With BYOD uptake on the rise in 2016, unsecured mobile devices pose a risk to UK firms. The number of personal laptops, smartphones, tablets, and wearable devices is consistently increasing in the UK, with 64 per cent of the UK population owning three or more smart devices. With 75 per cent of Europe’s workforce expected to be mobile by 2018, it is no surprise that personal computing devices are increasingly being used to conduct business activities.
At the same time, 40 per cent of UK businesses are said to have no security policies in place to protect sensitive data from unauthorised mobile devices at work. While allowing employees to utilise their own devices may seem a win-win situation, helping to bring down company expenditure, the lack of security makes mobile devices a prime target for cyberattack.
Bring Your Own Device (BYOD) or Wear Your Own Device (WYOD) policies indeed offer benefits to both companies and employees, but many firms simply do not yet have the regulatory and technical processes in place to ensure the security of sensitive data.
Maintaining data control in a complex environment
One of the largest risks behind utilising consumer devices in the workplace is storing sensitive data on potentially unsecured technology. A significant portion of the data stored on unsecured employee-owned devices is out of reach of company systems and firewalls, carrying with it inherent security risks. Employers lose control every time an employee stores or transmits work-related information using a personal laptop, tablet or smartphone – a challenge that is only set to grow with smartphone saturation in the UK expected to reach 100 per cent by 2018.
In addition to risking device loss and theft, employees can unknowingly expose their company to malicious software, putting corporate data at risk. Jailbreaking or rooting a device removes limitations imposed by the device maker, often eliminating restrictions designed to improve security of the devices. Rooting gives device owners administrator-level permissions, enabling them to install and run apps that could be malicious in nature.
Adopting a ‘one size fits all’ policy governing the security of personal and enterprise data in one device is not realistic, especially when the privacy requirements and the elements of risk are so diverse. Complex legal implications must be carefully considered when trying to implement a successful and secure BYOD or WYOD solution inside a corporate environment.
In a recent court case, a company remotely wiped the phone of a sales rep when they resigned, deleting their personal and work-related files from the company-owned device. The employee then sued the company, yet the court rejected their claims, stating that the information on a mobile device is not ‘electronic storage’ under the Electronic Communications Privacy Act. Company policies must clearly address ownership, custody and access rights for the information involved. Unless they do so, the liability issue will persist. On a company-owned device, limitations can be placed on devices in use and minimum system requirements and configurations can be implemented.
Furthermore, how devices connect to networks and their access privileges can be set by the business, with admins then able to access the device for any potential investigation. When it comes to employee-owned personal devices, organisations will partially or fully lose the ability to undertake these actions, and will often depend on employees to secure their devices. Without control over the devices used, there is an inherent risk of a data breach.
The key to securing smart devices at work
The first issue to be addressed must be the human element. If users are skirting standard business practices to complete their work, the knee-jerk reaction is to tighten security and issue a remedial fix, but responsive security must go further than that. Businesses must identify why users are not following standard security practices and address the issue directly.
Only once the reasoning behind unauthorised usage of smart devices has been identified and solved can assessing vulnerabilities become a viable solution. Tools such as mobile device management (MDM) software, for example, enable corporate control over a fleet of devices, allowing IT administrators to troubleshoot and manage employee mobile devices remotely. Without addressing the human element in the first instance, however, solutions such as this become less effective.
User-owned devices, while saving on company costs, represent a significant vulnerability to UK businesses. Without a business’s security protocols, unsecured smart devices may be utilised as an attack vector, resulting in a breach. By partitioning BYOD devices and securing sensitive business data separately from that of the user, however, the potential for damage can be mitigated. IT professionals must now focus on flexibility: mobile devices are fast becoming a staple in modern business, and security must adjust. Furthermore, to ensure data remains safe, security policies must become a collaborative action between IT departments and users.
Alexandru Catalin Cosoi, Chief Security Strategist at Bitdefender