Once upon a time, all of the devices that were used to access corporate systems were owned and managed by the company’s own IT department. Then, the mobile revolution happened. People wanted to use their personal devices for work, so that they didn’t have to carry and keep up with two or more devices. Companies wanted this, too, because it cut a big chunk out of their monthly operational bills. BYOD was born. As many as three-quarters of all businesses are either operating under some type of BYOD situation, or are planning to in the foreseeable future.
Unfortunately, all that glitters is not gold. While there are definite advantages to allowing employees to use their own devices for work, there are some serious business network security concerns, as well. Here are the most common maladies caused by BYOD (and how you can mitigate those risks).
There are two ways BYOD devices can bite you: when they let the wrong fellows in and when they let the wrong data out. These devices can leak info in numerous ways, including via a device that’s lost or stolen, and via careless users who use insecure methods to store and transfer your data, plus the hacker who gets in through an app vulnerability or by an open Wi-Fi hotspot.
Say a device containing sensitive corporate data is lost. Nobody knows where it is, and your BYOD policyclearly states that your IT department can wipe the device remotely in this instance. Well, your employee’s only photos of their newborn niece in Arkansas are on that phone. Think they’re going to tell you it’s lost? No, they’re going to keep looking and hiding the loss, while your data is out there unprotected by your business network security protocols. You also need to consider what happens when employees use their devices for both work and for illegal and/or unethical activities.
The data stored on the device is rarely the target of the savvier hackers. These guys are after the keys to the kingdom — the login credentials and passwords programmed into the phone. Some employees simply set their apps to remember their passwords. Others serve up a virtual feast for potential hackers, creating an entire document of all their user names, passwords, and login credentials, usually saved conveniently as something ultra easy to find, such as a document named ‘Passwords’.
Which brings up another realm of dangerous business network security possibilities: mobile devices simply make it easier and more likely that users engage in shadow IT. Shadow IT is the use of unapproved or blacklisted applications for business purposes. It’s not just easy to use an insecure consumer-grade public cloud with their mobile devices; it’s almost certain that they will (Evernote, anyone?).
In many cases, the communications engaged in on mobile devices — such as text messages, chat sessions, and emails — could be needed for audits or for litigation. But these communications may not be available when summoned, especially if the employee has some reason that they don’t want the information to be made available. This could make it impossible for you to comply with an audit or to answer a subpoena in the event of litigation.
Ready to get serious about business network security in your BYOD environment? Request a quote for our security solutions today.