BYOD poses serious risks to IT security
The always-on, always-connected, productivity-on-the-go trend of allowing smartphone- and tablet-toting employees to take their own devices to work (known as BYOD, or “bring your own device”) and to plug them into the company network is growing in popularity around the world.
A recent BYOD study conducted by smartphone manufacturer Samsung Electronics, in conjunction with IDG Research, revealed that 85% of global companies support the BYOD trend, while 70% of IT executives believe that a company that does not implement a BYOD policy will be at a competitive disadvantage.
While some companies readily admit that they allow their employees to practice BYOD since it is convenient and sometimes more cost effective than having to issue and pay for company devices, many information security managers also admit that companies ought to do more to understand the security implications behind the trend.
According to a worldwide survey conducted by analyst firm Frost & Sullivan and published in the 2013 Global Information Security Workforce Study, 78% of security professionals believe that BYOD poses a “somewhat” or “very significant” risk to companies.
These fears are not unfounded, says Lutz Blaeser, Managing Director of South African security software distributor Intact Security. “Last year, just over half of secure IT security networks in the UK alone reportedly had their security breached due to employees using personal devices in the workplace. While the BYOD trend in South Africa is still relatively low, with only an estimated 5% of local businesses adopting BYOD policies – it is bound to pick up pace, especially as more people adopt a more flexible way of working.”
But Blaeser admits that the popularity of BYOD is not driven merely by productivity. “Employees still like to access their personal messages and social networking while at work, and using their own devices at work allows them to access their personal apps and e-mail, whereas the company computers could have a block, prohibiting users from having access to, for example, social networking sites.”
Indeed, a global survey conducted by Fortinet reveals that many employees already consider using their own devices at work to be a “right” and not a “privilege” – especially among Asian respondents, with more than half (55%) saying that they regard it as their right.
This is going to cause huge headaches for IT departments. Blaeser, whose company Intact Security is responsible for distributing GData as well as other brand-name security software to the South African market, predicts that hackers and other cyber criminals will exploit the BYOD trend to target companies and institutions, by launching attacks on employees’ private mobile devices to gain access to sensitive data on company networks.
He advises that the solution is not to ban BYOD, but rather to implement strong BYOD policies pertaining to security. “The amount of malware and malicious apps developed specifically to attack tablets and smartphones will continue to increase throughout 2013,” Blaeser says. “Make rules that employers should activate passcode protection (whereby users have to enter a special code whenever they switch on their devices). Although many will argue that such codes are easy to crack, it is better than having nothing. Companies can also ensure that any sensitive business data is encrypted. Employees should change their passwords regularly, delete data that is no longer needed and also back up important data – not only business information, but those of personal importance too, such as family photographs and videos.”
Lastly, he says, companies can encourage users to install reliable security software on their devices that will help to fend off malware and continue to protect devices remotely in the event of loss or theft. “Everyone knows that Android-operated devices are vulnerable to attacks due to its wide uptake and popularity. Products such as GData’s MobileSecurity have been developed specifically to secure Android devices.”