Businesses Face Security Pressures from BYOD Trend
Written by Rajiv Shah, Communications Data and Security Solutions Director
Businesses face increasing security pressures as the Bring Your Own Device (BYOD) trend takes hold across the globe. It is estimated that by the end of 2013 there will be more mobile-connected devices than there are people on earth. The boundaries between personal and work devices are blurring as companies look for ways to offer more flexibility to employees. Allowing staff to use their own personal devices can bring major benefits to a business, but also brings risks that need to be understood and managed. These personal mobile devices aren’t always as well secured as traditional company-owned laptops and desktops, so companies need to make sure they have the right risk management strategy in place.
Smartphones and tablets are proliferating, are often not as well protected as traditional desktop systems, and can be a lucrative target for cyber attackers. Furthermore, the limitations of appropriate device-based security software and the sheer range of devices that many consumers have make it difficult for even the tech-savvy to keep them all safe. Perhaps it’s not surprising that many employees are apathetic or unaware of the risks. Recent research by Detica in the UK, conducted by YouGov, showed that a third of employees either didn’t know whether they had any security software installed on their mobile device, or hadn’t updated it for over a year.
A number of industry surveys have pointed to a dramatic increase in malware targeting mobile devices, suggesting up to a ten-fold increase in the last 18 months. Detica’s Australian-based threat intelligence research confirms not only this dramatic increase in volume, but also an increase in sophistication. The majority of attacks may still be concentrated on small-impact premium-rate SMS and similar scams, but we have also seen examples such as the compromise of credit card details and the interception of the confirmation SMS messages used by many banks to limit fraud. As mobile devices are increasingly used to access corporate data and networks, it is not surprising that hackers are starting to use them as a new and effective attack vector to steal valuable intellectual property and damage business.
Businesses Need to Protect Their Data
Recent research by Detica also showed that in a typical week almost three-quarters (73 percent) of office workers use one or more personal devices, such as smartphones, to do their work; nearly half (45 percent) use two or more. Although these figures come from research in the UK, the environment in Australia is very similar - BYOD is an equally big trend, with companies looking at ways to offer more flexibility to employees. The survey confirmed that this is not leading to increased security vigilance from staff, thereby increasing the strain on businesses’ security operations and their ability to protect their data.
This doesn’t mean that companies should shun BYOD - such policies improve flexible working and can greatly benefit both business and employees. However, if companies fail to adopt security best practice, they risk incurring increasing disclosure and financial penalties, not to mention the likelihood of falling victim to cyber-attacks. Businesses must educate themselves and their employees about the security risks and what they should both be doing to minimise them. Properly thought-through security can bring great benefits to employees without unnecessarily impacting on the enjoyment of their personal devices.
Protecting Your Business from Cyber-Attacks
BAE Systems Detica suggests the following best practices for businesses:
Make sure the organisation goes into BYOD with open eyes. There are many benefits to bringing BYOD into the organisation, but companies need to be prepared for the risks. A properly thought-through assessment should inform decisions on what data can and cannot be accessed on mobile devices, and what devices can be used. Once decided, make sure you publish these BYOD policies to the IT team and individual users. Explain what they can use their personal devices for and what responsibilities users and the company have with regard to security.
BYOD security should be considered as an end-to-end problem, looking at all stages in the connection to the corporate network, and putting in place a number of layers to provide maximum protection. Device-based controls such as basic configuration rules and Mobile Device Management platforms can have a role to play, but also think about how the device connects via some sort of public network (e.g. 3G, 4G or Wi-Fi). Network and/or cloud-based security systems can block known malware, viruses, botnet command and control channels and similar threats before they reach the device, overcoming the limitations of trying to deploy such software on the device. A Virtual Private Network (VPN) service can also safeguard against attackers who set up malicious “free wi-fi”-type services. Companies should also think about deploying the appropriate mobile gateway platform for access into their corporate systems – a standard firewall or gateway may not be appropriate.
Preparation and protection can reduce the risk of attacks, but will never be perfect. Companies need to remain vigilant at all times, monitoring their corporate networks so that they can detect when attackers do breach their defences and respond.
Be prepared - have a plan in place to respond to any cyber-attack. Keep track of how an attack may have happened: how did the hackers get in, and how do you improve the system so it doesn’t happen again?