While BYOD may be great for worker productivity, the risk of a company losing sensitive corporate data because of a poor -- or nonexistent -- BYOD policy is even greater. According to a global study on mobility risks by the Ponemon Institute, more than half of 601 IT and IT security practitioners surveyed in 2012 said confidential data had been lost due to insecure smartphones and other devices being introduced to the workplace.
Executives shouldn't stick their head in the sand and hope the BYOD challenge will be remedied on its own, said Eric Maiwald, research vice president at Gartner. Implementing restrictions limits employee productivity and could result in the very real possibility of not being able to hire good employees in the future, he said. Younger workers especially see their mobile device as an extension of their workstation, said Maiwald.
"If I am bringing my own device, it changes the whole paradigm of how technology is used, where enterprise data is, how employees work, and where they work," he said. "It changes the whole work model for the enterprise."
For solution providers, BYOD means helping customers navigate this new work model and making sure they are educated about the threats it poses. The channel plays a big role in helping businesses manage BYOD risks and regaining control over their data.
PRODUCTS SHOULDN'T DICTATE POLICY
Many companies don't have a firm BYOD policy but they're being forced to address the issue largely because executives are introducing Apple iPads or iPhones into the office and want them connected to all the corporate systems they can access from their laptop, said Charles Zwicker, director of commercial sales at Weidenhammer Systems, a Reading, Pa.-based solution provider that sells Fiberlink MaaS360 cloud-based mobile device management software. Some companies suddenly realize they already have employees connecting to the network via their personally owned mobile devices and rush to consider a security technology, Zwicker said.
"A lot of companies are letting the products dictate what their policies are going to be," he said. "It's not a good way to go about protecting the network and certainly not what we advocate."
Zwicker said many companies start out with Microsoft Exchange ActiveSync to enforce a device PIN code requirement, remote wiping and other basic policies. IT teams then move to consider mobile device management for more advanced functionality and better enforcement of restrictions, such as the ability to selectively wipe corporate data from a mobile application on a personally owned device.
"We've seen an awful lot of tire-kicking, but not as much buying yet," Zwicker said. "Businesses with larger workforces that are remote are starting to see more and more mobile devices out in the field and over time we expect that to result in more purchasing decisions."
Lost or stolen mobile devices are the biggest problem businesses are dealing with, which makes remote wipe capabilities critical for controlling BYOD risks, said Rob Kraus, director of the engineering research team at Omaha, Neb.-based managed security services provider Solutionary.
He recommends organizations assess the kind of data that employees are accessing on their personally owned devices and determine ways to protect the data -- not necessarily the device.
Kraus advocates for granular access control mechanisms to limit the access of employees to systems they need, rather than the entire corporate network. In addition, monitoring system logs and network traffic could help contain threats before they become a serious breach, he said.
He also urges companies to develop BYOD policies in conjunction with legal counsel and work closely with business executives to gain long-term leadership support for security initiatives. The process is complex and prone to stumbling blocks, according to Kraus. Business managers and IT teams don't always agree on what data needs protecting and how it should be protected. He cited a recent case involving a company that was integrating employees from an acquisition. The company encountered a different security culture and found it difficult to immediately develop a strong set of BYOD policies, and it ended up suffering a breach.
YOUR'E LOSING ME
When Darrin Reynolds tried to address the BYOD issue at his company a few years ago, he ran into an unexpected problem.
Reynolds, vice president of information security at Diversified Agency Services, a division of New York-based marketing services firm Omnicom Group, had instituted a policy requiring employees to use devices that enabled his IT team to remotely wipe them if they were ever lost or stolen. But the first time an employee's device was lost, the IT team couldn't do anything. Not wanting to risk illegitimate charges, the employee had immediately reported the lost device to his mobile carrier; when the carrier took it off its network, the team lost the ability to remotely wipe it.
"There was a steep learning curve," Reynolds told CRN about implementing the company's BYOD policy. "Just because we haven't seen major threats doesn't mean we ignore the potential for problems, and right now our security posture calls for controlling what happens when a device is lost."
The nature of BYOD risks means IT departments should drop the idea of device control and instead focus on ways to secure sensitive data, said Mike Siegel, vice president of products, services and support at San Francisco-based mobile application management vendor Mocana. Siegel said IT teams must go beyond traditional security technologies such as antivirus.
"BYOD is essentially indicating that the world of a closed and protected platform by which IT can manage the activities and applications employees use at work has become archaic," Siegel said. "The future with BYOD is in having the ability to provide security and assurance around your data."
