Mitigating BYOD security threats
The concept of bring your own device (BYOD) continues to be a growing trend for businesses around the world, and the Middle East is certainly not lagging behind. The region is notably an early adopter of the most innovative technology trends, with BYOD being no exception.
BYOD, which essentially means that employees bring their own smartphones, laptops and tablets to the workplace, is booming as demand for connected devices grows and employees prefer to access work emails and documents on their personal devices rather than handle multiple devices. Due to the increased proliferation of smartphones and tablets as well as the increased mobility of workforces, we can see a clear paradigm shift in the way companies operate on a day-to-day basis.
According to a research report by MicroMarket Monitor, in the Middle East and Africa region, the BYOD market is expected to grow from $11.1 billion in 2013 to $38.03 billion by 2019. Clearly, given its inherent advantages for employers and employees alike, BYOD adoption is bound to grow even more in the coming years.
BYOD allows employees to operate on devices they are comfortable working on, and in some cases from the convenience of their homes. Employees also want to use the latest technologies and get access to company apps, as well as the employee intranet, while at home or travelling. Although the technologies to support this demand have increased productivity and efficiency, they also pose a risk. The main concern for companies when it comes to BYOD continues to be the risk of malicious employees or data leaked by mistake. Mobile security and privacy are undoubtedly a concern too.
As mobile platforms become more integrated and common in the workplace, there is a high possibility that a lost or stolen device will put data and credentials at risk. Many organisations view security as a technical issue; however, it is important that they realise employees also have a part to play in the security of the business. It is much easier for cyber criminals to target the employee than the business itself, so educating employees on how to mitigate security risks should form an integral part of any IT security strategy.
As more employees bring their own devices into the workplace and use cloud, virtualisation and social networking, businesses now face the challenge of enforcing corporate security policies on consumer devices that are not solely controlled by the IT department. This lack of control exposes businesses to serious security vulnerabilities in the form of data breaches and unauthorised access, so getting security controls and policies right is vital.
The methods cyber criminals use to exploit employees are still the same as a decade ago; the difference now is that the number of exposed points has increased. For example, in addition to the corporate PC, employees now have a host of personal devices and social media platforms for hackers to target. With so many different attack vectors, there are more opportunities for cyber criminals to compromise security, improving their success rate.
A central part of the BYOD strategy is extending the existing authentication schemes to mobile devices. BYOD should not create any extra costs, and it is important to lower the IT burden by using the same access platform for all endpoints. Centrally managed access for all resources, networks, cloud applications, VPNs, VDIs and web-based applications is highly recommended. While a lot of people would be happier if their device at work was managed by their operator, it is imperative for operators to address the end users’ security concerns. Operators need to work together with the companies’ IT managers to incorporate BYOD security strategies, as keylogging malware can be downloaded simply when a staff member decides to use their office PC's USB port to charge their device. As with the endpoints, operators need to provide central management access for smartphones, tablets, notebooks, laptops and desktops. Lastly, it is important to keep it scalable, as more mobile devices and endpoints will need to be supported over time.
The best practices for minimising the threat surface of mobile devices are the implementation of strong authentication measures, e-mail and data encryption for high-level executives, and ensuring digital signatures are enforced. Organisations have also become more understanding, permitting their employees to use mobile devices for work purposes. To address any related security concerns, the market technologies organisations can use are mobile device management and one-time password apps. While mobile device management technology provides the ability to create a secure area within the device that is dedicated to corporate functions and applications, a one-time password provides stronger access control by using the device as an authenticator. Adopting a holistic security strategy that offers multiple layers of protection, such as encryption, access controls, encryption key management, network security, mobile device management, one-time password technologies and strong authentication, is important. But it is also important to mitigate the risk posed by human error.
Mobility is the future of the workforce and, as long as mobile devices continue to be used in business, having the right BYOD policies in place will help mitigate the security risks. A clearly defined policy outlining the rules of engagement should be enforced and the potential issues addressed upfront. Technology will keep evolving, so enterprises, large or small, need to be prepared for what the future brings.