Bring Your Own Device
A growing number of companies allow employees to use personal devices in the workplace, and these devices commonly connect to the company network. This BYOD (Bring Your Own Device) practice has multiple benefits, such as increased flexibility, employee satisfaction and productivity, and in some cases a reduction in company computing purchase expense. However, this practice also creates some unique cybersecurity risks. Companies implementing BYOD must address these security risks in order to protect the company’s data. Make sure your company’s cybersecurity requirements adequately address BYOD management.
Accordingly, this article highlights some of the most prominent BYOD security risks in the workplace today.
Exposure of Confidential Data and Information
Downloading company data and information onto employees’ personal devices exposes the data in a variety of ways:
Use of public Wi-Fi to transmit company data – When employees conduct business on mobile apps over public Wi-Fi connections, they potentially expose the data in transit to unauthorized parties. Hackers routinely scan public Wi-Fi activity, searching for opportunities to steal confidential data. Employees should use a VPN to conduct business over public Wi-Fi.
Potential for theft of the employee-owned device – Mobile device theft continues to be a pervasive threat. When employees use the device for company business, device theft presents potential network security risks. A talented hacker can potentially use the device to gain connectivity to the company network. Additionally, confidential information stored on the device is subject to theft. For this reason, some companies implement BYOD security protocols that prohibit storage of confidential data on employee-owned devices.
Employees sending company emails to personal contacts – Do your company’s BYOD security protocols allow employees to use company email on their personal devices? If so, your company could be at risk of exposing confidential information to unauthorized parties. Employees may unwittingly send confidential information via email to personal contacts when they use the same contact list for both company and personal business.
Installation of malicious applications – Employees may unwittingly install malicious applications on their personal devices. When the employee connects the BYOD device to the network, the malicious apps can transfer malicious code, with or without the employee’s knowledge. Additionally, when employees let other people use their BYOD device, the opportunity for malicious apps to reach the device, and ultimately the company network, increases.
User Control of Security Features
Sometimes people find ways to remove security restrictions (e.g. jailbreaking or unlocking) from the software or applications on their personal device. This practice increases network security risks by allowing malware to enter the device without being screened for security threats. Eliminating such BYOD security risks proves challenging for several reasons:
Company Control of Employee-Owned Devices – Based on employee input to surveys, many believe that the company they work for should not have access to their personal devices. They claim privacy invasion. Indeed, this philosophical issue presents potential legal liabilities for companies that manipulate an employee’s personal device without the employee’s permission. How can companies avoid this BYOD security risk?
Companies sometimes require employees to sign forms giving their employer permission to access their BYOD when necessary to protect company property. These forms may even include waivers of company liability for any harm caused to the employee resulting from company actions on the device. These terms, while legally enforceable, may discourage employees from using their devices at work. This situation may limit the benefits a company hopes to achieve by implementing a BYOD policy.
Alternatively, companies can work to resolve these BYOD security risks with a less heavy-handed approach. Companies can configure employee-owned devices to allow only limited network access. The company can limit the functions a BYOD can reach to those for which the network has adequate security controls in place. For example, some employees want company email available on their smartphones so they can retrieve email when away from work, but otherwise do not need the smartphone to connect to the network. In this case, the company can install an email application on the employee’s smartphone and isolate that application from the other applications on the smartphone.
Lack of Resources for Monitoring Mobile Applications – A typical tech-savvy employee installs many and varied applications on their personal mobile devices. Delegating responsibility for managing all BYOD applications to the IT department would likely prove a futile expectation. The cumulative workload required to fulfil this responsibility would demand major resources and distract from normal business workflow. This problem provides another reason to consider limited network access for employee-owned devices.
Employee-Initiated Attack (Insider Threat)
According to Verizon’s 2017 Data Breach Investigation Report, 15% of all data breaches occurred due to insider threat. This means employees or others with access to the company network stole data from the company. When employees connect to the network with a personally owned and managed device, they have the opportunity to take company-owned data outside the workplace and download it when not connected to the network. This is one reason that companies sometimes do not allow employees to download company data and information to employee-owned devices.
According to Verizon, in 2017 approximately 5,698 devices were lost or stolen, 74 with confirmed data disclosure. Seasoned hackers make quick work of extracting and using unencrypted data from mobile devices.
Does your company have the ability to wipe data from a BYOD remotely if it is lost? This is one way to safeguard against data theft in the event of a lost employee-owned device storing company data.
In the case of device theft, or even in the case of an employee loaning a BYOD to a person with malicious intent, the thief may steal identity information and use it to access the company network.
Confidential Data and Information Leaving the Company upon Employee Termination
Does your company maintain a policy for comprehensive collection of company-owned data and information from departing employees? Collecting company-owned devices covers only part of the company’s exposure to data theft when the company implements a BYOD policy. If your BYOD policy allows company data to be stored on employee-owned devices, you should consider how you will retrieve that information upon employee termination.
Company Liabilities with BYOD Use and Policy Administration
Companies can carry legal liability risks associated with BYOD use.
Litigation: If a company mandates or allows BYOD use to support company functions, the courts could summon employees to present these devices as evidence in a legal case. If this situation causes the employee financial harm or reputational damage, the employee could file a claim against the company.
Employee Claims of Privacy Breach: In several places in this article we mention company access to employee-owned devices. This situation gives employees the opportunity to claim breach of privacy, particularly when the company can access portions of the device storing personal information.
Personal Data Loss: Some companies implement MDM (mobile device management) or EMM (enterprise mobility management) software and procedures as a mechanism to wipe data from mobile devices in the event of loss or theft. When this occurs on an employee-owned device, the employee will likely lose personal data. This situation could leave the company with a legal liability to the affected employee.
How Do I Manage BYOD Security Risks?
The list below briefly describes some control mechanisms aimed at reducing BYOD security risks. Earlier in this article we mentioned a few of these, described how businesses can use them, and highlighted some risks inherent in implementing these controls. Businesses must balance their BYOD control needs against the associated risks when deciding how to implement BYOD use in their workplace.
MDM / MAM – Mobile Device/Application Management can include remote data wiping for stolen or lost devices.
NAC – Network Access Control is necessary for ALL devices connected to the network.
EMM – Enterprise Mobility Management operates similarly to MDM/MAM but within an enterprise environment.
RBAC – Role Based Access Control provides network access to individuals based on the needs of their job function. This allows restricted access, therefore greater control over exposure of data to loss, theft or other unwanted disposition.
DLP – Data Loss Prevention software and procedures can provide data monitoring at all levels, including details of each data transfer such as its source, its destination and the time of the transfer.
Remote Tracing – This is normally implemented with company-owned hardware but can be extended to BYOD, and can prove valuable in case of device theft.
Security Awareness Training – Regardless of the safeguards a company deploys, the risk of unwanted data exposure exists as long as humans are involved. Employees need to be educated and routinely reminded of a company’s Cybersecurity Requirements and Network Security Best Practices.
Issue and Enforce Clear BYOD Use Policies – A BYOD security policy must be well-structured and communicated to all persons using BYOD in the workplace.
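The limited-access approach described earlier (a posture gate in the spirit of NAC, followed by role-based access) can be expressed as a small access decision routine. This is an added example, not code from the article or from any MDM/NAC product; the device attributes, role names and resource names are constructed sample data.

```python
from __future__ import annotations
from dataclasses import dataclass

# Constructed sample RBAC table: which resources each job role may reach
# from a personal device. Role and resource names are assumptions.
ROLE_RESOURCES = {
    "sales": {"email", "crm"},
    "engineer": {"email", "source-repo"},
    "contractor": {"email"},
}

@dataclass
class Device:
    """Posture attributes an MDM/MAM agent would report (assumed field names)."""
    owner_role: str
    mdm_enrolled: bool        # company management profile present
    jailbroken: bool          # OS security restrictions removed
    disk_encrypted: bool      # data at rest is encrypted
    on_trusted_network: bool  # False means public Wi-Fi
    vpn_active: bool          # company VPN tunnel established

def posture_failures(d: Device) -> list[str]:
    """Return every posture problem that should block network access."""
    failures = []
    if d.jailbroken:
        failures.append("jailbroken")
    if not d.mdm_enrolled:
        failures.append("not enrolled")
    if not d.disk_encrypted:
        failures.append("disk not encrypted")
    if not d.on_trusted_network and not d.vpn_active:
        failures.append("public wifi without vpn")
    return failures

def allowed_resources(d: Device) -> set[str]:
    """NAC gate first, then RBAC: a device failing posture gets nothing."""
    if posture_failures(d):
        return set()
    return set(ROLE_RESOURCES.get(d.owner_role, set()))

def decide(d: Device, resource: str) -> tuple[bool, str]:
    """Allow/deny one resource request with a reason suitable for an audit log."""
    fails = posture_failures(d)
    if fails:
        return False, "posture: " + ", ".join(fails)
    if resource not in ROLE_RESOURCES.get(d.owner_role, set()):
        return False, f"role {d.owner_role!r} not permitted {resource!r}"
    return True, "allowed"
```

The reason string is what you would want to log: a posture denial tells the helpdesk what the employee must fix, while a role denial flags a possible policy gap or misuse.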