What are the implications of BYOD culture on enterprise security?
Bring your own device (BYOD) is the workplace trend du jour. Recently, enterprises have been encouraging their employees to use their personal devices (smartphones, laptops, and tablets) at work.
Employees themselves often find working on their own devices more comfortable. In turn, they can work more efficiently. As well as this, by using their own laptops and phones, workers can enjoy better flexibility in where and when they work.
Of course, an obvious added benefit is that it saves organisations a hell of a lot of money. Kitting out personnel with official workplace gadgets is not cheap. What's more, with millennials increasingly making up the workforce, most of them are bringing their phones and using them during work hours anyway. Thus, it makes sense to have them bring in their own devices, which they naturally warm to, rather than incurring the extra expense.
There are quite a few alarm bells that ring when you talk about BYOD. For example, how do you know that if someone is using their mobile phone, they're not actually messaging a group chat about Friday night cocktails? Thus, BYOD does require a level of trust, but many organisations have enough faith in their staff that they are happy to make this transition.
However, as employees rejoice, cybersecurity teams stare on in horror. This is because BYOD is a festering hotbed for attacks.
Wherever there is a new trend or innovation, cyberattackers follow closely behind. BYOD is no exception, with predators closing in on the expanding attack surface. The threat is further accelerated by the fact that these devices are always on and connected. Unfortunately for cybersecurity teams, they are left to spin the new threat plates introduced by BYOD.
One concern is data leakage. If the physical device is lost or stolen, you risk data exposure and consequent leakage. However, organisations are commonly moving their data to the cloud, which does alleviate much of the problem. Furthermore, companies can explore mobile data management options. These enable them to wipe a lost or stolen device remotely.
There is also the risk of malicious apps. A number of these are even available on the app store, which implies some kind of legitimacy. Therefore, unfortunately, lots of people are unknowingly carrying devices with apps of a malicious nature on them. In a worst-case scenario, apps can take over the user's phone entirely. This gives the attacker access to all their confidential information and, of course, the business's too.
The major issue with BYOD is that organisations lack any control. Had these been their own devices, they could install all the security software to their heart's content. However, there's not a lot they can do to modify the security of their employees' devices.
BYOD offers a host of potential for businesses and their employees, but the security cost is huge. Hopefully in time, the concept will mature and the issues will be ironed out, but for now, it's not all it's cracked up to be.