Beach To Breach: Reducing BYOD Security Risks During The Summer Holidays

BYOD Summer Holiday

It’s the time of year when people start booking their summer holidays, and for employers it is vital that they ensure their BYOD policies are rigorous enough to protect their business against any potential data breach while their staff are away enjoying a fortnight in the sun.

The balance between work and social life has become more blurred with employees able to access websites, social media and emails from their smartphones or tablets in or out of the office anytime and anywhere in the world. As a result, concerns around BYOD have increased. While companies recognise the benefits of mobile technology in terms of productivity and competitiveness, they are not always focused on the risk this poses in terms of potential cyber-attack.

There is no doubt that adoption of mobile devices in the workplace presents a challenge that is as much a question of policy and control as it is about the technology itself. According to analyst firm TechMarketView, over 10 million UK employees are predicted to be using personal devices in the workplace by 2016.

Manufacturers are pushing tablets as the must-have device for everyone in the family, whether it’s a high-end iPad from Apple or the new cost-effective Hudl from Tesco. What does that mean for the enterprise? It means an influx of new devices coming onto the network because, you can bet your life they won’t be staying just for the home.

For the IT security team this has the potential to be a real headache as they count the ways in which the BYOD trend complicates their work lives. And, as the transition from desk-bound computers to laptops, tablets and smartphones continues gathering pace, it’s no surprise that hackers are choosing mobile devices as their next target. It makes economic sense and they are simply ‘following the mobile money’.

The issue with employee-owned mobile devices is that they can access corporate resources outside of the control of the corporate IT function. This means it can be difficult to identify even basic environmental data for these devices, such as the number and type of devices being used, and the operating systems and applications they are running.

The proliferation of mobile devices and their growing use in the workplace has fuelled a rapid growth in mobile malware, significantly increasing the risk to individuals and their employers. Research indicates that 79% of malicious attacks on mobiles in 2012 occurred on devices running Google’s Android operating system, according to US authorities. Given the lack of even basic visibility, many IT security teams certainly don’t have the capability to identify potential threats from these devices.

However, despite the pitfalls, the benefits of BYOD are often too strong to ignore. So, in order to regain control in this mobile world, IT security professionals must be able to see everything in their environment, so they can establish risk level and then secure it appropriately. For most enterprises, the right solution is to implement BYOD policies that clearly define the proper use of employee-owned devices in the enterprise and then have enough checks and controls in place to enforce those policies.

At the end of the day, security of mobile devices is ultimately a question of three phases:

  • Before – establishing control over how mobile devices are used and what data they can access and store.
  • During – visibility and intelligence is vital if security professionals can hope to identify the threats and risky devices and monitor their activities on the corporate network.
  • After – the inevitable happens and the network is compromised by a threat, be able to retrospectively review how that threat entered the network, which systems it interacted with and what files and applications were run to ensure it can be cleaned up quickly.

Whilst employees need to remember the risks of spending too long exposed to the sun, when they are on holiday, organisations need to ensure the risks posed by their mobile devices don’t expose corporate assets to misuse or theft, otherwise they won’t be the only ones getting burned.

Sean Newman

Sean Newman is Security Evangelist and Field Product Manager in EMEA for security vendor Sourcefire, now part of Cisco. He has been in the security and networking industry for over 17 years, previously holding a position as Senior Product Manager for software developer Sophos for three years. Prior to that he spent more than 10 years as an Engineering Manager and then Senior Product Manager for network infrastructure manufacturer 3Com.