There is an easy answer to this question when looked at from two different viewpoints. The use of employee personal devices in a work environment for work purposes poses security concerns for both the employee and the employer. As an employee, the biggest risk with BYOD is allowing your employer access to your personal devices, personal communications, and information. We all want our privacy, right? However, for an employer, the biggest risk with BYOD is not having the ability to control the devices, monitor activity, and ensure the protection and proper use of business information. Quite the dichotomy, isn’t it?
Many employees use their personal devices for work purposes without BYOD policies in place. While the regular availability of work activities may lead to more working hours, should the devices be lost, damaged, or infected by malware or viruses, the company’s data is at risk. This led to the onset of BYOD policies, so companies can have more control over the hardware used and establish regulations for the use of personal devices for business purposes.
Mobile Malware: Take a look at your smartphone. It’s come a long way since the Motorola DynaTAC 8000X. It is sleek and appealing, and full of sophisticated technology. Basically, it’s a handheld computer. That’s right. A computer. Most consumers don’t think of their mobile devices as full-blown computers, yet they use them for computing activities, such as banking, Internet use, and more, without regard to the dangers of doing so. Mobile malware is malicious software designed to harm your device by remotely controlling it, stealing sensitive information, and/or disabling the phone entirely. Mobile malware infects mobile devices in the same manner as PC malware. Mobility not only puts your identity, banking information, and other personal information at risk, but work-related files stored on the device and work emails are also at risk in a malware attack. Emails can be transferred to interested third parties without you even knowing, turning your phone into the ultimate tool for corporate espionage.
Public Wi-Fi: With unlimited data no longer being the industry standard, and the cost of data increasing while the monthly caps decrease, saving data is on the mind of most mobile users. The easiest way to do so is by using Wi-Fi for the Internet, downloads, uploads, and other data-related activities instead of burning through data. Because of that, many users opt for the “Use Wi-Fi when available” option. However, using public Wi-Fi access to bank, send emails, and download/work on business documents is like opening a portal for malware, viruses, hackers, and the curious to access your device. Professional account credentials can be intercepted when sent over unsecured networks, and attackers can watch your online activity while you access your private information.
App Downloads: Everybody loves apps. From productivity to games and fitness to travel, there is an app for everything. But who created these apps and where did they come from? It is best to download apps from reputable sites or official app stores, and ensure the developer is verified. Fake or alternative versions of popular games and apps can be infected with malicious code or become botnet enabled to allow the attacker remote control of the infected device. It is also necessary to read the permissions requested upon install and know what will be accessed, for what reason, and whether it makes sense for the application. For example, a photo editor app will need access to the camera and gallery, but be cautious if it is requesting access to outgoing messages, contacts, or other unrelated services and applications. Suspicious activity following an app download, such as new apps being installed without your knowledge or the battery running low very quickly, is a sign a device could be infected.
Corporate Data Loss: Probably the biggest concern with BYOD for many companies is the risk of losing their business-critical data. With access to corporate email, networks, and databases, your personal mobile devices now possess one of the most valuable assets your company has – information. Two typical scenarios can lead to the exposure of data stored in mobile devices: device loss or theft, and unsecured communications via mobile devices. According to Ponemon Institute’s Global Study on Mobility Risks report, 51 percent of companies allowing BYOD experienced a mobile data breach. 38 percent reported stolen or lost data, 31 percent had confidential data stolen, and 7 percent had information destroyed. Attackers can use compromised or stolen mobile devices to access all kinds of sensitive corporate data stored in them or in the networks or databases they have access to.
Things to Look Out For:
- Phishing: A fake website made to look like the real one where login and account information can be collected
- Trojan Horses: Malicious programs that look safe and legitimate to the user
- Middle-Man Attackers: Attacker becomes a middle-man in the communication stream, logging information sent between user and server, typical with Wi-Fi connections
- App Copies: Popular apps are copied and infected with malicious code and are provided in official app stores
- Worms & Spyware: A worm is a malicious program that replicates itself and spreads throughout a network, causing the device to slow down or crash, while spyware collects information without the user’s knowledge and sends it to the attacker
- Direct Attacks: May be the most known and easily recognized. Viruses can come from files sent in emails or text messages and can even send Bluetooth connection requests to spread the virus further.
There are many other things a business should be aware of when deploying a BYOD environment. To start with, you have the common security concerns associated with an electronic device: spyware, malware, viruses, and so on. Yet common security concerns are not the only issues affecting personally owned devices. Exposing sensitive corporate data is a growing fear for any organization embracing BYOD. That is why today’s businesses need to go beyond traditional security policies and practices and look at technologies that help control access, protect against malware, and prevent data loss. To be even more secure, business data should be protected before being moved to a mobile device, so that the security risks and threats described above will be minimized. Utilizing software that applies protection to the data itself, such as Microsoft Azure RMS, can help you protect your sensitive information as it moves from on-premises to mobile and even cloud environments.