6 threats facing BYOD

Summary: While there are numerous benefits to BYOD, there are also risks. It's no wonder that in security circles BYOD is referred to as "Bring Your Own Danger," or "Bring Your Own Disaster."

There's no doubt that the BYOD trend is gaining momentum, with more and more companies permitting employees to bring personally owned devices—in particular notebooks, smartphones, tablets—into the workplace.

But while there are numerous benefits to BYOD—for example, it's cheaper for the company, and employees take much better care of their own gear than they do of company equipment—there are also risks. It's no wonder that in security circles, BYOD is referred to as "Bring Your Own Danger" or "Bring Your Own Disaster."

Let's take a look at six risks that face companies who adopt BYOD.

  1. Software bugs.
    Today's revelation that the iPhone's lockscreen can be bypassed by using a few simple keypresses, giving the snooper access to a number of the handset's features, should send shivers down the spines of IT admins.
    No doubt this bug is a bad thing, but this isn't the first such bug, and it won't be the last.
    Software bugs will be a problem facing every company considering BYOD. Because of the broad range of devices that employees might bring within the company's digital fort, the amount of buggy—and possibly vulnerable—code that's being brought inside the company increases geometrically.
    Solution: Use Mobile device management (MDM) solutions to keep track of operating system versions and enforce upgrading when patches are released. If a serious vulnerability is uncovered in a device, then it might be wise to quarantine the hardware until a patch is made available.
    Additionally, the tech people at any firm that encourages BYOD need to be on the ball when it comes to developments across the entire mobile devices industry.
  2. Lost devices.
    As soon as a device is lost, it should be considered a risk up until the moment it is either recovered or remotely wiped. The longer you hang around in the hope that an MIA device is recovered, the greater the chances that it has fallen into the wrong hands, and that someone is cherry-picking information off the device.
    Solution: MDM solutions are your friend. Wipe, and get on with life. Then you're down only the device, not the device and all the data that's on it.
  3. Buggy apps.
    Vulnerabilities contained in the device's operating system are one thing, but app vulnerabilities are another. Apps can deliberately or accidentally leak data, and keeping track of what's installed in a device can be quite overwhelming. Even legitimate apps can be siphoning data off devices.
    Solution: There are endpoint security solutions (ESS) and MDM solutions that can keep an eye on apps—such as Marble Security Service—and help IT staff manage what users have installed on BYOD hardware. Also, be sure to leverage the security features built into the operating system, such as those found in iOS.
  4. Malicious apps.
    Even well-curated app stores such as Apple's App Store or Google's Play store can still let the odd dodgy app slip in occasionally. Fortunately, these apps are usually removed promptly.
    Move away from the legitimate stores into shadier corners of the Web, and there's no telling what people are installing on their BYOD hardware. As for pirated apps, well, these are a cesspool of malware.
    Solution: Same as for buggy apps, with some antivirus scanning thrown in. Also, try to get employees to use common sense when installing apps.
  5. Rooting/Jailbreaking.
    Both of these procedures undo security features placed on the device by the manufacturer. While there's nothing wrong with jailbreaking or rooting per se, it's definitely not compatible with BYOD because it opens up the device to increased risk of attack.
    Bear in mind that a compromised device could be a data fire hose, pumping out keystrokes, GPS location, and network traffic. A compromised device is scary beyond belief.
    Solution: MDM solutions can be used to keep an eye on devices, but it is becoming increasingly difficult to identify rooted Android devices, and there's no shortage of rooted Android devices out there.
  6. Untrustworthy employees.
    While BYOD or no BYOD won't put off an employee who is determined to try to steal data from a company, BYOD does make it a little easier because it's a device that they own and that's primarily under their control.
    Solution: Endpoint security software can help prevent data leakage, but it can't control data that employees have legitimate access to. Tight controls, access control, logging, and encryption are a must.
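
The device-level solutions in items 1, 2 and 5 (track OS versions and quarantine unpatched hardware, wipe lost devices, keep rooted or jailbroken devices out) come down to one compliance decision per device. The sketch below is an added example, not part of the original article and not any MDM product's API; the `Device` fields, the minimum versions, the action names and the inventory are all constructed assumptions. Because item 5 notes that rooted devices are hard to identify, an undetermined root status is quarantined rather than allowed.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple
# Constructed policy: minimum patched OS version per platform (placeholder values).
MIN_OS = {"ios": (2, 0, 1), "android": (3, 1, 0)}

@dataclass
class Device:  # hypothetical inventory record, not a real MDM schema
    owner: str
    platform: str
    os_version: str
    reported_lost: bool = False
    rooted: Optional[bool] = None  # None: the agent could not determine root status

def parse_version(text: str) -> Optional[Tuple[int, ...]]:
    """Return a comparable tuple, or None when the string is not dotted integers."""
    parts = text.strip().split(".")
    if not all(p.isascii() and p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)

def evaluate(dev: Device) -> Tuple[str, List[str]]:
    """Return (action, reasons). Unknown or unreadable state fails closed."""
    if dev.reported_lost:
        return "wipe", ["reported lost"]
    if dev.rooted is True:
        return "block", ["rooted or jailbroken"]
    reasons = [] if dev.rooted is not None else ["root status unknown"]
    minimum = MIN_OS.get(dev.platform.lower())
    version = parse_version(dev.os_version)
    if minimum is None:
        reasons.append("platform not covered by policy")
    elif version is None:
        reasons.append("unreadable OS version")
    elif version < minimum:
        reasons.append("OS below patched minimum")
    return ("quarantine" if reasons else "allow"), reasons

INVENTORY = [  # constructed sample data
    Device("alice", "iOS", "2.0.1", rooted=False),
    Device("bob", "Android", "3.0.9", rooted=False),
    Device("carol", "Android", "3.1.0"),
    Device("dave", "iOS", "2.1", reported_lost=True, rooted=False),
    Device("erin", "iOS", "2.1-beta", rooted=False),
    Device("frank", "Android", "3.2", rooted=True),
]

if __name__ == "__main__":
    for d in INVENTORY:
        print(d.owner, *evaluate(d))
```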

Topics: Bring Your Own Device, Security

Talkback

16 comments
  • The number 1 threat!

    It is predominantly a cellphone initiative and thinking it is anything else has no basis in reality!

    I for one would not use my own device because it is lowering my wages by forcing or allowing me to pay for my own data plan.
    slickjim
  • this field is required

    1: BYOD, how are you going to get people not to update to the latest versions of software when it's available? It's not your device, it's theirs; there's really not much they can do here, especially since this and other holes in OS can go months without the mainstream media finding out about it or until the people who found it find a better, more robust way to do it.

    5: Again, what right do you have to ask me to not use my device the way I want? Want me not to jailbreak/root? Buy me a work phone (defeats the whole purpose of BYOD).
    icyrock
  • This is a free market

    There are no threats. Only opportunities.

    At least for market manipulation.

    Which is why I'm going to spend $99/yr for one Office 2013 lease as opposed to buying a $300 license, since it all costs the same after 3 years... assuming MS keeps putting out new versions; leasing reduces their need to actually innovate - it's easier to sit back and rake it in.
    HypnoToad72
    • Remember MS Assurance Program/License????

      Companies paid a lot of extra money, for the promise of getting free upgrades .... that were NEVER delivered.
      wackoae
  • Risks far outweigh benefits

    BYOD has no business in an office setting! This is a work/productivity environment where data security is paramount. Bringing in personal toys is inappropriate.
    TsarNikky
    • Blackberry has BYOD done right

      Check Balance feature
      deaf_e_kate
  • So First You Say:

    "Today's revelation that the iPhone's lockscreen can be bypassed by using a few simple keypresses, giving the snooper access to a number of the handset's features, should send shivers down the spines of IT admins."

    Then You Say: " Also, be sure to leverage the security features built into the operating system, such as those found in iOS."

    Isn't the 'lockscreen' a function of the OS?
    Mujibahr
    • Only on STOLEN phones

      Yup there is a bug that means stolen phones can get passcode-bypassed. The bug will no doubt be promptly patched. And iPhones can easily be remotely wiped if stolen anyway.
      Allen_Wentz
  • I'm still trying to find the supposed benefits of BYOD.

    I'm still trying to find the supposed benefits of BYOD.

    And the people who aren't bloggers who actually want such a policy.

    Frankly, if I am gonna be working for a company that has a BYOD policy, I'm gonna buy a separate device for work. There's no way I'm using my own personal device for business, especially if the business wants to be able to remote wipe it or install their own "we control your device" apps on it.
    CobraA1
  • APPLE BYOD

    Stands for Bring Your Own Debacle
    Master Wayne
  • What are the numerous benefits for BYOD?

    I can understand wanting to check email or use RDP on a personal device but why on earth would I want to mix personal and business on my device? I've always kept them separate.

    All six of your points are addressed by the company providing the tools to do the job and the device is maintained by the company. I'm not an administrator of the machine/device, I can't install software and if I'm no longer trusted my account/device is disabled. The company is protected and I don't have to worry about the company wiping my personal data or telling me what I can/cannot do on my own device.

    BYOD in my opinion is a way for people to justify playing games and wasting company time for personal use.
    relwolf
  • BYOD & Security

    I can't see the difference between any of the security issues you are mentioning on BYOD and giving your employees laptops. You will have the same security issues then, and if you haven't locked down your USB ports, even bigger security issues. If any company only starts to look at their mobile security policies because of employees wanting to use their own device, then they are already vulnerable and probably leaking data.

    To make BYOD secure is simple: install a virtual machine on the device; there are already options available to do this. You have a complete separation between personal and company data, and the virtual machine can be wiped remotely.

    There are many advantages to the BYOD movement, from cost savings to the company to more productive employees. BUT, you will have to redesign your entire environment to actually have any of these benefits. To just focus on security is short-sighted.
    nicopretorius
  • One sided perspective

    There are some things on the employee side that will lessen the appeal of BYOD.

    We've had a BYOD program for almost two years and these are the three big reasons employees do not participate:

    1. Privacy concerns. Once employees read the BYOD policy and controls that will be enforced on their device it quickly loses appeal. To make a device fully corporate compliant you are going to compromise some of your personal usage as corporate WILL have insight into your device you might not like them having. To many this is not going to fly and they will use a corporate provided device and keep their personal device separated from work. (my recommendation to anyone who asks me)

    2. Cost shift. Unless your company is going to subsidize some of the data plan cost, the employee is going to foot the bill for this "privilege". Considering subsidies have tax implications most companies will shift all costs for mobile onto the employee. This really hurts if you decide to use your mobile devices when traveling. Data roaming costs are still quite high. If you're required to do work on vacation ask for a loaner device or corporate MiFi to cover data costs. If denied, state you're on vacation and not reachable.

    3. Support. Another cost related item but one some employees find lacking. If it's your own device don't expect help when it breaks. Employees now have to deal with OS updates, backups, troubleshooting, device life cycle etc. Most companies will only support the corporate Applications used on the device. This impacts the non technical employees. Sure you could have crowd sourcing and user forums but the hands on IT help of the past isn't going to be there if your device acts up at 4pm right before an important business trip. Another reason employees stick with the corporate provided (and supported) device.

    Frankly after being in this space for the past 10 years or so, BYOD is fully created and hyped by vendors that all have solutions to help manage BYOD. The majority of employees who liked using their own device were doing so when there were not robust controls and management of other mobile devices. Now that you can get a good handle of these devices they are forced with accepting these controls and restrictions or going back to the two device model (corporate and personal).
    MobileAdmin
  • What no MAM ?

    Mobile Device Management only manages the device itself and is limited by the OEM as to what they can access, Mobile Application Management is a far stronger strategy if you're looking to take the organization into a BYOD territory. Why is everyone so fixated on it ?

    http://bpmredux.wordpress.com/2013/02/14/how-mobile-app-management-can-help-avoid-a-byod-headache/
    TheoPriestley
  • Sandbox

    Most of these "problems/threats", if not all of them can be solved by using a sandbox solution which is what any company that is considering a BYOD policy should be using anyway.
    el_felipe_1982
  • New Technology for Mixed Use Devices

    This is an excellent article highlighting the very real problems associated with BYOD and mixed use mobile devices. The increasing battle between the employee and the enterprise, which is necessary, but complicated and expensive, can be effectively solved with the new WorkPlay Tablet, www.workplaytablet.com. It's different than RIM or Samsung's approach, which is really their MDM on their device. This is a specialty mobile device designed to support any security software solutions (MDM, authentication, VPN, etc.) for enterprise protection, but also allows a fully open personal experience for the user with no compromise required on either side. The "balancing act" referenced in the article can finally be achieved, providing privacy and security for both the enterprise and the employee. One device, no sacrifices. With further development the technology will be applied to smartphones as well.
    quinnbrent