The momentum of bring-your-own-device (BYOD) has surged like a tidal wave across enterprises of all sizes recently. However, the trend is giving rise to complex, and unforeseen consequences – from sudden variations in app performance status to new forms of cyber risks.
Allowing employees to bring personal devices creates potential new threat vectors, particularly in industries where many employees are carrying sensitive company data. According to the network security firm Fortinet, 89 percent of workers have cloud storage on their devices, and 70 percent of them use the space to store work-related files, and 33 percent store customer data on the cloud, allowing them to gain access to it from their personal devices.
The lack of BYOD security oversight can translate into increased likelihood of BYOD devices being hacked or infected with malware. Security firms have frequently discovered malware and viruses in enterprise and common apps used on employee devices – meaning that even enterprise store policies can’t even guarantee that applications will be secure.
But malware is only one cyber risk problem pertaining to BYOD security threats. When an organization allows employees to connect their devices on its network, it creates a new type of risk. Employees holding personal company data could pose a major security breach.
For example, if an employee is terminated, he/she could connect to unsecured Wi-Fi networks; this could lead to a loss of company data or, even worse, corporate data in hands of adversaries with monetary aims. It also opens up the business data to malicious behavior that can be introduced through online surfing, even outside of business premises. While the malware infection rates of BYOD devices may remain minuscule, the threat of hackers entering a corporate network through an employee’s table/smartphone remains real.
Furthermore, the use of personal apps can result in phishing scams that take personal credentials to another server/database to cross-reference when trying to gain unauthorized access to corporate accounts. Smaller- and medium-sized organizations are at particular risk as they often lack comprehensive BYOD security. Hackers know this, and therefore, SMEs are becoming an attractive target for criminals hoping to gain access to sensitive data like customer databases.
Thwarting BYOD-based cyber risks
As mentioned above, a BYOD workplace is vulnerable to cyber risks in several different ways – downloading of malicious applications, employees being negligent with security policies, and ex-employees connecting to unsecured public Wi-Fi networks, for example.
However, organizations can mitigate and even prevent these pitfalls by taking the following measures:
Monitor staff behavior: monitoring software use on devices of staff members without their acceptance can lead to legal problems; state and federal laws prohibit companies from accessing employee personal devices without their consent. The Stored Communications Act has the description of the penalty for unauthorized access to employee devices.
Organizations can instead monitor how employees abide by BYOD policy implements; this can be done through meetings, surveys and workshops that give insight on employee behavior. Staff members can also be rated for compliance and reminded how they could cyber threats at bay.
Educate employees: employee education can go a long way in mitigating cyber risks arising from personal devices. Simply letting employees know of the threats malicious apps can cause may stop inadvertent downloading. Additionally, employees can be educated on the set of rules for how the devices should be used.
Enlightening employees on using stronger passwords can also be useful in instances of physical theft or device loss. A stronger password could potentially make it difficult for an adversary to gain access to the company data stored on the device. Lastly, employees should be taught about the dangers of using open, unsecured Wi-Fi networks.
Keep company network in check: traffic coming from BYOD devices can infiltrate a company’s bandwidth and network, so it is essential for employers to make sure the traffic increase is legitimate. Network software that filters network overuse and Mac addresses can be used to track the impact of devices on network traffic.
Such programs may also include network access protocols for tracking user credentials for network authentication as well as integrate unauthorized access restrictions to the network communicating with the user. Archiving data is perhaps the best way to detect any suspicious spike in BYOD traffic trends.
Apart from these measures, organizations can also consider cyber risk insurance coverage which gives access to risk management experts to mitigate the effect of security breaches, while also providing funds to rebuild the network if it fall victims to a BYOD cyber incident.