Solution providers need to better educate their clients about the risks mobile devices pose to the network, said Shane Swanson, COO of Bakersfield, Calif.-based CharTec, a solution provider that also trains MSPs. User training needs to be consistent and ongoing. If corporate systems are not properly protected and employees fail to understand the risks posed by their personal devices, it is possible for an attacker to use the smartphone as a staging ground. Once a foothold is established, the cybercriminal could pivot to more sensitive back-end systems. Security experts have seen the technique used frequently on employee workstations, Swanson said.
"BYOD is a big game-changer," he said. "If people don't adopt some kind of solution, all these devices connecting to the network could threaten to bring it down, even though we really haven't seen it happen yet."
Swanson said mobile device security is still evolving, making it difficult to sell something that offers complete protection. Multiple device platforms and multiple device firmware versions make enforcing policies a tricky problem.
"There are still a lot of unknown issues that our clients are having trouble wrapping their head around," he said.
However, Microsoft Exchange ActiveSync is a good place to start implementing BYOD controls, according to security experts. From there, organizations can evaluate mobile device management products for more robust capabilities if they are needed, said Gartner's Maiwald. MDM products should go beyond basic functionality and include containerization, which separates corporate data from personal data on the device, and mobile application management, he said. Network access control, which is seeing a resurgence as a result of BYOD, also can have some robust capabilities.
Solution providers can address their clients' mobile security needs by helping them conduct an initial risk assessment, according to Maiwald. Once an organization understands what data needs to be protected, a solution could be as simple as ensuring antivirus is installed on devices or be more complex, such as implementing data encryption or network access control capabilities to restrict access to sensitive corporate resources, he said.
Emerging technologies to mitigate BYOD risks include workspace aggregators that allow employees to tap into applications and content through the cloud, a mobile app or a Web application. Aggregators, designed mainly by virtualization vendors, make applications independent from the hardware device and also often don't have OS dependencies, Maiwald said.
"Just remember that employees don't want their employer to have the ability to delete all their information, so solutions have to be more capable," Maiwald said. "Employees have pushed back. … We're at a point were no breakout technology has emerged."
MOBILE MALWARE: REAL OR OVERHYPED?
While BYOD brings plenty of complicated issues for businesses to worry about, one problem they don't need to worry about so much -- at least for now -- is mobile malware, experts said.
Reports from McAfee, Symantec, F-Secure, Sophos, Kaspersky Lab and other security firms that track threats all indicate that mobile malware represents about 1 percent or less of all malware threats globally. Attackers are targeting victims on the desktop because it's still easier to victimize people online, said Graham Cluley, an independent information security analyst based in the U.K.
"If the bad guys could make more money in mobile, they would turn to mobile platforms," Cluley said. "It's a business and they're making the best business decision right now by sticking to laptops and workstations."
Security vendors have reported seeing an increase in mobile malware targeting Google Android devices but, so far, the bulk of the threat is SMS text messaging Trojans targeted at consumers in mainly in Eastern Europe and Asia. Some mobile applications contain spyware functionality, which can monitor a user's browsing history.
All of the risks need to be clearly understood so businesses can determine if they need to segment off corporate data from the rest of the device, said Pete Greco, vice president of sales and technology at Minneapolis-based solution provider Productive.
Fear uncertainty and doubt, or FUD as it is more commonly known, is how marketers hype up threats to fuel interest in certain security technologies, but it doesn't necessarily result in better protection of corporate networks, Greco said. There is no better example of where FUD has created a "buy it first" mentality than mobile security, Greco said.
"Policy and philosophy needs to come before the technology, but with mobile that conversation can be paralyzing," Greco said.
Detecting suspicious activity is only half the battle, according to Kevin Mahaffey, founder and CTO of Lookout Mobile Security. The bigger risk is the inability to patch mobile devices, he said. Lookout finds thousands of users on outdated, vulnerable versions of Android for one reason or another. Sometimes the phone is outdated and no longer receiving updates from the carrier; other times, the carrier is still working on pushing out a fix issued by Google.
"When we learn about these threats it may take six months or more for a device to get updated," Mahaffey said. "The bad guys can use it for months and there's not much people can do about it."
Lookout, however, cut through some of the mobile hype in a recent report, which found that despite a steady increase in mobile threats globally, the chance of mobile device owners in the U.S. encountering a serious mobile threat is negligible. The firm's analysis found that the problem device owners are mostly likely to encounter is overly aggressive advertising schemes built into mobile apps. Called adware, mobile apps -- typically the freely available apps -- collect user data and sometimes record browsing activity without the user's knowledge. The information is sold to advertising networks. However, there's only a 1.6 percent chance of encountering the problem, according to the Lookout report.
"There's definitely been an awful lot of attention paid to attacks that aren't very widespread right now," said Solutionary's Kraus. "That doesn't mean mobile security doesn't deserve our attention; we just need to focus on the right issues."
PUBLISHED JULY 29, 2013