The Bring Your Own Device movement has ushered in an era in which millions of people access work data on the corporate server using their privately-owned phones. But security managers are paid to worry and many rightly question the wisdom of allowing employees to use their personal mobile devices for work.
Even though they’ve lost the war, however, they’ve learned to deal with the new reality foisted upon them. Putting in place corporate-wide rules, backed up by the deployment of MDM solutions to exercise a degree of control, will hopefully mitigate the risks posed by the use of privately-owned devices. Of course, the logistics will never be easy, especially when employees use more than a single device. In those instances, IT winds up needing to support multiple devices, regardless of the operating system, handling whatever software incompatibility issues crop up along the way.
But those are minor annoyances. The more serious concern is that despite all the efforts to preach best practices, employees will continue to be careless or take shortcuts that leave their devices – and their employers’ data – exposed to attackers.
And you don’t need to push BYOD bad behavior to an extreme. Even when the most mobile-savvy employees conduct themselves according to the book, they may still inadvertently expose corporate information. For example, individuals downloading apps from third-party sites are nonetheless prey to attackers who have demonstrated their ability to slip in malicious apps that hide themselves. Earlier this fall, for example, Symantec researchers found that hidden malicious apps had been downloaded more than 2.1 million times from the Google Play Store. And we’re talking about a first-tier vendor; imagine the potential risk when a user accesses a third-party site with questionable security.
In order to navigate past the shoals, organizations must balance two things: on the one hand, they can make the case that they’re justified in doing what’s necessary to protect their data; on the other, laws and regulations add boundaries that they must respect. Relatedly, the Federal Trade Commission recently announced it had settled its first case against a developer accused of creating "stalking apps" and "stalkerware." (Symantec told PC Magazine that its Norton Mobile Security app has been seeing about 2,000 devices infected with stalkerware each month.) The three mobile apps in question allowed buyers to secretly monitor the mobile devices on which the apps were installed and then track the user’s physical movements and online activities.
But according to the FTC, at least one hacker was able to exploit the poor security in the apps to access a company’s cloud storage account twice between February 2017 and 2018. The FTC did not divulge names but noted that the hacker had successfully deleted certain information from the victim organization’s servers. The upshot: the breach exposed a trove of valuable data, including login usernames, encrypted login passwords, text messages, GPS locations, contacts, and photos.
But BYOD doesn’t need to lead to adversarial relations as there are commonsense measures that both employers and employees can adopt as they learn to coexist.
On the Employee Side
- Make sure not to let your mobile apps get out of date. Developers issue patches all the time when they discover new vulnerabilities. Don’t ignore their patch prodding.
- Stick with the major trusted sites when downloading apps. Even then, it’s not a 100% guarantee when you consider that hackers exploited Apple technology earlier this year to distribute modified versions of popular apps like Spotify, Angry Birds, and Minecraft to enterprise employees. Still, if you opt to download an app from an unfamiliar site, you’re tempting the fates.
- Use mobile security apps, such as Norton or Symantec Endpoint Protection Mobile, to keep your device and data secure.
- Take note if your phone's battery drains faster than normal; it may be a sign that someone has access to your device.
- Make sure that your phone has not been jailbroken.
- Don’t tune out when IT sends around emails with best practices updates.
On the Employer Side
- Deploy a robust combination of antivirus technology, advanced firewall, and web browser protection to protect your organization’s mobile devices and users against malicious threats and unauthorized access to sensitive corporate information.
- Consider a mobile security solution that provides enterprise-level management so that administrators can centrally define and distribute security policies to mobile devices over-the-air.
- Use a mobile management solution that lets administrators secure and manage the organization’s mobile devices from a single management console.
- Do systematic updates of content along with scheduled (background) or manual scanning of all devices.