The Shifting Mobile Landscape and the BYOD Environment
Over the past decade or so, smartphones have seamlessly woven themselves into the fabric of our everyday lives. Need directions? There’s an app for that. Want to lose some weight? Your iPhone can chart your calories. Need a place to avert your gaze in order to avoid dreaded small talk? Don’t worry, your phone’s got your back.
Therefore, it should come as no surprise that today’s increasingly mobile workforce is utilizing personal mobile devices for work-related purposes more than ever before. In fact, according to a survey of 790 IT professionals by Check Point Software Technologies, 93% of employees currently have mobile devices connecting to their network, and that number is only expected to rise in the coming years.
Unfortunately, smartphones’ introduction into the workplace has not been nearly as seamless or as welcome as that into our personal lives, and for good reason. While the “Bring Your Own Device” (BYOD) environment has enhanced flexibility and communication for many employees, it has also created new channels for security threats to pilfer valuable enterprise data.
Traditionally, IT departments had full control over the technology that employees use to do their jobs (i.e., desktop computers, phones, etc.). Now, many companies are scrambling to cover the holes left by mobile devices, as 71% of them believe that the use of these devices is leading to increased security incidents, while 66% say that careless employees are an even greater security risk than cybercriminals. However, rather than block access to mobile devices altogether (let’s be honest, this would never work), companies are enacting policies that not only adapt to the shifting mobile environment, but also embrace it as an opportunity for improving employee productivity, lowering costs, and supporting flexible working conditions.
BYOD Policy for Your Business
Focus on Employee Education:
Understandably, existing security training tends to focus on the desktop user because the mobile workforce is still in relative infancy. However, a thorough policy should be tailored to employees’ specific devices, roles and locations, and should include regular check-ups and updates to make sure every base is covered. It should also contain easily accessible information on whom to contact if an employee believes he or she has identified a security risk, as well as rules on how to handle confidential information.
Be Aware of Mobile Security’s Top Threats:
1. Device Loss and Theft: A good rule of thumb to follow is to “maintain the same control over your devices as you would over your credit cards”. This means not lending out your mobile phones, tablets, etc. to untrusted people who could possibly introduce malware or unwanted services. In case your precious device happens to get lost or stolen, record or register serial numbers and enable passcode time-out protections ahead of time so that you can keep track of your phone and keep valuable data safe. Luckily, some phones have measures in place to counteract this threat. Google Android 5.0 mandates hardware support for stored data encryption, while Apple iOS 7 introduced a kill switch to render stolen iPhones and iPads worthless. In iOS 8, Activation Lock is enabled by default, strengthening out-of-the-box defenses against data breaches. Finally, as always, encrypt sensitive data and do not store any sensitive data on a mobile device that cannot be encrypted.
2. Leaky Apps: Many of the free apps in Google Play contain adware, software that endangers privacy by capturing information like device-unique IDs, location, contacts and more. In order to minimize risks, resist the urge to blindly tap “continue” during the installation process without verifying what exactly you are accepting, consider app ratings and user reviews, and avoid any copy-cat app that tries to imitate other well-known apps or vendors. Implementing virus protection, spam detection and other malware protection on all your devices, not just those physically at work, will also greatly decrease security risks. (When possible, that is; unfortunately, there is not much out there yet to protect iOS devices.) Lastly, avoid sideloading apps. Although the Google Play store and iTunes don’t guarantee their apps are free of malware, they do offer some level of protection. Bypassing them (i.e., “sideloading”) can be a recipe for problems if you don’t know what you’re doing.
3. Network Connectivity and Online Behavior: Many network security risks can be dodged with common sense, such as using caution when browsing the web (i.e., no questionable websites while on a work device), disabling pop-ups and cookies, and ideally only connecting to enterprise resources through a corporate firewall. Unsecured wireless networks make devices more vulnerable to attack and could put an entire organization’s network at risk; you don’t want to be THAT guy. Disable Wi-Fi, Bluetooth, and infrared when not in use in order to reduce your device’s attack surface. Furthermore, when pairing with Bluetooth, use alphanumeric passwords and pair only with known devices.
As the BYOD movement (with its associated threats) continues to grow, the protection of enterprise data across mobile platforms is poised to become one of business’s primary security concerns in the coming years. Employee education and security awareness are as good a place as any to start preparing for the mobile business evolution.