers' security breaches. These often involve theft, hacking or unauthorized access or disclosure, all of which could end in legal cases against companies or providers.

In an ideal world, organizations would own and secure all their own endpoints, as employee-owned devices are untethered from IT's direct control and require new considerations about employee privacy, further complicating management and security concerns. However, this will never happen, and many organizations allow employees to bring their own mobile devices into a work setting.

Why BYOD presents unique risks

Security is a multifaceted issue with any mobile device strategy. BYOD devices, however, present a more complicated security picture than corporate-owned endpoints. Aside from business data, employee-owned mobile devices often contain a user's personal information. As a result, installing applications and utilizing tools that allow organizations to manage sensitive corporate data is key to mitigating BYOD security threats.

This approach requires substantial internal enterprise security expertise and adds significantly to the corporate budget. Organizations in turn often ignore the inherent risks that come with BYOD, taking advantage of the convenience it offers without considering the potential consequences.

Chart comparing the rates of employees increasing their use of different services without notifying their IT departments.

For example, many organizations unwittingly expose themselves to data theft by encouraging staff to use their own Apple or Google ID. These personal logins synchronize data to the cloud for all devices associated with that account unless the users or IT admins set the services to prevent this. Therefore, any employee can download corporate data onto their own device using their individual password. When employees leave the workplace, sensitive corporate and confidential client data follows them out of the building.

Failure to recognize and address this issue and other vulnerabilities can result in a costly security crisis.

Unclear security protocols

What sets BYOD apart from other mobile device policies is the control it gives employees, but putting data security into the hands of inexperienced users can cost organizations. In 2019, Kaspersky Labs reported that 90% of all security breaches involved social engineering to some extent.

In some cases, employees can compromise security by deliberately bypassing IT's supervision. Employees often say they can work faster if they are able to get around their organization's IT department, which has led to the growth of shadow IT: the use of IT devices, applications and systems without the knowledge of the actual IT department.

Surveying 800 employees and IT managers from large organizations, software company Beezy found that 40% of staff use collaboration or communication applications that aren't approved by their employer. This trend has grown during the pandemic, with many more employees working from home, out of sight of a corporate IT department.

Often, security breaches come down to organizations taking little time and effort to train and educate their employees on security procedures. Having new hires simply read a leaflet that covers security protocols may not be enough.

When users don't adhere to protocols such as strong passwords, the results can be disastrous. The unauthorized third-party breach of GoDaddy's WordPress hosting environment because of a compromised password in November 2021 exposed up to 1.2 million WordPress customers' emails. To prevent the damage that can come from a seemingly small mistake, organizations must clearly communicate and enforce strong security policies for all employees and users that may access an organization's data.

All of this goes to show that device security is device ownership, meaning organizations can only truly secure their endpoints if they own them. Despite this, the BYOD device trend will continue unabated, meaning organizations will need to monitor every device on their corporate network and alert IT staff the moment a unit is compromised.

Mobile malware

Malware is storming Android devices and iPhones everywhere. Each day, smartphone users inadvertently download malicious software to their devices, allowing malevolent actors to pinpoint their location, steal sensitive data and even uninstall security programs on the fly.

The same security risks are present in the enterprise with BYOD units. Data leakage becomes a major risk when an employee shares data with a malicious third-party program hiding in plain sight on the app store. For instance, Pokémon GO came under scrutiny when the vast popularity of the game spurred hackers to upload an Android version that included a remote access Trojan (RAT), which allowed these cybercriminals to take complete control of the BYOD smartphone.

IT departments must decide whether they will allow employees to download non-work apps onto their devices, particularly as malware often hides in these innocent-looking programs on the app store. But of course, BYOD limits what IT administrators can mandate on a user-owned mobile device. There can also be preinstalled malware on devices, such as xHelper, which keeps reinstalling itself. 

Device hacking, loss or theft

Organizations can deal with catastrophic consequences as a result of device hacking, loss or theft. South Korean cryptocurrency exchange Bithumb infamously ran into this problem in 2017 when a hacker accessed an employee's home computer and stole personal data on 30,000 customers.

Mobile devices are easier to lose than other endpoints, which makes mobile BYOD especially risky. The risks that come with mobile device loss or theft are even greater if workers do not follow their organization's security procedures or have weak password protection for their applications. With more sophisticated hacking tools, even strong passwords and biometric readers can be hacked by a persistent criminal.

Ideally, the user should alert IT as soon as possible when a device is lost or stolen, allowing the crew to lock down or wipe the unit right away. BYOD devices are more difficult to control and secure in these situations, however, because they often contain both business and personal data. Ensuring the separation of corporate and personal data and creating a plan for when devices are compromised is important to building a successful BYOD policy. IT administrators should address questions such as: can they wipe a lost device, how long do they have to wait to wipe it, or should they only wipe certain components of the device if the management platform allows for this.

How to manage BYOD security risks

When a BYOD device is compromised in any way, data leakage and data theft can take place. Therefore, it is pivotal that IT implements a clear and secure mobile device management policy. This should encompass encrypting BYOD device and corporate data, blacklisting unsanctioned applications, regularly backing up device data and making sure employees receive up-to-date security protocols.

To combat malware, organizations should also invest in cloud-based malware protection tools. Other mitigation tactics should focus on device authentication, including multifactor authentication via fingerprint or iris scans and ensuring passwords are up to snuff.
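The controls listed above (encryption, blocked applications, recent backups, authentication strength), together with the earlier question of whether to wipe all or only part of a lost device, can be expressed as an automated posture check. This is an added example, not from the article or any MDM product; the record fields, thresholds, app identifiers and action names are all assumptions.

```python
from dataclasses import dataclass, field
from datetime import date

# Constructed policy values (assumptions, not taken from the article).
BLOCKED_APPS = {"com.example.fakegame", "com.example.filesync"}
MAX_BACKUP_AGE_DAYS = 7
MIN_PASSCODE_LENGTH = 6

@dataclass
class Device:
    owner: str
    encrypted: bool
    passcode_length: int
    mfa_enrolled: bool
    last_backup: date
    installed_apps: set = field(default_factory=set)
    reported_lost: bool = False
    has_work_container: bool = False  # corporate data kept separate from personal data

def violations(dev, today):
    """Return the policy controls this device currently fails."""
    found = []
    if not dev.encrypted:
        found.append("storage not encrypted")
    if dev.passcode_length < MIN_PASSCODE_LENGTH:
        found.append("passcode too short")
    if not dev.mfa_enrolled:
        found.append("MFA not enrolled")
    if (today - dev.last_backup).days > MAX_BACKUP_AGE_DAYS:
        found.append("backup older than %d days" % MAX_BACKUP_AGE_DAYS)
    for app in sorted(dev.installed_apps & BLOCKED_APPS):
        found.append("blocked app installed: " + app)
    return found

def action(dev, today):
    """Map device state to a response; a lost device takes priority."""
    if dev.reported_lost:
        # A selective wipe is only possible when work data is containerised.
        return "selective_wipe" if dev.has_work_container else "lock_and_escalate"
    return "quarantine" if violations(dev, today) else "allow"

# Constructed sample inventory for illustration.
TODAY = date(2024, 1, 15)
INVENTORY = [
    Device("alice", True, 8, True, date(2024, 1, 12), {"com.example.mail"}),
    Device("bob", False, 4, True, date(2023, 12, 1), {"com.example.fakegame"}),
    Device("carol", True, 8, True, date(2024, 1, 14), reported_lost=True, has_work_container=True),
]
```

Running `action` over each inventory record gives IT a per-device decision and, through `violations`, the specific reasons to send back to the device owner.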

To eliminate data leakage between corporate apps, IT security staff should secure encrypted communications between corporate servers and the BYOD units by issuing employees a company-approved mobile app for their personally-owned iPhones, Androids and tablets.

This will be expensive and time-consuming and quite possibly limit employees who want to use their BYOD gadgets. It is, however, the only way that an organization can protect itself from financial damage and maintain good standing in its industry.
