It is like this: as buzzwordy and amazing as the “Bring Your Own Device” (BYOD) trend is, it’s dangerous for your company’s infrastructure.
Currently around 80% of companies are already experiencing the BYOD trend, says VP/GM of Mobile at Rapid7, Giri Sreenivas. It seems that, as much as everyone is embracing the trend, fewer than half of these companies actually do anything about the security risks it introduces.
Speaking at the RSA conference in Amsterdam, Sreenivas provides examples of recent severe mobile exploits, describing how organisations can manage and mitigate the risk without forcing strict and unwanted controls on employees.
According to Sreenivas, BYOD has happened fast and most organisations are scrambling to catch up with changing behaviours. He reckons that there is an instinctive response to replicate existing IT asset management and security practices for BYOD. To organisations, a BlackBerry-like containerised approach to personal mobile devices may seem best, but these containers create UX challenges and user rejection. These attempts may not make your organisation any more secure, he says, as users will attempt to work around your controls.
Key threats to mobile devices include:
- Lost or stolen phones: Around 35% of phones are lost or stolen, and most phones are replaced every 18 months. Sreenivas found that more than 50% of employees kept confidential data upon termination, and 40% will use it at their new job. He says improper termination is most often an overlooked vulnerability.
- Jailbroken and rooted devices: He reckons that 5% of iOS devices are jailbroken and a similar percentage of Android devices are rooted, and these devices are typically intentionally compromised by their users.
- Trojans and malware: For well-controlled ecosystems such as the iOS App Store, these aren’t common, but he argues that there is “room for improvement in Google’s Play store”. Devices that allow third-party app downloads will always remain at risk.
- User behaviour: Users not only come with their own devices but also their own apps, which pose a risk, with the average user having downloaded about 50 ad hoc applications.
- Promiscuous apps: These apps can access corporate data frequently, unbeknownst to the user. They can be well-known apps, such as “recent versions of LinkedIn, Path and Evernote. Pending legislation may drive better awareness through disclosure requirements,” says Sreenivas.
- Phishing: No matter how many times you warn people, they are still dumb, it seems. “Personal email addresses and mobile numbers are new vectors and limited screen sizes inhibit browser security. Currently more than 4000 sites are dedicated to mobile phishing.”
- Man-in-the-middle attacks: Mobile data costs and WiFi-only tablets drive insecure access, and it is difficult to determine whether communications have been compromised.
Sreenivas warns that with recent threats such as DroidDream, AppSnapp and jailbreakme, organisations need to rethink how they do BYOD.
“BYOD is not for every organisation. Involve your employees — make it too hard for the end user and they will work around you, exposing your organisation to even more risks. There may not be an alternative given BlackBerry’s troubles,” he says.
In order to mitigate the threats posed by BYOD, he thinks that organisations need to “design for risk management rather than inherit approaches to control.”