What is optional today -- bringing non-company IT devices, including laptops, tablets, and smartphones, into the workplace -- may soon become the norm. According to Gartner, in 2017 half of employers will require employees to supply their own devices (BYOD) for work purposes. As Gartner explains, BYOD drives innovation for CIOs and the business as it gives staff the freedom to access the company’s networks and systems—to connect to corporate resources, execute enterprise applications and access data and documents as needed—from anywhere, at any time.
While BYOD is a rapidly growing trend, thanks to benefits such as workforce productivity, efficiency and an overall reduction in technology costs, it has been left to IT managers to ensure policies are in place regarding acceptable use of personal devices. IT managers are taking a proactive stance in addressing the BYOD security concerns that come along with non-corporate devices. In other words, the IT department is enforcing security and device policies to secure the device and the data, as they are concerned that such devices might pose a threat to the company IT infrastructure.
In brief, the foundations of an enterprise BYOD strategy have touched on matters of usage, threat literacy, security and mobile device management (MDM) to avoid the risk of sensitive data falling into the wrong hands.
The shift to bring-your-own-device (BYOD) is already underway and companies need to be preparing now. Yet, in spite of this growing demand, many employers fail to create or communicate policies regarding BYOD and the security risks related to using unsecured personal mobile devices. Consequently, when BYOD is not properly implemented and employees are not fully educated on best security practices for BYOD, a business can be susceptible to attack by a malicious hacker who can exploit less secure employee-owned hardware to attack the company network.
According to Andrew Deacon, a security specialist at British IT security company Sophos, it has never been easier to hack into an organization’s network, steal its secrets, or create havoc with its data systems, as told in a post published this week in The Wall Street Journal. Deacon says that, although the mobility trend of connected workers is reshaping business, BYODs have become a prime target for criminal hackers to exploit insecure, widely used personal computers and handsets that employees own and use for work. Unfortunately, hackers, “even without serious technical skills,” are finding ways to gain unauthorized access to them and are able to capture personal and work information users store on the device.
The following are “Five Ways Hackers Exploit our Bad BYOD Habits,” as the WSJ post mentions:
Public Wi-Fi Hotspots: Many of us use public Wi-Fi hotspots at one time or another. Public Wi-Fi access is everywhere and most of these networks are open and not secure; users of these wireless access points could put their privacy or data at risk should savvy hackers have the tools, skills, and patience to work around the limited protection of hotspots. Should malicious hackers intercept a personal mobile device, they could compromise sensitive information, eavesdrop on emails and chats, capture log-ins and, worse, steal the victim’s identity, as Symantec Corporation explains in a post that discusses the dangers of Wi-Fi hotspots.
Man in the Middle Attacks: Both spoofing and phishing, in particular, may be used to leverage man-in-the-middle attacks; they are a common method for intruders (tech-savvy con artists and identity thieves) to test vulnerability. If victims were to confide details about themselves, then, a knowledgeable hacker could use them to gain unauthorized access to a BYOD, if left unprotected.
Unique Identifier and Passwords: Sensitive information such as passwords is often used to identify a BYOD user; therefore, it is important to safeguard it. Many people, unfortunately, use the same single password for everything. Not a good idea; as the WSJ post explains, if an unauthorized person were to compromise the password, they could use it at will to access “their victim’s other accounts, any of which may have corporate data worth mining.” Security experts recommend that BYOD users never use the same username and password on multiple websites, devices and networks.
Malicious Trojan Horse Programs on Unsecured BYODs: Mobile malware is very much a growing issue. The threats that confront BYOD users are constantly evolving and increasing in their complexity. Lookout's analysis of the mobile threat landscape suggests that even the use of antivirus software and a firewall, to decrease the risk of sensitive data falling into the wrong hands, cannot always curb risky online behavior. Analysts see malware as a significant danger to BYOD devices. The vast majority of viruses are spread through a malicious email attachment. Norton, the anti-virus company, defines this sort of attachment as "malware," saying it is a common way for a sender to transmit info to another user (to attempt to steal information from a victim) via email. When the attachment is opened, a hacker can install a virus or Trojan on the user's BYOD. Therefore, it is best not to click on any attachments from unknown senders to avoid being “used to pilfer data like passwords and internal communications,” as the WSJ post noted.
Using Cloud with BYOD: Some IT departments have opted to integrate their cloud computing efforts with their bring-your-own-device initiatives, to help the business obtain the maximum value from both. Yet that trend has also been worrying IT security experts, as employees tend to upload confidential business data from their BYODs. It is important to find a way to secure corporate data among apps in the cloud, or to carry out file sharing through services with strong security controls. Although cloud services like Dropbox and iCloud, for instance, may offer security, encryption and authentication for uploaded sensitive data, there is still the vulnerability that hackers can exploit through backdoor computing.
Edited by Rory J. Thompson