For those unfamiliar with the acronym, BYOD stands for "Bring Your Own Device."
Technology moves fast; so fast that many organisations struggle to prevent their IT infrastructure from going obsolete. To combat this, organisations are allowing individuals to bring their own devices to work as they are often newer and more advanced than the equipment provided by the IT department. Not only that but employees often feel more comfortable working on their own device.
Although an increasing number of organisations are choosing to embrace this trend, there are still considerable security risks involved that many are not aware of. For example, an employee may lose their smartphone or bring a laptop to work which has accumulated a virus or contains malware. It's also worth noting that some people like to tinker with their devices. A user can "jailbreak" or "root" their device, which gives them full access to the system directory and the ability to make changes to their operating system. While it is getting harder to do, it still presents a significant security risk for your organisation, as such devices are more vulnerable to fraudulent attacks. Halifax bank have explicitly stated that anyone using a device that is suspected to have been jailbroken or rooted will not be allowed to use their Mobile Banking app.
Mobile phones and tablets present the greatest threat. A recent study conducted by Nielsen found that the average smartphone user has 26 apps installed, and most of them come with privacy and security issues (including those downloaded from trusted app stores). For example, mobile phone apps often have access to information such as your contacts and email account. Some apps have access to core functions of the OS and can change the way information is shared between devices. Some apps simply fail to encrypt data correctly.
Such security vulnerabilities are not intended to support malicious behaviour, but are simply the result of lazy programming. While newer operating systems may request user confirmation when an app requires certain permissions, users are often unaware of the security implications associated with them. Of course, the ideal solution would be for developers to build better, more secure apps, but this is not something we can rely on. As such, to prevent any viruses or malware on your device infecting the company network, you may want to consider using a Virtual Private Network (VPN) to ensure a secure and encrypted connection. You may also want to consider using Enterprise Mobility Management (EMM) software, which can help determine how mobile devices are used on your system, as well as detect risks.
Lost or stolen devices are a major concern. According to Bitglass, over 68% of health care data breaches occur when devices are lost or stolen. You will need to ensure that your employees are using a secure PIN code and that they are keeping all applications up to date. You can also make use of remote wiping features, which are typically available on most smartphones and tablets through MS Exchange ActiveSync. If you are using a laptop, you will need to install the software yourself. You do not need to delete all data on the device; instead you could delete a certain folder which contains information relating to your organisation. Make sure that your IT department can identify all devices connected to your system, and regularly perform penetration tests in order to identify potential vulnerabilities.
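As an added illustration of the two points above (knowing which devices are partnered with your system, and wiping only the organisation's data rather than the whole device), here is an Exchange ActiveSync administration example. It is not code from the original article or from Lepide; it assumes an Exchange Management Shell or Exchange Online PowerShell session with the standard `Get-MobileDevice`, `Get-MobileDeviceStatistics` and `Clear-MobileDevice` cmdlets, and the mailbox address, device ID and notification address are placeholders.

```powershell
# Added example, not from the original article.
# Assumes an Exchange Management Shell / Exchange Online PowerShell session.
# All identifiers below are placeholders, not real values.

$mailbox  = 'jdoe@example.com'        # placeholder: the user who lost the device
$lostId   = 'PLACEHOLDER-DEVICE-ID'   # placeholder: DeviceId reported by inventory
$notifyIt = 'it-security@example.com' # placeholder: who is told when the wipe completes

# 1. Inventory: list every ActiveSync device partnered with the mailbox, with
#    its type, OS, last successful sync and current access state, so IT can
#    confirm exactly which device is missing before acting.
Get-MobileDeviceStatistics -Mailbox $mailbox |
    Select-Object DeviceId, DeviceType, DeviceOS, LastSuccessSync, DeviceAccessState |
    Format-Table -AutoSize

# 2. Selective wipe: -AccountOnly removes only the Exchange account data
#    (mail, calendar, contacts) and leaves the user's personal data alone.
#    Omitting -AccountOnly would request a full factory reset instead.
$device = Get-MobileDevice -Mailbox $mailbox |
    Where-Object { $_.DeviceId -eq $lostId }

if ($null -eq $device) {
    throw "No ActiveSync partnership found for device '$lostId' on $mailbox"
}

Clear-MobileDevice -Identity $device.Identity `
    -AccountOnly `
    -NotificationEmailAddresses $notifyIt `
    -Confirm:$false

# 3. Verify: the wipe is only queued until the device next syncs. Re-run the
#    statistics query and check the sent/acknowledged timestamps; a populated
#    DeviceWipeAckTime means the device received and honoured the request.
Get-MobileDeviceStatistics -Mailbox $mailbox |
    Where-Object { $_.DeviceId -eq $lostId } |
    Select-Object DeviceId, DeviceWipeSentTime, DeviceWipeAckTime, DeviceAccessState
```

The inventory step matters because a wipe is irreversible: confirm the `DeviceId` against the user's report before issuing `Clear-MobileDevice`. If the device never reconnects, `DeviceWipeAckTime` stays empty and the only remaining control is blocking the partnership and resetting the user's credentials.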
About Aidan Simister
Aidan is the global SVP at Lepide Software, an IT auditing, security and compliance vendor.