
Security Implications of BYOD

PCQ Bureau

The latest internal information security threat that's giving most IT heads sleepless nights is actually not deliberate or pre-planned by anyone. It has emerged from the use of the latest gadgets that professionals are inseparable from today. Such a gadget can be a smartphone, tablet or any portable consumer device, which they eventually begin to use for work. Since it's nearly impossible to prevent employees from bringing their gadgets to the office, organizations have shifted gears to 'officially' allow them to do so. Since the IT industry is known to come up with buzzwords at the drop of a hat, this phenomenon has been christened BYOD, or "Bring Your Own Device". With BYOD, organizations can offload some of their hardware capex costs to employees. As good as it may sound, things are not all hunky-dory with BYOD. There are information security issues involved.



Why is BYOD a Security Risk?



Traditionally, organizations have PCs and laptops on their networks. Both of these are well within the control of the IT department. What company employees are allowed or not allowed to run on these machines, and what they can access on the network, are all controlled with security policies and software. With the concept of BYOD coming in, the IT department can't take complete control over its employees' machines. Moreover, there's no standardization of the type of machines that employees bring, making it even more difficult to enforce control. As a result, these personal machines are at greater risk of being compromised. Here are a few serious security implications that BYOD can have for an organization:






1. Company data is more vulnerable now: With a single device storing both personal and business data, the challenge is to ensure that the business data is protected. Employees should not be allowed to use their storage devices on the network. Data theft is a major issue and can be carried out under the guise of BYOD. Also, social networking sites can be used to lure unsuspecting employees into using media on the corporate network that can be attacked with malware, allowing hackers to easily breach corporate security. Stolen data can be sold to competitors or used for extortion and blackmail against the company.



2. If not monitored, a consumer device can spell doom: A lenient attitude towards a personal device could lead to data loss if the device is lost or stolen. Besides, employees tend to use personal devices for personal work, which can be a dangerous practice on an organised network. Stringent policies need to be implemented. People tend to change gadgets as soon as something new and fancy is available. Putting security software on such a device allows the IT admin to monitor its use. The software will keep the antivirus updated and prevent files that are against company policy from being installed. Also, everything on the corporate network needs to be scanned to identify malware.



3. Maintenance & support: There are limitations to providing support for different kinds of gadgets. Most apps have not been designed for a consumer device. The policy should not restrict consumer devices entirely; instead, it should determine which apps to provide on personal devices. This can be done by using identity and access management (IAM) technologies that give end users with the right privileges access to corporate apps from mobile devices.




4. Wi-Fi access from several devices can slow down the Internet: Most tablets lack LAN ports and so rely on Wi-Fi. Wireless plays a key role in the whole issue. This can take a toll on Internet bandwidth, as a lot of devices accessing Wi-Fi at the same time can slow the network painfully.




5. Bluetooth use can cause data loss: Any unsecured Bluetooth connection can be attacked by hackers using a highly directional antenna and a laptop running inexpensive software. All they need to do is send an anonymous business card or photo to access the user's contacts, email and text messages. Since Bluetooth is made for peer-to-peer communication, it doesn't have a security structure. Users have to set up their own authentication guards. So, only connections with trusted people should be allowed, by putting up a firewall or password.





6. Use of personal mobile apps can cause Trojan attacks: Concealed in the software code of mobile apps can be Trojans, worms, viruses and other malware that compromise your network security if your personal device is on the network. A Trojan is a type of malware that can be programmed to do nasty things on your PC. It typically arrives via the Internet or USB peripherals and hides behind software applications.



7. Physical security cannot be ignored: Allowing employees to bring their devices to the workplace means sensitive data is carried and shared on those devices. If such a device is stolen or lost, sensitive information can fall into the wrong hands. Employees should be provided with software that enables a remote wipe and lock. If a device is lost or stolen, business data can then be deleted by the IT team immediately.




How can network mode and authentication tools help



You can't run away from it; instead, sit down and plan how to deal with it. Not having a policy for BYOD can be a daily challenge for admins. Having two types of network, one for employees and the other for guests, is very important for network security. The authentication process can ensure that only a known device is allowed on the network, and you can equip it with a security suite so that IT can track its use and run scans when needed. Antivirus with malware code signatures should be installed at the gateway to the corporate network to scan all traffic passing through the corporate network.



Password-protected devices are less susceptible to data loss in case of theft of or damage to a device. Also, the IT team can create an encrypted storage section on the device so that employees can store sensitive corporate data. Using DRM (digital rights management) and DLP (data loss prevention) will lend more security to the corporate network. Educating employees about what smartphone or tablet to buy is equally important.
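
One way to express the admission policy described above, as an added example that is not from the original article: a known, compliant device joins the employee network and everything else lands on the guest network. The device IDs, field names and the 7-day scan threshold are assumptions made for illustration.

```python
from dataclasses import dataclass

# Constructed inventory of devices enrolled with IT (hypothetical IDs).
KNOWN_DEVICES = {"tab-0017", "phone-0042", "phone-0043"}
MAX_SCAN_AGE_DAYS = 7  # assumed policy threshold, not from the article


@dataclass
class Device:
    device_id: str
    passcode_set: bool
    encrypted_storage: bool   # IT-created encrypted section for corporate data
    security_suite: bool      # agent that lets IT track use and run scans
    days_since_scan: int


def posture_gaps(dev: Device) -> list[str]:
    """List every control from the policy that the device fails."""
    gaps = []
    if not dev.passcode_set:
        gaps.append("no passcode")
    if not dev.encrypted_storage:
        gaps.append("no encrypted storage")
    if not dev.security_suite:
        gaps.append("no security suite")
    elif dev.days_since_scan > MAX_SCAN_AGE_DAYS:
        gaps.append("scan overdue")
    return gaps


def admit(dev: Device) -> tuple[str, list[str]]:
    """Return (network, reasons); anything not fully compliant goes to guest."""
    if dev.device_id not in KNOWN_DEVICES:
        return "guest", ["unknown device"]
    gaps = posture_gaps(dev)
    return ("guest", gaps) if gaps else ("employee", [])


if __name__ == "__main__":
    samples = [  # constructed sample devices
        Device("tab-0017", True, True, True, 2),
        Device("phone-0042", True, False, True, 12),
        Device("byod-unknown", True, True, True, 0),
    ]
    for d in samples:
        print(d.device_id, *admit(d))
```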



Desktop virtualisation can bring flexibility and more security to a workforce that relies more on mobile devices for work. With desktop virtualisation, employees can access their desktop OS and other apps from their tablets and smartphones without having to store data on the mobile device. This won't affect the user's experience, as they can still access their personal files on the mobile device. IT administrators can manage desktop images directly from one interface without worrying about the endpoint hardware.
