Bringing your own portable security nightmare

BYOD is fast becoming the top concern for many organisations, and if it isn’t, it should be.

It seems like only yesterday that the notion of ‘Bring Your Own Device’ simply meant bringing along a USB drive to transfer content and data from one device to another. Today, however, BYOD is much more than this and, unsurprisingly, carries many more risks.

By 2030, 80 per cent of the workforce is expected to be working remotely and by that time, work won’t be something we can do at a single location again. But what does this mean for the security of organisational data and devices? Are Australian companies prepared for this?

BYOD exploitation

Organisations have long been encouraged to jump on the trend of mobile working, leading the term BYOD to quickly become a household acronym. With businesses falling over themselves to adopt BYOD, flexible working environments are now a presumed condition of most jobs. With the proliferation of BYOD practices, the manner in which organisational information is protected has changed; no longer secured behind company firewalls, organisational data is now routinely accessed by staff on smartphones, tablets and notebooks from a multitude of locations. BYOD is fast becoming the top concern for organisations moving into 2014, and if it’s not, it should be.

As we move into a more concentrated era of mobility and BYOD environments, Android exploitation and web-based exploitation of Windows are on the rise. The pressure of keeping up with the changing pace of technology, devices and platforms while maintaining security compliance, ensuring application compatibility and encouraging mobile work practices is nothing short of demanding.

What’s more, users are becoming increasingly tech-savvy, leading to multi-purpose use of many BYOD devices. Once connected to a PC, tablets and smartphones immediately become external storage devices and can also be used as a 3G modem to leak data without passing it through the corporate firewall.

Freedom vs Control

The crux of the concern for organisations, however, is the focus on user freedom.

The mantra of flexible work has permeated corporate policy, and many organisations have been so caught up in meeting this expectation of freedom that BYOD practices now dilute the control that corporate security teams exercise through backup, troubleshooting, management and corporate policy enforcement. This is only expected to continue.

In its top 10 strategic technology trends for 2014, Gartner suggests that BYOD practices will double the mobile workforce by 2018, setting a clear expectation among staff and businesses that mobile devices will continue to become part of the temporary office furniture.

BYOD is a much more extensive problem than most companies think, as workers are increasingly gaining remote access via personal devices without enterprise-grade security in place. As a result, everything from the devices used to the corporate applications and data being accessed must be carefully reviewed to ensure there are sufficient security precautions in place.

A healthy combination of staff training and education, as well as robust technical security measures using enterprise-grade software suited to each device type, should be standard practice across every organisation.

Organisations aren’t helpless

While this may appear to paint a daunting future for business security, there are a number of actions businesses can take to build stronger, comprehensive protection:

  • Engage and collaborate with all business divisions, from HR, legal and IT to corporate services and, most importantly, end users, to ensure they are educated from the start.
  • Focus on protecting the corporate data that will be accessed by a range of devices. This includes determining the level of access to grant and implementing security controls such as authentication, data protection, antimalware and governance.
  • Ask BYOD users to use a mobile security solution with an antitheft module and implement security controls that must be met for personal devices to access corporate data.
  • Evaluate your organisation’s chosen operating system and devices, giving consideration to the following components:
    • Device evaluation and certification process
    • Associated costs of supporting the new devices
    • Available services, such as e-mail and calendar
    • Support model
  • Build the infrastructure that will work best for your organisation to support devices. This includes considerations around software requirements, bandwidth options, management needs and investment parameters.
  • Plan your technology deployment and training within your organisation to ensure that the demand for the new program doesn’t outpace the ability to support program participants.
  • Make sure you require onboarding for all devices.
  • If budget permits, buy a mobile data management solution.
  • Don’t allow staff to upgrade operating systems until this has been approved internally.

Bogdan Botezatu is Senior E-threat analyst at antivirus software provider, Bitdefender