What You Need to Know About BYOD Security

29 May 2018 | Posted by Cass Information Systems, Inc.

According to Gartner’s latest Managed Mobility Services (MMS) guide, 75% of smartphones used in the enterprise will be bring your own device (BYOD) by 2022. That’s up from 35% in 2018, forcing a migration from device-centric management to app- and data-centric management. But to ensure BYOD becomes both widespread and fruitful, security needs to remain firmly at the top of vendor and customer agendas.

What Are the Risks of BYOD Adoption?

Comparitech neatly summarises seven of the main security risks related to BYOD:

  1. Data leakage: The unsanctioned leakage of corporate data from an unsecured device.
  2. Data loss: Physical theft or loss of a device, compromising sensitive data.
  3. Public exposure: Public Wi-Fi hotspots are frequently used by remote workers but are vulnerable to eavesdropping and man-in-the-middle attacks. Personal area networks, e.g. Bluetooth, carry similar risks.
  4. Third party usage: Insecure usage of a device by, for example, family or friends at home.
  5. Malicious apps: For example, trojans can generate unsanctioned premium rate calls or purchases, and spyware can monitor processes and data such as calls, browsing history, emails, and GPS.
  6. Rogue apps: When a rogue employee obtains root access to a device, bypasses security restrictions, and installs unauthorized apps.
  7. OS-specific security customization: Some users will use “jailbreaking”, “unlocking”, or “rooting” to remove vendors’ configuration restrictions, which increases exposure to insecure applications. With restrictions removed, it’s easier for malicious apps to access and manipulate sensitive data or device sensors, e.g. camera or microphone.

These risks naturally weigh on the minds of those considering BYOD, with one study revealing that 81% of managers surveyed cited data security as the main barrier to BYOD adoption. However, with a thorough BYOD program these risks can be controlled and managed. Applied systematically and with forethought, a BYOD program can be made as secure as a corporate-owned device program.

And above all else, staff will use personal devices for work purposes whether officially sanctioned or not. A BYOD program recognizes this fact and transforms personal device usage from being uncontrolled and unknown to secure and managed.

But how is it done?

Policy is Key

An effective BYOD policy is critical to security; without one, the safeguarding of company data and assets is essentially a game of chance.

The security component of your BYOD policy instills simple but crucial behaviors in your employees: for example, requiring a PIN or passcode lock on the device and prompt reporting of any lost or stolen equipment to the employer. Typically, users also agree not to alter any of the employer's or manufacturer's security measures (which includes not "jailbreaking" or rooting the device).

You'll want best-in-class security technology – such as MDM software installed on employee-owned devices – and your policy should require users to consent to it as a condition of participating in the BYOD program. Your policy must also set out the steps to follow should a security breach or device loss occur.

Another ingredient of a BYOD security policy is a stipulation that safe, standardized methods are used for storing files, data and documents, including email attachments. Phishing is the most common tactic employed by attackers and, according to Verizon's 2016 Data Breach Investigations Report, 30% of phishing messages are opened; in the same study, around 12% of recipients went on to click the malicious attachment or link, which is all an attack needs to succeed.

Finally, because both technology and security threats are constantly evolving, your policy should be updated regularly, written in flexible language and not limited to today’s particular technologies.

Several Lines of Defence are Needed

Security threats appear in myriad forms and are constantly evolving. This means a multi-pronged security strategy is needed:

Encryption

Businesses need to protect both data stored on the device and data sent to and from it.

Data housed on the device should be protected through software and/or hardware-based encryption, depending on the device type. Note that on-device encryption typically derives its keys from the device passcode, so it only protects a lost or stolen device if a lock-screen passcode is actually enforced. Data transmitted between the corporate network and the device should be encrypted, for example via a VPN tunnel or over HTTPS.

Virus Protection and Remote Management

Best practice dictates that mobile threat protection is centrally administered by the company's IT team through the management tooling provided with MMS (MDM/EMM). This involves supplying a mobile security app, monitoring for threats, and performing remote scans.

If an attack is detected, the team can respond quickly with measures such as blocking the device's access to corporate email. If a phone is stolen or lost, the IT department can remotely lock it and wipe its data (for BYOD, usually a selective wipe of corporate data and apps rather than the whole device).

Containerization

A data container is a mobile application that partitions and secures a part of a device’s storage from the rest of the device. Corporate apps and data are therefore better protected from intruders or malware interacting with them.

Sometimes referred to as sandboxing, a secure data container lets a company apply one consistent set of policies to corporate data across all device types.

Authentication

This covers rules for strong passwords, for example a minimum length and a mix of letters and digits. An MMS vendor can also help set up two-factor authentication to provide a further layer of protection.

End-User Privacy Must be Retained

Unfortunately, merely thinking about some of the risks we’ve so far discussed can cause some organizations to freeze up and disregard BYOD. But the enterprises that do adopt a program need to ensure that the employees themselves are not discouraged in any way.

It’s therefore crucial that your security controls don’t violate an employee’s right to privacy, and that the policy document states plainly what you can and cannot see, for example that you won’t have access to personal data such as location or websites visited. Without this, staff can be unnecessarily suspicious of a BYOD program and adoption levels can suffer. What's more, those who do adopt may be more likely to look for ways to circumvent security measures.

For every program or regulation, such as GDPR, that goes some way to allay concerns about end-user privacy, there’s another breach or public outcry, such as the recent Facebook/Cambridge Analytica scandal. So, one way to ensure a successful BYOD program is to acknowledge the current zeitgeist of mistrust and put employee minds at ease by being open and transparent about your access to their data.

We recently explained rights to access in our two posts on how GDPR will impact telecom expense management for the end-user and the enterprise.

Final Thoughts

At Cass, we recognize that the best BYOD programs protect a business and its information, while still keeping devices appealing and user-friendly. That is why we integrate our mobile device management (MDM) system with the BYOD solution itself. That way, built-in compliance incentives can be leveraged – for example, employee reimbursement can be made subject to MDM enrollment and policy compliance.

Security has always been pivotal to MMS adoption, both for employer and employee alike. And along with sourcing and logistics, managed EMM, finance management, and program management, it’s identified by Gartner, in their latest MMS guide, as one of the core service disciplines of MMS.

The guide evaluates how seven of the key MMS providers (including Cass) approach these disciplines, as well as offering analysis of the current market as a whole and the direction it's heading in over the coming years. If you’d like to learn more, download Gartner’s Competitive Landscape: Managed Mobility Services guide for free today.

Topics: managed mobility, BYOD Security
