Security is usually the biggest concern when companies start toying with the idea of implementing BYOD. As IT admins very well know, end users who are given too much liberty with their mobile devices can easily expose those devices to numerous threats. What really worries IT is that a single compromised device can provide an opening to the entire corporate network.
But what exactly are these threats? In this post, we take a look at 4 major threats to mobile devices that may impact an organization.
1. Mobile Malware
Among the four threats, mobile malware is the one capable of affecting the largest number of devices in an organization. Usually, the mobile devices infected with malware are those running Android. That’s because the Android app ecosystem, from development all the way to the marketplace, is not as strict as Apple’s. For this reason, it’s been relatively easy for malicious individuals to exploit vulnerabilities.
The biggest malware-based threats are mobile botnets. These are infected mobile devices that have been linked together by a shared piece of malware. Devices belonging to a botnet, which can number as many as a million (as in the case of the Android.Troj.mdk botnet), can be remotely controlled by the malware’s creators.
To minimize the risk of malware infections, companies seeking to embark on enterprise mobility projects should consider antivirus protection and discourage uncontrolled installations and file sharing.
2. Jailbroken or Rooted Mobile Phones
If there’s one thing that can substantially increase a device’s vulnerability to malware, it’s rooting. Rooting is the act of altering a device to remove certain restrictions imposed by its operating system. The term “rooting” is associated with Android devices, while “jailbreaking” is for iOS devices.
Some people are tempted to root or jailbreak their phones because it enhances their phones’ capabilities. For example, people jailbreak their iPhones in order to install additional apps (mostly for free) without going through the App Store.
The problem with jailbreaking or rooting is that, while it can take away several restrictions, it can also remove a number of built-in security mechanisms. People who alter their phones are mostly aware of this. However, the allure of installing free apps can be irresistible. Thus, it would be very difficult to effectively enforce BYOD policies that prohibit employees from rooting or jailbreaking their phones.
3. Data Leakage
You never worry about data leakage if your phone is only used for personal communications. But once you bring it into the workplace and start storing, sending, and receiving enterprise data with it, as is the case in BYOD, that’s when data leakage can happen.
Data leakage can be caused by a number of factors. Missent emails, file transfers over public networks, and usage of insecure cloud storage sites are some of them. Data leakage can be a big issue if your company belongs to a regulated industry. Laws like HIPAA, SOX, GLBA, and PCI-DSS can impose heavy penalties and fines the moment certain types of data are leaked out.
It’s important to have a DLP (data loss prevention) system in place to avoid either inadvertent or intentional data leaks. Also, if you really want to back up files to the cloud, you need to make sure you’re using highly secure cloud backup software.
4. Lost or Stolen Devices
If even a highly secretive company like Apple can’t prevent its employees from leaving iPhone prototypes in cafes, what chance do other companies have? The size and portability of mobile devices simply make them very susceptible to getting lost or stolen.
Again, it might not be a company problem if an employee’s missing device only contained personal photos or messages. But if the device was enrolled in a BYOD program, chances are that it also contained confidential enterprise data.
The best security countermeasure for lost or stolen devices is a remote wipe. This allows admins to delete all contents of a missing device remotely, thereby preventing unauthorized access to the files on that device.
To avoid lawsuits from employees whose personal files may also be deleted in a remote wipe, it would be best to implement a backup program using solutions similar to backup software for PCs. That way, those employees would still have a way of retrieving the personal files in question.