Author: Piotr T Zbiegiel
It should come as no surprise that employees are using personal devices to complete company business. In a recent survey 60 percent of employees are allowed to connect their devices to their corporate network. These devices allow employees to work efficiently but open up many new risks for an enterprise. As an information security professional it is your job to understand the risks and assess their potential impact to your employer.
The call is coming from inside the network.
In the past enterprises provided computers and other devices to their employees. In general, only company-owned devices were allowed on the network. Now with the popularity of smartphones and tablets employees expect to use them to get their work done. Some enterprises may find that while their borders are protected by firewalls they still have “gooey centers”. Their internal networks may not be ready to allow personally owned devices to access resources within the enterprise.
Corporate data on personal devices.
In addition to allowing personal devices to access their networks, enterprises must also come to terms with company data on employee-owned devices. Depending on the type of data there may be concerns over Intellectual Property, PII, HIPAA, or other privacy and regulatory issues. Along with concerns that employees could steal sensitive corporate secrets there is also the risk of lost or stolen devices being the cause of a customer data leak.
Malware on devices gets carried past network access controls.
With the rising popularity of smart phones and tablets attackers are specifically targeting those platforms. Malware can infect mobile devices and make its way past network access controls. Recent examples of this sort of attack include WireLurker which infects iOS devices as well as Mac and Windows desktops. Once infected the device “phones home” to the attackers which allows them to send remote commands to the device. NotCompatible is an advanced Android malware that, similarly, takes over devices and adds them to a botnet maintained by the attackers. Once a member of the botnet the device can be used for a myriad of malicious uses including spamming and DDOS attacks.
What’s an enterprise to do?
While there may be risks involved with BYOD many companies also see the benefits of allowing employees the flexibility of completing their work using tools they are familiar and comfortable using. In most businesses it may not be possible to eliminate the use of personally owned devices altogether but that does not mean companies have no recourse. Enterprises can respond to BYOD in various ways:
- By clearly defining policies surrounding employee use of personal devices. These policies potentially include approved devices and applications, types of data that are allowed on devices, types of work that can be performed, device configuration requirements, etc.
- By enhancing internal access controls and limiting authorization for users on personal devices. Access to company data, especially sensitive data, could be prevented if the user is on a personally owned device.
- By deploying a MDM (Mobile Device Management) solution and requiring employees enroll personal devices before access to company data is granted. MDM solutions can allow an enterprise much more granular control over how the device is configured and how corporate data is stored on it. This could include requiring passcodes or passwords, encrypting devices, compartmentalizing data and applications, and gaining the ability to remote wipe the contents of a device.
Business demand for specialized knowledge in a growing digital world will continue to expand as new technology security concerns arise. Lewis University’s online M.S. in Computer Science with a concentration in Cyber Security teaches students how to identify cyber threats, design combative software systems against an attack and investigate the aftermath using digital forensics tools. To learn more about the master’s degree call (866) 967-7046 to speak with a Graduate Admissions Counselor or request for more information.