Please, No More BYOD

Steve King, COO & CTO, Netswitch
Technology Management

Companies are quickly discovering, and rushing to comply with the fact that employees today want to use a wide range of different mobile devices/apps to access various enterprise assets, interact with corporate data, and collaborate with their colleagues.But almost no consideration has been given to the fact that mobile began as a consumer technology, and that all of these devices lack the security and administrative functions that IT and security teams use to manage traditional endpoints such as laptops and desktops.While I understand the allure of potentially increased productivity and coincident employee satisfaction that accrue to enabling personal mobile devices in the enterprise, those benefits come with a disproportional risk.

* In 2015, Tech Pro Research reported that 74 percent of organizations allow, or plan to allow, employees to use their personal mobile devices for work.
* Twice as many employee-owned devices will be used for work than enterprise-owned devices by 2018, according to Gartner.
* 5.2 million smartphones were lost or stolen in the U.S. in 2014 according to Consumer Reports.
* According to a 2015 report conducted by CyberEdge Group, almost 60% of the enterprise security decision makers they polled cited mobile devices at their weakest security link
* Ernst & Young reports that 56% of enterprises admit to being unlikely they will detect a sophisticated threat.
These numbers tell a frightening story to people responsible for corporate cyber-security and they portend the mobile tsunami that shows no signs of slowing down.
The tools available to an enterprise to manage mobile devices are still very rudimentary and as such position mobile as an irresistible attack vector to cyber-thieves. Data loss is a huge emerging problem and mobile devices facilitate the vacuum. Until the hardware and software get to a place where the devices can be hardened with a single swipe of the corporate cyber-security wand and only the enterprise portion of a device can be easily and safely wiped, corporations should ban employees from using their personal devices in the workplace.
Once again, we have created a problem that we are unable to address to such an extent that the Federal government feels it needs to get involved. The Federal Trade Commission has just issued orders to eight mobile device manufacturers requiring them to provide the agency with information about how they issue security updates to address vulnerabilities in smartphones, tablets, and other mobile devices.

These manufacturers are: Apple, Inc.; Blackberry Corp.; Google, Inc.; HTC America, Inc.; LG Electronics USA, Inc.; Microsoft Corp.; Motorola Mobility, LLC; and Samsung Electronics America, Inc.

Among the information these folks must provide under the FTC orders are:

* The factors that they consider in deciding whether to patch a vulnerability on a particular mobile device;
* Detailed data on the specific mobile devices they have offered for sale to consumers since August 2013;
* The vulnerabilities that have affected those devices; and
* Whether and when the company patched such vulnerabilities
Today, mobile data security is the top concern to most CISOs and the need to safeguard sensitive data in mobile environments throughout the data life-cycle, at rest, in motion, and in use has become critical to ensure end-to-end data protection. The major risk of course is that attackers will use the weak mobile security on an employee's mobile device as a backdoor into the protected network.
BYOD is a manifestation of the consumerization of IT, the security risk of which is compounded when users access cloud applications that are also unmanaged, or marginally managed and thus not secure-able by corporate IT. This double whammy of Shadow IT compounds the risk of data loss and creates several brand new attack vectors for the introduction of malware. The amazing part is that it is self-inflicted.

While you struggle with the decision of whether to continue to allow BYOD in your own enterprise, you might want to consider these suggestions:

* To prevent an infected device from accessing sensitive information, mobile devices should have a dedicated Wi-Fi network at the office that does not connect to internal company resources.
* Malware typically takes advantage of system and application vulnerabilities to exploit a device. Companies wanting to provide access to company email on an employee's device should take advantage of a mobile device management solution to make sure employees are only accessing company email from devices that have the latest OS updates and (for iOS) are not jailbroken.
* It's also important that organizations educate employees about the dangers of clicking suspicious links in emails or text messages. Even if the email is from someone you know, they could still be sending malware without their knowledge.

If it were up to me, we would delay future implementations of BYOD until we figure out how to address and manage the many threats that uniquely accrue to employee-owned mobile devices. Until that happens, IT should administer, manage, allocate and control all computing devices that have access to corporate networks. Period.