The BYOD ethos is a corporate cyber attack waiting to happen

19-02-2015 | By Paul Whytock

Bring your own device to work may save companies a lot of money by reducing IT hardware expenditure, but it could cost corporations dear in cyber attacks.

Most of us today are BYOD (Bring Your Own Device) workers. That is, people who use their own computers and smart phones in the workplace. The problem is that it raises a multitude of Internet security questions and potentially creates some serious risks.

Ten years ago the BYOD concept was much more rigorously controlled and banned in many companies, but this has radically changed. Voltage Security, a data security specialist, warn that a drop in the number of corporations prohibiting BYOD, coupled with the new 4G mobile era, could leave organisations vulnerable to cyber criminals unless they take some rapid and robust security measures. And I think they make a good point.

Bring your own device adoption or tolerance within companies does vary according to what region you look at, but generally speaking it's thought to be between 45 and 78%, with the majority of bring your own device to work schemes using personal smart phones, tablets and laptops to access their employers' data. In fact, US analysts Osterman Research reckon there are now more than twice as many personally owned iPhones, iPads and Android devices being used in the workplace compared to company-issued equipment.

Banning BYOD wouldn't work

So simply banning BYOD from the workplace wouldn't work these days and could actually reduce employee efficiency and impact on corporate performance.

There is no doubt that 4G presents a problem. The new network will massively change the way we work, especially given its potential download speeds of 100Mbps or more. BYODers will be able to run feature-rich applications like video-conferencing as well as maximising accessibility to cloud-based services.

So where are the main corporate 'Achilles heels' when it comes to criminal cyber invasion?
There are three types of mobile data that are most vulnerable to bring your own device security risks. They are: mail communications containing sensitive information, secret business data and files, and transaction data that can be captured via intrusion into mobile payment methods.

Such is the level of security concern regarding bring your own device that it is now considered that 95% of companies could be susceptible to bring your own device security risks. This is a finding from a recent study by Internet security company Check Point Software Technologies (CPST). Here are some of the key points.

A total of 87% of IT professionals surveyed by CPST think the greatest security threat to company information is careless employees. And over 60% believe that recent high-profile breaches of customer data were probably due to that carelessness.

In addition to that, a massive 91% of IT professionals saw an increase in the number of personal mobile devices connecting to their networks over the past two years. In 2014, 56% of those surveyed managed business data on employee-owned devices, up from 37% in 2013.

The analysts also looked at which bring your own device platform is the riskiest and decided that, compared to Apple, Windows Mobile, and Blackberry, Android is. Its perceived risk grew from 49% a couple of years ago to its current level of 64%.

And what about the cost to companies, particularly bearing in mind that one of the prime reasons for the proliferation of BYOD was the increasing number of company accountants licking their lips at the thought of all those hardware cost savings?

Of the IT executives surveyed by CPST, 42% said mobile security incidents had cost their companies more than £160,000 which, when you consider the CPST study was based on over 700 IT experts, works out to be a lot of money, around £48 million in fact.

So, corporate bean-counters, where are the BYOD IT savings now? Gone seriously south I would suggest.
Raid the corporate coffers

But what can be done about all this? The answer is not a lot really unless some serious money is spent.

Chief financial officers might consider raiding the corporate coffers to dish out the latest smart phones and tablets to their employees or alternatively they could call in the security experts and upgrade their network protection systems. They could conceivably do both, but I doubt it.

One thing that could be done pretty quickly would be for employers to implement on a company-wide basis a BYOD agreement checklist recommended by the Security for Business Innovation Council. It recommends that:

  1.) Companies should ensure that end users are responsible for backing up personal data.

  2.) Clarify lines of responsibility for device maintenance, support and costs.

  3.) Require employees to remove apps at the request of the company.

  4.) Disable access to the network if a blacklisted app is installed or if the device has been jail-broken, and specify the consequences for any violations to the policy.

These are sensible guidelines but there is an overriding flaw. Can you see employees adhering to them regarding their very own, precious and paid-for-by-themselves smart phones, tablets and laptops? No, nor can I.



Paul Whytock is European Editor for Electropages. He has reported extensively on the electronics industry in Europe, the United States and the Far East for over twenty years. Prior to entering journalism he worked as a design engineer with Ford Motor Company at locations in England, Germany, Holland and Belgium.
