Three types of BYOD risk and what to do about them

BYOD is here, it has been for nigh on a decade, and it’s here to stay. So what is your IT organisation doing about it?

Security is a hot-ticket item for CIOs and CISOs right now, with mobile devices definitely in the mix, whether related to official corporate devices or the use of employee personal devices in the workplace.

It’s a multi-tiered security issue, with overlap between both sets of devices, where the use of employee personal devices for work purposes, commonly called “bring your own device” (BYOD), brings its own set of security challenges.

However, some corporate IT organisations still want to avoid the issues of BYOD. They might think that they can just ignore or potentially even “ban” BYOD.

But, with the exception of some extremely controlled work environments, such as financial trading floors, it’s hard if not impossible to stop employees using their personal devices for work purposes – either at work or elsewhere.

With BYOD, a number of basic mobile security risks need to be addressed.

Device-based risks

Minimal access security: this could be not using a suitable password (or PIN), through to not using superior, access-based security options, such as two-factor authentication.

Unsecured ports: without firewalls, BYOD devices can be vulnerable to unwanted intrusion and the loss of sensitive corporate data.

Software-based security risks

No security software. Security software neither pre-installed nor later added, by the corporate IT organisation or end users, to protect the device, and its content, against threats.

> See also: How to remove the dangers of BYOD with private cloud

Software-based vulnerabilities. This is usually from out-of-date operating systems or mobile apps, particularly where the BYOD device suffers patching and update delays, through split hardware and operating systems ownership, e.g. a Samsung handset on Android.

Thankfully, this global security issue is now being addressed by the major handset manufacturers in light of recent mobile security exploits, such as Android ‘Stagefright’.

Then finally…

User and data-based risks

This is usually negligent or uninformed acts ranging from losing the phone, through end users ‘modifying’ their mobile devices through acts such as ‘rooting,’ to the use of unsecured public Wi-Fi networks.

Then finally, there is unencrypted data, both on the device and for the transmission of sensitive data between the device and corporate applications.

The security risks, of course, spread beyond the BYOD device once it’s connected to corporate networks and the corporate IT infrastructure.

Corporate IT organisations need BYOD strategies, policies, and standards

In order to help address these security risks, corporate IT organisations need to create and implement the following, for the effective management of BYOD and its risks, such as a business-defined BYOD strategy or strategies, a high-level BYOD policy, an acceptable use policy (AUP) and end-user agreement (EUA), data classification and handling standards, basic user roles/classification, and a supported-application list and a resource matrix.

It sounds complicated, but organisations don’t need to reinvent the wheel here. Instead, they should use Google, or another search engine, to find existing and shared examples of the above, which can then be tailored to suit their own needs.

Two good examples are the White House’s BYOD guidance for government, or SANS’s AUP.

Beyond the usual BYOD security approaches

The actions necessary to address the security risks listed above might include security risk assessments, use and user policies, device-based policies, the use of mobile device management (MDM) tools, and continual end-user education.

There are, however, a number of additional things an IT organisation can consider to mitigate BYOD security risks. These include, but are not limited to, doing one or more of the following:

Option 1: Make BYOD network access the exception rather than the rule. This is a ‘limitation program’ – only allowing specific end-user roles to use their BYOD devices on the corporate network. It doesn’t make BYOD safe but it can reduce the scope and attack surface created by BYOD.

> See also: Six tips for building a 2015-proof BYOD policy

Option 2: Use mobile management approaches beyond traditional MDM. This is a management approach that separates out the device, applications, and data. For BYOD devices, including laptops, the end user can self-install a virtual desktop to represent a ‘rusted end-point’ on their ‘untrusted device.’

There are many mature solutions on the market, including for smart phones, and IT organisations can use them to support the ‘trusted end-point’ while leaving the end user to manage the rest of the device.

Option 3: Operate zero-trust networks. This is where the corporate IT organisation adopts the policy of not trusting any device or any ‘open’ corporate network, such as those connecting to the Internet.

Additionally, access to sensitive systems and data, such as HR applications, can be restricted to trusted (i.e. not staff-owned) devices via secure identification mechanisms and network controls.

So what has your IT organisation done to mitigate BYOD security risks? 

Sourced from Sarah Lahav, CEO, SysAid Technologies

Avatar photo

Ben Rossi

Ben was Vitesse Media's editorial director, leading content creation and editorial strategy across all Vitesse products, including its market-leading B2B and consumer magazines, websites, research and...

Related Topics