The rise of BYOD: What are the key security risks and how can SMEs overcome them?

It's no secret that the momentum of the BYOD (bring your own device) trend has surged like a tidal wave across organisations of all sizes and industries recently. In this Q&A we talk with Don Smith, technology director at Dell SecureWorks, to discuss the major concerns around BYOD and examine how businesses can overcome these challenges.

What are the biggest trends and talking points you are hearing from customers?

With the diversity of security attacks globally, it is becoming increasingly difficult and complex for small and medium-sized businesses to assemble the right in-house resources to protect themselves against the cyber threats they face. This could be a data breach through the network, data leakage by employees, or lost laptops or mobile devices. Threat actors such as cyber criminals and hackers are increasingly turning their focus to small businesses because they typically lack the breadth of security measures prevalent in larger organisations.

One of the major trends we are seeing is BYOD. While BYOD programmes are changing the IT landscape, it's clear that one of the biggest concerns around this mobile revolution is the security risk for organisations. BYOD may result in data loss and unauthorised access to data. Quite often, customers are asking us how BYOD will affect their data security and what measures they can take before becoming a victim of cybercrime.

When talking to Dell SecureWorks customers, what are the concerns and benefits of implementing a BYOD programme? Can BYOD work safely?

Companies want employees to be happy, and BYOD is part of that movement. Employees wish to have greater flexibility to meet their individual needs and BYOD can bring greater employee satisfaction and productivity. Our customers want to ensure that they not only have the right network security solutions in place but have implemented comprehensive endpoint security to defend against current and emerging cyber threats. Introducing a BYOD policy can make implementing such controls extremely difficult, if not impossible.

Customers want optimal user experience without compromising IT security. The major challenge for our customers is the uncontrolled endpoint client computer. Despite these cautions, BYOD can work safely. One example is the use of a virtual desktop infrastructure (VDI), which can be put into place so that employees on personal computers can interact with corporate applications and data without being directly connected to the company network. With a VDI solution the user's device doesn't connect directly to corporate resources, instead connecting to a virtualised desktop and thereby keeping the "untrusted" endpoint at arm's length from the corporation.

How would you advise organisations to protect their intellectual property when allowing personal devices into the workplace? What steps can businesses take to protect their clients and reputation?

Technology is advancing so that people can continue working and receive and process information at any time and in any place. However, many IT organisations struggle to understand this dramatic shift and how to safely and securely incorporate mobile technology into their environments and daily activities.

Many have fallen into the trap of believing they are safe through implementing perimeter and endpoint security controls. This is a fallacy – organisations must adopt a layered security model with controls in place from operating system and application through networks to the endpoint. Given the increasing porosity of the perimeter and the introduction of the uncontrolled endpoint through BYOD, it's increasingly difficult to implement controls on who gains access to what part of the business. There are a couple of simple security practices that organisations can take to protect their clients:

  • Employees are trained to never click on links or open attachments from unverified sources
  • IT applies software patches as soon as they're available and tested as secure
  • IT installs firewalls, intrusion detection and prevention systems, as well as anti-virus software
  • IT monitors the corporate network 24/7 for anomalies in incoming and outgoing traffic
  • The organisation should make efforts to minimise "who gets access to what"

Organisations should re-evaluate their current security precautions on a regular basis and make sure these measures are communicated company-wide.

What does Dell SecureWorks do to protect customers with BYOD strategies in place from cyber attack?

We have a portfolio of services that accommodate customers of all sizes worldwide. We protect our customers with a number of mobile security services and solutions, including: Mobile Security Strategy and Roadmap, Mobile Device Use Risk Assessment, Mobile Application Security Assessment and Incident Response and Forensic Investigation.

IT organisations feel the pressure to support personal mobile devices across their businesses. However, supporting employees' personal devices adds layers of complexity to any mobile support and security strategy. BYOD is a multi-dimensional challenge encompassing varying device types, OS platforms, differing network and mobile data security features, and a loss of control over devices. Though arguments for supporting BYOD include increased productivity and higher morale, the strategy may not yet yield a discernible ROI for IT and businesses to capture.

The Dell SecureWorks Mobile Security Strategy and Roadmap consulting service is designed to help IT organisations determine the most efficient and cost-effective path to support BYOD while protecting networks and data from unauthorised access. Consultants conduct specialised workshops and extensive interviews with major stakeholders to assess mobile support and security requirements, help evaluate current capabilities, and design mobile support and device management solutions that protect networks and valuable data.

These services can also be provided as part of larger security engagements where mobile devices or applications are in scope. Depending on the specific business requirements, we recommend a unique approach to deployment. If mobility is a key part of a customer's IT strategy, we advise customers to include their mobile assets in any broader security assessment, testing and/or compliance auditing.

Most recently, Dell SecureWorks launched a new Targeted Cyber Threat Hunting Service, which aims to find cyber attackers who might be lurking in an organisation's network intent on committing a breach. This solution is the latest addition to the company's Targeted Threat Services portfolio, a comprehensive suite of security services designed specifically to combat targeted cyber attacks.

How does your service differ from other providers in the market?

Dell SecureWorks is relentlessly driven to protect the integrity of the world's digital assets against cyber threats. We do that with intelligent defences that combine our proprietary technology, global threat visibility and deep expertise. We offer a full suite of Managed Security, Threat Intelligence and Security and Risk Consulting services.

These services combine with our long-established team of Counter Threat Unit security researchers, who are responsible for exploring and analysing the threat landscape regularly to better understand their tools, infrastructure, tactics and procedures. This is an everyday activity for Dell SecureWorks, fed by over 50 billion events per day and the research of our Counter Threat Unit, which allows us to identify attackers and tune our response appropriately for our customers worldwide.

The bottom line is that it's much more expensive to deal with the consequences of a financial breach than it is to prevent one, so businesses need to ensure they're properly protected at all times.

Which industries are primarily being targeted by cyber criminals as a result of BYOD implementations?

If not used securely, BYOD opens one more window of opportunity for hackers. No particular industry sector is targeted; however, businesses should be aware that cyber criminals can be opportunistic in nature and seek to exploit any vulnerability.

Don Smith is technology director at Dell and has 19 years of experience in the IT security industry, including working closely with the Dell SecureWorks Counter Threat Unit to advise customers on how to best protect their business assets and networks.
