Jul 09 2019

How to Prevent BYOD Breaches

For companies leveraging mobile device technology, robust security measures are critical to protecting connected ecosystems.

Fifteen years ago, IT departments considered it their job to determine which PCs and laptops — and even which newly released smartphones and tablets — to issue to business users. Then came the bring-your-own-device trend.

Employees liked the convenience of using their own devices for work, and felt it increased their productivity. In most cases, companies cut costs when they no longer needed to purchase mobile devices for staff. 

IT leaders recognized those advantages, but also the management and security risks that emerge when staff use their own devices to access the corporate network, business-critical applications or sensitive data. By 2014, the U.S. BYOD market was valued at nearly $30 billion and was expected to grow more than 15 percent a year through 2022, according to Global Market Insights. The majority of respondents to a Bitglass survey (85 percent) use their own devices at work. 

Yet 30 percent of IT pros still have security concerns, citing data leakage, unauthorized data access, inability to control uploads and downloads, lost or stolen devices, and malware as the top issues. The same percentage say the leading inhibitor of BYOD is company security concerns.

Cybersecurity Compliance Risk and BYOD 

BYOD introduces significant issues in meeting increasingly stringent regulations. The European Union’s General Data Protection Regulation, for example, requires the data controller to remain in possession of customers’ personal data, but that’s tricky when the data may be accessed from or stored on a device the company doesn’t own.

Compliance and privacy are top issues, says Wade Baker, associate professor of integrated security at Virginia Tech’s Pamplin College of Business and founder of Cyentia Institute, a cybersecurity research organization. “If an organization goes BYOD, they have to have some level of visibility on the device, as that causes some primary concerns,” he says.

Spencer Wilcox, executive director of technology and security at utilities company PNM Resources, recommends establishing a BYOD policy that answers the following questions:

  1. Who owns all the data types on the device (email, calendar, contacts, text, phone and location history, app data and photos)?
  2. What are the legal and policy decisions on the data types a company claims ownership of?
  3. What are the technical controls that a company adopts to control the data it owns? 

Mobile Apps May Contain Malware

BYOD policy also should define appropriate employee behavior. For example, employees might be asked to not install or use apps that are not on the company’s list of approved downloads. “Users might be installing an app that they think is a fun game, but it’s a malicious app containing malware,” says Baker. 

That’s what happened a couple of years ago with the DressCode Android malware, which was embedded in more than 40 apps, many of them in the entertainment category. The malware’s botnets could be used to infiltrate internal networks.

Symantec, in its 2018 Internet Security Threat Report, found a surge in mobile malware, noting that last year, an average of 24,000 malicious mobile applications were blocked each day. 

MAM vs. MDM for Robust BYOD Security

By implementing or extending enterprise mobility management solutions, such as mobile device management and mobile application management, to BYOD devices, IT can bolster company policies. MDM gives IT control over devices, while MAM gives IT control only over specific corporate applications and their data. 

“The most extreme is full control of a device: ‘You can use it, but we can monitor everything on it,’” Baker says. “From a risk perspective, that’s best for companies,” though that doesn’t mean it’s the right approach in every case.

Both MDM and MAM may be used together to enable security for corporate- and employee-owned devices, offering a package of safeguards that prevent employees from unknowingly compromising their devices. This includes limiting the apps that can be downloaded and the kinds of data apps can store; blocking company data from personal clouds; automatically updating devices; and requiring the use of VPNs instead of open Wi-Fi when users are offsite.

Research by Wandera, a mobile security provider, notes that users may favor convenience over security, with 24 percent of devices in its monitoring network using open hotspots. 

“When a leaking site or app is being used on an open Wi-Fi network, the unencrypted information can be harvested by a malicious actor or ‘man-in-the-middle,’” Wandera reports. “Depending on what is being leaked, it could involve credit card or identity theft, or even the reuse of login credentials to access a corporate network.”

Some experts say that MAM may be the more appropriate solution for BYOD, providing a less invasive and more targeted way to enforce security requirements. For instance, with MAM, IT can remotely wipe only the corporate apps and data on a BYOD device, leaving personal apps and information intact. MAM can be deployed for enterprise email and to give secure access to other apps, such as collaboration tools and cloud storage.

Zero Trust Is Crucial for BYOD Security

Wilcox, however, considers machine trust to be the biggest issue with BYOD.

“If you trust the machine itself, then you allow an uncontrolled device into contact with your network,” he says. “A number of MDM solutions purport to solve this problem by allowing some control of the device, but in most cases, the MDM solution is unable to do more than protect the data on the device and allow the network manager to see where the device is going.” 

A more effective method, Wilcox indicates, is to isolate the device from the data, effectively establishing a zero-trust model, where the device is not trusted and all of the data remains on the company systems or in the company cloud.

The good news, as Baker frames it, is that mobile devices still aren’t the primary vector for big attacks.

“If you want to cause real damage to a company, you aren’t likely to attack mobile devices to do it,” he says. “To steal information like IP data, you are probably going to attack the server that processes that or the file server that has all the documentation.” Today, however, mobile devices remain a target for hackers interested in compromising larger technologies. For businesses, constant vigilance remains key.
