Skip to main content

BYOD opens back doors to hackers

When chief executives first heard about bring your own devices (BYOD) to work policies a decade ago they thought, if they thought about it all, that it would be a useful way to save money. But many companies which have endorsed a BYOD policy are now waking up to a security nightmare.

The term BYOD started being used at the mobile technology conference UbiCamp in 2005. In that era, the world was a very different place: cyber security was simply a matter of ensuring that PCs running Microsoft's ubiquitous operating system Windows carried the latest anti-virus patches.

Mobile phones were still used primarily for making voice calls, although some tech-savvy users also listed to music on them. The premature launch of third generation (3G) mobile networks had been a disaster and reliable high-speed mobile internet connections were still years in the future.

Because Microsoft’s software was dominant, hackers rarely troubled to attack machines running alternative operating systems such as Apple or Unix.

Cyber hackers exploit flaws with ruthless efficiency

Today’s staff, however, use their sleek smartphones for online shopping, social networking and even for locating new sexual partners. And while the computing power of mobile devices has grown exponentially, their price has dropped sharply.

High-speed ultra-portable wireless tablets running Google’s Android operating system can be bought for les than £60 in the UK. Cyber hackers are now ruthlessly and efficiently exploiting any and all flaws in all leading operating systems including Apple and Google's Android with ruthless efficiency, writing over 167,000 new variations of malware every day of the year.

Most members of staff now carry their own smartphones or tablets with them everywhere they go and see no reason why they should not use them to flick between Facebook and confidential company messages and files. According to research organisation Kaspersky Lab, 36 per cent of staff in large and medium-sized companies store work files on personally-owned devices. A staggering 18 per cent keep confidential data such as passwords to corporate email accounts on privately-owned devices.

The proliferation of personal mobile computing over the past decade has made a huge proportion of the population dependant on having internet access wherever they are. Research carried out earlier this year by the University of Derby found that 13 per cent of smartphone users could be termed to have a psychological addiction to their devices. A previous study in the US, which involved depriving a test group twenty-somethings of their online devices for two weeks, reported that, in addition to extreme psychological stress, many exhibited physical withdrawal symptoms such uncontrollable sweats and shaking plus others more generally associated with serious drug abuse.

Disturbingly, the University of Derby’s researchers also found that 35 per cent of people use their mobile devices in areas or situations where they are banned.

Grim reading for any CEO thinking of turning back the clock

These studies results make grim reading for any CEO or CIO who is thinking of turning back the clock and reversing the BYOD trend which has come to dominate most workplaces. But while staff mix business with pleasure on their devices, they are unwittingly opening any number of back doors into the entire corporate IT system.

The proliferation of dating and hook-up services mean that, should their smartphones be hacked, some staff may be vulnerable to being blackmailed into revealing corporate passwords and log-in details, enabling organised criminal gangs (OCGs).

Boards which try and ban personal devices from the workplace are now likely to meet with huge resistance from their staff. But there is growing global evidence to suggest that all organisations must urgently modify their BYOD policies if they are to avoid being at the mercy of organised criminal gangs (OGC) stealing and then ransoming selling confidential data and State Actors bent on industrial and political espionage.

Earlier this month (August 2015), the US Federal Bureau of Investigation (FBI) began investigating presidential candidate Hillary Clinton following concerns earlier this year that a server she had installed in her home that stored hundreds of official emails containing classified or sensitive information could have been compromised. The controversy began in late 2014 when State Department lawyers discovered they did not have access to some of her records as they prepared responses to congressional requests related to the 2012 attacks on a US compound in Benghazi, Libya.

Revealing herself as a true advocate of BYOD, Clinton is reported to have said she handled her email this way for the convenience of having one phone. When even supposedly tech-savvy US political leaders see nothing wrong in using a single device for personal and professional communications, it is apparent how far organisations have to go in addressing the BYOD issue.

For most companies, turning back the clock is probably not an option. The most practical solution is to ensure that if confidential data is illicitly copied, stolen or transmitted to a third party, the company is made immediately aware. This is easily achievable using best practice data loss prevention (DLP) software enabling organisations to monitor all data and user access in a company's IT system.

KCS Sentinel, for example, powered by ZoneFox, provides information such as who accessed data and when and whether it was copied, changed, deleted, transferred to a UBS stick private email via a web browser.

Stuart Poole-Robb is the chief executive of the security, business intelligence and cyber security adviser, the KCS Group Europe.