As BYOD crosses over from hyped trend to standard practice, the business of connecting a variety of popular personal mobile devices to the corporate network continues to give IT bosses sleepless nights, and rightly so. The simple fact is that any employee using a personal wireless device to access corporate data has the potential to compromise corporate security.
By definition, BYOD favours popular consumer-led devices, most of which are not built with enterprise-class network security in mind. The provision of a wireless gateway into the corporate network invites connections from ‘outside’, beyond the control and protection of the fixed network perimeter.
This point of entry is therefore exposed to all manner of network villains, from viruses and Trojans in popular circulation to the targeted attentions of cybercriminals. Couple this thought with the fact that most consumers opt for mobile device settings that overwhelmingly favour convenience over security, and the possible extent of the dangers starts to become clear. If you build a new door, uninvited visitors will come knocking.
Back when businesses favoured security-centric, enterprise class devices like the Blackberry, their data was for the most part protected. In sharp contrast, today’s device du jour is made for, and marketed at, the consumer. The default out-of-the-box intruder prevention settings on these devices do not meet today’s enterprise requirements, regardless of whether the intruder is trying to hack-in remotely or has the targeted device in their possession.
What’s more, this problem (let alone how to address it) isn’t communicated to the consumer at any point in the lifecycle of their device. Handset makers, OS providers, mobile operators and retailers all have the chance to raise awareness of their devices’ shortcomings but, instead focus on what these new devices can provide for the ‘good guys’ without highlighting the opportunities they also deliver to the ‘bad guys’.
Thanks to the ubiquitous reuse of passwords across business and personal accounts, BYOD is fast becoming a hacker’s dream. Passwords have long proved they are inadequate to secure the large amount of data that is now held in the cloud and the recent exposure of the Heartbleed bug highlighted the problem even further.
As the number of users employing password ‘protected’ cloud back up facility also increases, the prospects for personal device security, and by extension corporate network fallibility, are set to get worse before they get better.
Dimension Data recently reported that 82% of global organisations have embraced BYOD, but less than half have established an accompanying security policy. As personal and business mobility converges, device security settings should be subjected to much closer and more frequent scrutiny than they are at present.
Although we are starting to see a change in attitudes from manufacturers (Apple, for example, boosted its business functionality with iOS 7) it remains fundamental that IT bosses should insist on the adherence to a strict BYOD policy in order to protect their corporate network security.
This should include a comprehensive review of internal user access policies, a clear charter clarifying what data can and cannot be accessed from a mobile device, guidance on how to change and manage device security settings and, importantly, the introduction of strong authentication.
An employee’s personal device can be used as a virtual token by a dedicated multifactor authentication platform, enabling the network to securely verify the credentials of every mobile device that tries to connect. Personal device-ready authentication solutions will not only lock down corporate gateways, they will also save businesses money by removing overheads relating to equivalent token-based solutions.
But perhaps most importantly, employers can tackle a prevailing ‘culture of complacency’ brought about by the widespread misuse of username and password-based authentication. Requiring users to engage with stronger authentication models via their own devices will drive both acceptance and familiarity, proving to users that simplicity and convenience need not be compromised as a result.