Five security risks of moving data in BYOD era

Unregulated network access, lack of data management and disgruntled employees are some top risks companies face in terms of safeguarding data even as employees use their mobile devices for work.
Written by Ellyne Phneah, Contributor

The influx of computing devices, from laptops to smartphones and tablets, into the workplace might bring convenience and increased productivity to individual employees. However, this bring-your-own-device (BYOD) trend also surfaces a range of security risks and challenges in terms of securing corporate networks and data, mobile device management, and having granular security policies.

Ammar Hindi, Asia-Pacific managing director of SourceFire, pointed out that new technologies such as the enterprise cloud, cloud-based apps, social media, and high-powered mobile devices offer more ways to access corporate data.


In turn, moving data across different devices and networks is increasing security risks to the corporate network and opening sensitive corporate data to leaks and attacks. This is because employee-owned mobile devices are beyond the scope of control of internal tech teams, and the risks are compounded by the growth in mobile malware, Hindi added.

This is why organizations today need to go beyond traditional security practices and policies and look at technology to help set policies, control access and prevent data loss at both the application and device levels, advised Jim Watson, vice president and corporate general manager at Good Technology.

ZDNet spoke to other security watchers to find out what the top threats faced by companies in today's BYOD era are, and what they can do to secure the movement of corporate data.

Unknown third-party access via mobile apps
When employees download and install mobile apps for their personal use, they allow unregulated third-party access to other sensitive, corporate information stored on their devices, noted Amit Sinha, CTO at Zscaler.

These apps may be pre-infected with malware, which might be instructed by hackers' command and control servers to steal information from the mobile device without alerting the users, Sinha said. Should employees' handsets connect to open Wi-Fi networks, the corporate data stored on their devices might also be exposed, he added.

Additionally, imposing security apps on employees' mobile devices is a "headache" since the software requires constant updates and is easy to circumvent. "The user can simply uninstall the app if they dislike it. Worst of all, these apps impact device performance and degrade user experience by stretching the already limited processor and memory resources on the mobile device," Sinha said.

One way of addressing the security risks posed by mobile apps is to blacklist at-risk software, or adopt an effective bring-your-own-application (BYOA) strategy, Watson noted.

Blacklisting, while safer, is unrealistic since there are so many apps available and more being developed each day. The BYOA option could be safer since it involves separating corporate and personal data on the mobile devices using mobile application management (MAM), he said. MAM involves the creation, deployment and management of internally- and commercially-available apps used in business settings on personal mobile devices.

Challenges in tracking data
Neil Thacker, information security and strategy officer at Websense, pointed out that the ability to manage and track corporate data has become more difficult with the adoption of both cloud and mobile storage services in the enterprise.

Most organizations cannot track data effectively and often rely on third-party services to do so or hope their employees strictly follow best practice guidelines. This means there is no effective method of measuring the additional risk exposure from the movement of data, Thacker explained.

Thus, companies should consider the use of a content security tool that comes equipped with discovery and monitoring features to protect against data loss, whether on the network or mobile devices, he said.

"They may also want to consider what information is allowed to be accessed and stored on a device, and set automated parameters to ensure data isn't at risk," Thacker added.

Data management, segregation difficult for compliance
The Websense executive also said data location and segregation are key challenges when trying to ensure compliance with cloud and mobility included in the equation.

"Auditors will want to ensure the data they are concerned about is adequately protected and will also want to see validation of this through documented evidence," he explained.

That said, information security teams should have a clear, documented list of policies on data management along with a list of third-parties or devices on which data is stored, Thacker advised.

Stolen, lost mobile devices leak data
Sinha noted that mobile devices get lost more often than PCs due to their smaller form factor, which means users tend to bring them everywhere. Since the majority of mobile and tablet devices are not usually locked with a PIN or password, and those that are locked are secured with just a four-digit PIN, the protection for mobile devices is not robust, he added.

Companies should follow or amend current corporate policies on mobile device security to be on par with PC security, but strike a balance between creating safeguards and user convenience, he stated.

Disgruntled employees a risk
Unhappy workers and those leaving an organization are another source of risks in terms of corporate information being compromised, Thacker pointed out.

The majority of the "leavers" will forget to remind the human resource (HR) team they have a device with corporate information. An employee who is unhappy with the organization and has the means of accessing data, on the other hand, may leak the data to rival organizations, he explained.

Companies must therefore remind their HR teams that all corporate data on a personal device, as well as on public cloud storage services employees created to store work data, is still the property of the company, he said.

To protect confidential data, companies must monitor data-in-use and data-in-motion on employees' personal devices and from cloud services, Thacker added. For example, a company can implement an acceptable use policy (AUP) highlighting the appropriate use of information that employees have already agreed upon and signed, he noted.
