There's no doubt that the BYOD trend is gaining momentum, with more and more companies permitting employees to bring personally owned devices—in particular notebooks, smartphones, tablets—into the workplace.
But while there are numerous benefits to BYOD—for example, it's cheaper for the company, and employees take much better care of their own gear than the do of company equipment—there are also risks. It's no wonder that in security circles, BYOD is referred to as "Bring Your Own Danger" or "Bring Your Own Disaster."
Let's take a look at six risks that face companies who adopt BYOD.
- Software bugs.
Today's revelation that the iPhone's lockscreen can be bypassed by using a few simple keypresses, giving the snooper access to a number of the handset's features, should send shivers down the spines of IT admins.
No doubt this bug is a bad thing, but this isn't the first such bug, and it won't be the last.
Software bugs will be a problem facing every company considering BYOD. Because of the broad range of devices that employees might bring within the company's digital fort, this increases geometrically the amount of buggy—and possibly vulnerable—code that's being bought inside the company.
Solution: Use Mobile device management (MDM) solutions to keep track of operating system versions and enforce upgrading when patches are released. If a serious vulnerability is uncovered in a device, then it might be wise to quarantine the hardware until a patch is made available.
Additionally, the tech people at any firm that encourages BYOD needs to be on the ball when it comes to developments across the entire mobile devices industry.
- Lost devices.
As soon as a device is lost, it should be considered a risk up until the moment it is either recovered or remotely wiped. The longer you hang around in the hope that a MIA device is recovered, the greater the chances that it has fallen into the wrong hands, and that someone is cherry-picking information off the device.
Solution: MDM solutions are your friend. Wipe, and get on with life. Then you're down only the device, not the device and all the data that's on it.
- Buggy apps.
Vulnerabilities contained in the device's operating system are one thing, but app vulnerabilities are another. Apps can deliberately or accidentally leak data, and keeping track of what's installed in a device can be quite overwhelming. Even legitimate apps can be siphoning data off devices.
Solution: There are endpoint security solutions (ESS) and MDM solutions that can keep an eye on apps—such as Marble Security Service—and help IT staff manage what users have installed on BYOD hardware. Also, be sure to leverage the security features built into the operating system, such as those found in iOS.
- Malicious apps.
Even well curated app stores such as Apple's App Store or Google's Play store can still let the odd dodgy app slip in occasionally. Fortunately, these apps are usually removed promptly.
Move away from the legitimate stores into more shadier corners of the Web, and there's no telling what people are installing on their BYOD hardware. As for pirated apps, well, these are a cesspool of malware.
Solution: Same as for buggy apps, with some antivirus scanning thrown in. Also, try t get employees to use common sense when installing apps.
Both of these procedures undo security features placed on the device by the manufacturer. While there's nothing wrong with jailbreaking or rooting per se, it's definitely not compatible with BYOD because it opens up the device to increased risk of attack.
Bear in mind that a compromised device could be a data fire hose, pumping out keystrokes, GPS location, and network traffic. A compromised device is scary beyond belief.
Solution: MDM solutions can be used to keep an eye on devices, but it is becoming increasingly difficult to identify rooted Android devices, and there's no shortage of rooted Android devices out there.
- Untrustworthy employees.
While BYOD or no BYOD won't put off an employee who is determined to try to steal data from a company, BYOD does make it a little easier because it's a device that they own and that's primarily under their control.
Solution: Endpoint security software can help prevent data leakage, but it can't control data that employees have legitimate access to. Tight controls, access control, logging, and encryption are a must.