No Organization Is Ready for BYOD

The Risks Are Not Worth the Reward

Android is cool, iPhone is cutting-edge and carrying a tablet is convenient. What’s not so cool, cutting-edge or convenient, however, are data breaches, which as everyone already knows lead to millions of dollars in damages year after year. The odd thing about data breaches, though, is that despite the fact that enterprises, SMBs and government agencies are more aware of them, they continue to allow the use of BYOD technologies, which increase the likelihood of a breach occurring. Although no one has come up with a “Moore’s Law” type of equation that demonstrates how data breach risk increases in direct correlation to BYOD, the evidence is clear that it does increase.

How do we know BYOD adoption increases the risk of a breach? Great question. There is an unending chain of headlines, reports and opinions indicating that it does, many based on factual research and on incidents that have occurred. A few of the more recent studies on the topic revealed that nearly half of the organizations allowing employees to connect to their corporate networks via BYOD have experienced a related breach — staggering when you consider the number of breaches that occurred before BYOD hit the market.

Despite the overwhelming risk that BYOD brings, prevailing winds suggest that organizations are convinced they must allow employees to use their own devices to conduct business communications and access data. Whether or not this trend represents a triumph of BYOD providers’ marketing genius or signals that businesses have lost control of the ability to establish basic security rules remains to be determined, although it is probably a combination of both.

Regardless of where an organization stands on the BYOD issue, there are a few basic facts it needs to consider before adoption:

• BYOD has created increased risk exposure that no organization is prepared to handle

• Visibility and monitoring are security essentials that BYOD and MDM can’t provide

• Security-aware organizations do not have to allow BYOD

• You don’t have to trade the promise of sales and productivity for decreased security

Let’s explore these notions further.

BYOD has created increased risk exposure that no organization is prepared to handle

There simply is no way to deal with the risk that BYOD brings. Between Android and iOS alone, there are millions of apps readily available for download, countless numbers of which open up doors in BYOD technologies that hackers and cybercriminals can easily stroll through. Even iOS, long believed to be highly secure, is proving to be vulnerable. As recently as December 2012, researcher Carlos Reventlov identified a vulnerability in Instagram’s iPhone application that could allow an attacker to execute a man-in-the-middle attack on iOS.

Visibility and monitoring are security essentials that BYOD and MDM can’t provide

When it comes to data security, visibility and monitoring are essentials. When it comes to BYOD, even the most advanced MDM solutions cannot provide a comprehensive, granular picture of how employees are accessing and sharing corporate data. Organizations that don’t have visibility into employee activities have no way to determine how, when and where their information is being exposed.

Security-aware organizations do not have to allow BYOD

Any organization that is serious about security does not have to allow BYOD. Most enterprise-class organizations have sophisticated physical security systems that include state-of-the-art surveillance cameras, pin-pad door locks, and ID and access cards. None would allow employees to remove surveillance cameras and replace them with their own, install their own pin-pad locks or issue their own ID cards. In these cases, Bring Your Own Security simply would not work and would never be allowed. The same could be said of BYOD; in the name of security, organizations do not have to allow it.

You don’t have to trade the promise of sales and productivity for decreased security

There is an age-old adage in business: “Nothing happens until somebody sells something.” When it comes to BYOD, organizations need to take a hard look at whether or not the security trade-offs are actually worth the assumed productivity and sales rewards. Organizations that dive deep into this issue will probably discover that sales reps using corporate-issued devices are likely closing as many deals as those who are using BYOD, that they are able to respond to emails as fast on a BlackBerry as they can on an iPhone, and that they can access business applications with efficiency.

At this point in the evolution of consumerized mobile devices and smartphones, security is simply too far behind the curve and cannot provide any real defense against data breaches, data theft and compliance violations. Corporate-issued and controlled devices are able to provide not only security but also the functionality needed to enable secure business communications and access to data and applications. There is simply no reason for an organization committed to security, productivity and sales to take on the risks inherent in BYOD.
