As more companies embrace the growing BYOD trend, many have started issuing mobile devices to their employees to give them more flexibility over how, when and where they can carry out their duties. However, in doing so they are opening up a number of additional security risks.
The first, and most obvious, risk relates to the way employees use their devices outside of the workplace. Should an employee who has access to sensitive company data connect their device to an unsecured public Wi-Fi network, it is possible for a hacker to gain access to their device, and to any sensitive data the device has access to.
Of course, most companies will have introduced security policies that outline how and where these devices can be used, but they will still lack the visibility they need to ensure that those policies are properly enforced. According to a recent survey by Enterprise Mobility Exchange, 72% of companies said that they issued over 100 mobile devices, while 32% said that they issued over 1,000 devices. On top of that, many companies use a wide range of cloud-based services, and often have little control over which applications employees install on those devices.
The Top Security Concerns Associated with Mobile Devices in the Workplace
Data Leakage (45%): The transfer of sensitive data to an unauthorized device/location.
Phishing Attacks (25%): An attempt to obtain sensitive data by masquerading as a trusted entity, usually via electronic communication.
Insecure Applications (10%): Applications that are subject to attacks such as SQL injection and cross-site scripting, or any other security vulnerabilities caused by misconfiguration, poor coding practices or the use of sub-standard authentication protocols.
Spyware (10%): A type of malware which monitors the victim’s behaviour without them knowing. It collects information about their browsing habits and attempts to obtain sensitive data such as login credentials.
Network Spoofing (5%): The creation of IP packets with a spoofed IP address, intended to mask the identity of the sender or impersonate a trusted system resource.
Ransomware (5%): A type of malware that encrypts the victim’s data and requests a ransom payment in exchange for the decryption key.
How Can Enterprises Protect Themselves Against Mobile Security Threats?
As with any data security strategy, visibility is key. As a starting point, enterprises must gain visibility into how their sensitive data is accessed, and where their sensitive data resides.
There are a variety of tools which can automatically discover, classify and encrypt a wide range of data types (known as data discovery and classification). There are tools which can identify and manage duplicate sets of data. There are Data Loss Prevention (DLP) tools which can be installed onto endpoints to prevent unencrypted sensitive data from leaving the device/network.
Auditing and monitoring solutions, like LepideAuditor, enable companies to monitor who makes changes to their sensitive data, what was changed, and where and when the change was made. These tools can automate a response or generate real-time alerts based on a single event or threshold condition. Of course, one of the simplest ways to prevent security incidents associated with the use of mobile devices in the workplace is to disallow BYOD. However, given that BYOD can save companies money by transferring certain costs onto the user, in addition to enhancing productivity, it’s likely that this trend will continue to grow.
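To make the difference between a single-event alert and a threshold alert concrete, the following added example (not code from this article or from any product it names) evaluates both rule types over a handful of constructed audit events. The event format, device names, rule names and limits are all assumptions chosen for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed audit events (hypothetical format, not a real product's log):
# (timestamp, user, device, action, path)
EVENTS = [
    ("2024-05-01T09:00:00", "alice", "managed-laptop-01", "read", "/finance/q1.xlsx"),
    ("2024-05-01T09:00:20", "bob", "byod-phone-07", "read", "/hr/payroll.csv"),
    ("2024-05-01T09:00:40", "bob", "byod-phone-07", "read", "/hr/contracts.pdf"),
    ("2024-05-01T09:01:00", "bob", "byod-phone-07", "read", "/hr/reviews.docx"),
    ("2024-05-01T09:05:00", "carol", "byod-tablet-02", "permission_change", "/finance/q1.xlsx"),
    ("2024-05-01T09:30:00", "bob", "byod-phone-07", "read", "/hr/policy.pdf"),
]

SINGLE_EVENT_ACTIONS = {"permission_change"}  # alert on every occurrence
THRESHOLD = 3                                 # reads per user ...
WINDOW = timedelta(minutes=2)                 # ... within this sliding window


def evaluate(events, threshold=THRESHOLD, window=WINDOW):
    """Return (rule, user, timestamp) alerts for events sorted by time."""
    alerts = []
    recent = defaultdict(deque)  # user -> read timestamps still inside the window
    for ts, user, device, action, path in events:
        when = datetime.fromisoformat(ts)
        if action in SINGLE_EVENT_ACTIONS:
            # Single-event rule: one matching event is enough to alert.
            alerts.append(("single_event", user, ts))
            continue
        if action != "read":
            continue
        q = recent[user]
        q.append(when)
        # Drop reads that have aged out of the sliding window.
        while when - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            # Threshold rule: a burst of reads suggests bulk access.
            alerts.append(("threshold", user, ts))
            q.clear()  # reset so one burst raises one alert, not one per event
    return alerts


if __name__ == "__main__":
    for alert in evaluate(EVENTS):
        print(alert)
```

Bob's three reads within 40 seconds trip the threshold rule, while his isolated read half an hour later does not; Carol's single permission change alerts on its own.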
Other solutions may include the use of mobile device management (MDM) software, which gives companies more control over how devices are used, and which applications can be installed. Alternatively, remote wiping software can be used to protect sensitive data in the event that a device gets lost or stolen. Finally, companies must ensure that all mobile devices are protected with a PIN.