Top 10 BYOD Risks Facing The Enterprise
3:00 PM EST Fri. Jul. 26, 2013
Threats to the enterprise posed by an employee-owned mobile device can be as complex as a sophisticated malware attack designed to snoop on an employee's browsing activity or as simple as a lost phone in a taxicab. The threats are forcing security teams to introduce new policies to reduce the risk. Enforcing them without impacting productivity is a balancing act. Experts say the first step is to understand the perceived risks and weigh them against the company's security posture.
Check out the rest of CRN's BYOD special report, available exclusively on the CRN Tech News App.
Employees who demand the latest and greatest technology may also be technically savvy enough to jailbreak or root their devices. Tools have automated the process, getting the job done with a few mouse clicks. Jailbreaking removes the limitations imposed by the device maker, often eliminating restrictions designed to improve the security of the device. Rooting gives the device owner administrator-level permissions, enabling them to install and run apps that may be malicious.
Organizations that restrict certain devices from network access may find employees using a workaround to tie into corporate resources. Certain mobile apps can enable employees to trick network access control checks or at the very least enable the device owner to access corporate email, calendar items and contacts.
Employees can expose corporate data by failing to apply software security updates on their devices. Further complicating the issue is the software update process for some devices. Apple broadly pushes out software updates to iPhone users, while Google Android devices are more dependent on the carrier and device maker for updates, sometimes leaving known vulnerabilities available to attackers for an extended period of time. In addition, businesses have no control over coding errors in third-party applications running on the employee's device.
Some employee devices are configured to identify and attempt to connect to any open wireless access point to retrieve data from the Internet. While most businesses provide secure access points for guests, open wireless points at some hotels and residences can put device owners at risk of man-in-the-middle attacks and other threats that enable an attacker to snoop on their activity. To mitigate this threat, organizations can take advantage of technology designed to force wireless users to use a VPN when accessing corporate resources.
If the device owner fails to set a PIN code to lock the device, a smartphone or tablet that falls into the wrong hands could give an unauthorized person unfettered access to email until the device is reported lost and the data is wiped. Some organizations are implementing policies that prompt users to sign in every time they check their email on their device. Others push out security updates to the device in near real time.
Many freely available mobile applications collect as much data on the device owner as possible in an effort to sell the data to advertising networks. A mobile application is considered adware or spyware by security vendors when it collects data without requesting the owner's permission. Some apps also install aggressive ad-driven search engines on the device to send users to specific advertiser websites.
The good news is that Apple, Google and Microsoft have restrictions that force mobile application makers to request permission to access device resources, such as the camera and contacts. The bad news is that most users fail to read the fine print and almost always grant permission during the mobile app install process. Security experts say apps with too many permissions can be a concern for data leakage. Granting too many permissions could expose contacts, email addresses and device location data to unscrupulous people.
Dropbox and other storage services offered on mobile platforms could be a concern for data leakage. Employees could use these storage services to store company data if organizations fail to put restrictions on sensitive data or fail to have an enforcement mechanism restricting the use of mobile cloud storage apps. Also, if a company doesn't provide an approved storage solution, technically savvy users might bypass security controls altogether. In addition to Dropbox, Google, Apple and Microsoft have cloud-based storage capabilities aimed at consumers.
Security vendors that monitor mobile malware trends have seen a steady increase in mobile malware targeting Google Android devices. The bulk of the threat is made up of SMS text messaging Trojans targeted at consumers, but enterprises are not immune. Security firm Kaspersky Lab recently identified Red October, a targeted attack campaign that had a mobile malware component. F-Secure also detected Zeus and SpyEye banking Trojans that attempt to take advantage of a victim's mobile device.
Lost or stolen devices are the biggest risk to organizations that allow employees to connect their personally owned device to the corporate network. Some businesses have implemented ways to remotely wipe any corporate data, such as email and contacts, from a lost device. Pushback from employees who don't want to give their employer unfettered access to their device has prompted companies to take a closer look at containerization. By containerizing business data on the device, IT teams can have the ability to selectively wipe corporate data if the device is lost or stolen.