2014-04-29



Imagine this scenario. John, an employee of your business, is having a typical morning at work. It’s 9:15 a.m. and he’s checking his morning email. Oddly, he gets a notice from the HR department asking for his login information because of an error, so he hands it over.

But there is a problem. That wasn’t the HR department.

John was just the target of an intelligent email phishing scheme. After he enters his data, it’s used against your company as hackers enter your network. Once they’re in, they are free to steal sensitive information or funds, or install malware that could potentially bring your business to a screeching halt. Confidential data is compromised by the hackers, costing you somewhere between thousands and millions of dollars in damage.

However, these costs could be avoided if you understood how to properly implement a BYOD policy for your company. To help you understand BYOD, we’ve put together this beginner’s guide to help you get to know how it works and how it can benefit your business.

What is BYOD?

BYOD, an acronym for Bring Your Own Device, is a policy that allows employees to bring their own personal device (whether smartphone, tablet or laptop) to work. It provides convenience, saves time and decreases resource usage. However, a BYOD policy also increases security risks, especially if implemented incorrectly. Thus, it’s imperative for a company to have a dynamic mobile security solution to account for the risks.

One popular alternative to BYOD is known as COPE, or corporate-owned, personally enabled. Under this model users are given a phone by their employer for business use, and also for personal tasks that are within reason. However, it is this “within reason” opening that leaves many businesses worried. Users aren’t great fans of having to juggle one phone for both work and play, either.

The other alternative to BYOD is no security policy – an option that any serious business should avoid at all costs.

BYOD Policy: Common Threats

When a company implements a BYOD policy (which has become the standard across all businesses, healthcare organizations and schools), it opens itself up to a dangerous range of threats. These are common tactics hackers will use to infiltrate a network, and knowing what they are and how to prevent them can save your business a lot of time and money.

Advanced Persistent Threats - Advanced persistent threat, or APT, is a sophisticated name for attacks by criminal organizations that have the resources and the time to figure out a way into any corporation’s network. An example of an advanced threat is the scenario at the beginning of this guide: cyber criminals could send phony emails supposedly coming from the human resources department, such as emails informing employees about false job openings. If the employees open the infected PDF file attached to the message, the hackers can infiltrate the network.

Malicious and Privacy-Leaking Apps - Not every app that we have on our smartphones or tablets is secure. There are dangerous applications that can leak sensitive corporate information from those devices. For instance, an employee may install a game or a productivity app that asks for access to their address book, which may contain the names and critical information of every employee in your organization. The app then sends the entire contents of the address book to a server on the Internet, from which it can be stolen by hackers. With access to this information, hackers have everything they need for spear phishing and advanced persistent threats.

Compromised Wi-Fi Hotspots – Any time you are online at a coffee shop or airport, there are likely dozens of others using the same Wi-Fi. Unsecured hotspots at airports, hotels and coffee shops allow snooping and session hijacking. For instance, if an employee uses a non-encrypted connection to access Facebook or email, their session can easily be hijacked by a hacker on the same network. When a hotspot is compromised it is ‘taken over’ by criminals, creating a potential leak of confidential information.

Malware & Zero Day Attacks - Anti-malware scanning solutions for mobile devices are not nearly as sophisticated as those for PCs. As a result, employees could access the corporate network through an infected device and pass malware into the internal system. Zero-day malware attacks on mobile devices have become prevalent on Android devices. In the drive-by strategy, criminals redirect visitors of a website to one they control, whereupon the malware automatically installs itself on the user’s Android device, essentially rooting it. Once the malware takes over the device it may track data from applications, monitor network traffic, GPS information and even the user’s keystrokes, ultimately sending all this information to third-party servers.

Trojans – A trojan is a form of malware containing malicious code that causes data theft and possible system harm. There are a multitude of trojans that can do things such as steal your passwords, access banking information, or disrupt your device’s security system. You can prevent these by installing reliable anti-malware software.

Poisoned DNS (Domain Name System) - Typically, DNS is not viewed as a danger to enterprise security, but that way of thinking is a mistake, particularly for mobile workers. DNS servers can be poisoned, which causes traffic to be routed to fake, malicious websites. For example, a user can type “www.mybank.com” and the poisoned DNS will point them to a different server hosting a website that looks like their bank, when it is actually a transparent proxy designed to steal passwords.

SMS Phishing and Spear Phishing – Spear phishing, the practice of targeting specific users within a corporation rather than users at large, is a significant threat to businesses. SMS phishing, or smishing, is the practice of texting people phishing messages that try to get them to log in to their banking or PayPal accounts, or more insidiously, their corporate network.

Jailbroken and Rooted Devices - Jailbroken iPhones and rooted Android devices are by definition completely unsecured and should always be prevented from accessing corporate networks. Sometimes an employee may not even know that their iOS or Android device has been jailbroken. Perhaps the employee’s teenage child has decided to jailbreak their parent’s iPad to download an app for free, and the employee has no idea the next time they log into corporate services that they are using a compromised device.

BYOD Policy: The Solution

To prevent security breaches in a BYOD environment, there are three different ways a company may proceed:

1. Mobile Device Management (MDM) - This offers the lowest level of security. Mobile device management (MDM) solutions protect against data loss from lost or stolen smartphones and tablets, helping businesses comply with security and privacy regulations. Typical MDM capabilities include setting up corporate email on a device, enforcing password requirements, detecting jailbroken and rooted devices, remote locking, and wiping data from lost or stolen devices. However, MDM doesn’t enable companies to secure countless worldwide networks, mobile devices, apps, and operating systems against complex and dynamic attacks.

2. Mobile Application Management (MAM) - This offers a low level of mobile app protection. Mobile app management (MAM) solutions allow businesses to remotely provision, update, and delete apps. This helps businesses manage internal, public and purchased apps across corporate-issued or employee-owned mobile devices. Like MDM, MAM doesn’t enable companies to secure worldwide networks, mobile devices, apps, and operating systems against complex and dynamic attacks.

3. Mobile Security Management (MSM) - This offers the highest level of security. MSM provides comprehensive protection against compromised Wi-Fi networks, spear phishing, SMS phishing, malicious apps, malware, jailbreak jamming and poisoned DNS. It enables companies to secure worldwide networks, mobile devices, apps, and operating systems against complex and dynamic attacks. Unlike MDM and MAM, an MSM solution dynamically learns and adapts to new threats in real time, while still providing essential MDM and MAM services. This is the best option for advanced enterprise companies.
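The MDM capabilities listed above (password requirements, jailbroken/rooted device detection) and the common IT practices described in the templates section (device encryption, only allowing certain applications) all boil down to a posture check that an enrollment gateway runs before a personal device is granted access. The following is an added illustration of such a check, written for this guide; it is not Marble Security code. The posture field names, the policy values, the app identifiers and the two sample devices are all constructed for the example, and a real MDM product reports and enforces these attributes in its own way.

```python
"""BYOD device-posture check in the style of the MDM capabilities described above.

Added illustration, not Marble Security code. The posture fields, policy values,
app identifiers and sample devices below are all constructed for the example.
"""
from dataclasses import dataclass, field


@dataclass
class DevicePosture:
    """Attributes an MDM agent typically reports for an enrolled device (constructed names)."""
    device_id: str
    os_name: str               # "ios" or "android"
    os_version: tuple          # e.g. (7, 1, 1)
    passcode_set: bool
    passcode_min_length: int   # length enforced on the device, 0 if none
    storage_encrypted: bool
    jailbroken_or_rooted: bool
    installed_apps: list = field(default_factory=list)


# Policy values are assumptions chosen for the example, not figures from the guide.
POLICY = {
    "min_os_version": {"ios": (7, 0, 0), "android": (4, 4, 0)},
    "min_passcode_length": 6,
    "require_encryption": True,
    "block_jailbroken": True,
    # Constructed bundle ids standing in for the apps a company approves.
    "allowed_apps": {"com.example.mail", "com.example.calendar", "com.example.vpn"},
}


def evaluate_posture(device, policy=POLICY):
    """Return (compliant, reasons). Every failed rule adds a reason so the
    administrator sees the full picture rather than only the first failure."""
    reasons = []

    # Jailbroken/rooted devices: the guide treats these as unsecured by definition.
    if policy["block_jailbroken"] and device.jailbroken_or_rooted:
        reasons.append("device is jailbroken or rooted")

    # Passcode requirement enforced by MDM.
    if not device.passcode_set:
        reasons.append("no passcode set")
    elif device.passcode_min_length < policy["min_passcode_length"]:
        reasons.append(
            f"passcode minimum length {device.passcode_min_length} "
            f"< required {policy['min_passcode_length']}")

    # Encryption of data at rest on the device.
    if policy["require_encryption"] and not device.storage_encrypted:
        reasons.append("device storage is not encrypted")

    # Minimum OS version (tuple comparison orders 4.4.2 before 4.10.0 correctly,
    # which a string comparison would get wrong).
    min_version = policy["min_os_version"].get(device.os_name)
    if min_version is None:
        reasons.append(f"unsupported platform {device.os_name!r}")
    elif device.os_version < min_version:
        reasons.append(
            f"{device.os_name} {'.'.join(map(str, device.os_version))} is older than "
            f"required {'.'.join(map(str, min_version))}")

    # Application allowlist: only approved apps may be present.
    unapproved = sorted(set(device.installed_apps) - policy["allowed_apps"])
    if unapproved:
        reasons.append("unapproved apps installed: " + ", ".join(unapproved))

    return (not reasons, reasons)


def access_decision(device, policy=POLICY):
    """Map posture to the kind of allow/deny answer an MDM gateway would return."""
    compliant, reasons = evaluate_posture(device, policy)
    return "allow" if compliant else "deny: " + "; ".join(reasons)


# Constructed sample devices: one compliant, one that fails every rule.
GOOD_DEVICE = DevicePosture("dev-001", "ios", (7, 1, 0), True, 6, True, False,
                            ["com.example.mail"])
ROOTED_DEVICE = DevicePosture("dev-002", "android", (4, 1, 2), True, 4, False, True,
                              ["com.example.mail", "com.freegames.flappy"])

if __name__ == "__main__":
    for d in (GOOD_DEVICE, ROOTED_DEVICE):
        print(d.device_id, "->", access_decision(d))
```

Running the block prints one line per device; the rooted Android device is denied with all five reasons listed, which is the behaviour you want from a compliance report, since an employee who fixes only the first problem would otherwise be bounced again on the next one. The jailbreak flag itself comes from the MDM agent; the check shown here only decides what to do with it.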

BYOD Policy Templates

BYOD policy is not a one-size-fits-all program; it is built depending on a company’s needs. For example, a common IT practice is configuring devices with passwords, only allowing certain applications to be installed, and restricting email accessibility to only work email. Another common practice is to have all data on the device be encrypted. Here are four example BYOD policies:

BYOD for Schools. Technology dominates the lives of anyone under 18, but with a school’s budget typically planned to the penny, taking on the financial burden of providing every child with a laptop or tablet can be nearly impossible. This article should be a good starting point on how to implement a BYOD policy in a school.

BYOD for Healthcare. As digital data storage for healthcare facilities increases, so does the requirement to keep patient information confidential. Nurses and doctors need to look up patient information on the fly, and using their own devices allows quick access. This policy provides a good blueprint for how to implement a BYOD policy for healthcare.

BYOD for Business. Combining the phone you use for personal reasons with your job can be tricky. This BYOD policy for business is a good template for implementing personal phone use into the workplace, and keeping the two separate.

BYOD for Restaurants/Retail. In these businesses, customer service is of the utmost importance. Guests demand immediate satisfaction and attention should they be dissatisfied with your product. The complexities of this reality give BYOD a unique flavor. This BYOD policy for retail helps with problems that arise in this industry.

Pros and Cons of a BYOD Policy

As with any technology, the good has to be weighed against the bad. BYOD is an extremely popular policy being implemented by many businesses, but you should still weigh the pros and cons when deciding on whether or not to move forward implementing one.

The Growth of BYOD

BYOD is rapidly being implemented across businesses of all types. In fact, according to Virtual Bridges, 70% of working professionals will conduct work on their personal devices by the year 2018. There will always be pros and cons to consider before applying anything to your business, but the general consensus is if you don’t implement a BYOD policy soon, you will get left behind. Here are some more interesting statistics about BYOD and the effect it’s having in the workplace.

By 2015 the number of mobile devices will have grown to over 2 billion worldwide.

51% connect to unsecured wireless networks with their smartphone.

38% of companies expect to stop providing devices to workers by 2016.

67% of people use personal devices at work, regardless of the office’s official BYOD policy.

Only 11% of end users access business applications from the corporate office 100% of the time.

62% of companies surveyed plan to support BYOD by the year’s end.

78% of employees believe that having a single mobile device helps work-life balance.

35% of employees store work email passwords on their phones.

Statistics sourced from Virtual Bridges, Moka 5, and SecureEdge Networks.

Case Studies: Successful Implementations of BYOD Policy

These companies are at the forefront of BYOD, and their successful policy implementations are good examples to follow.

Intel Corp. – They started their program in 2008, but by the end of 2012 more than 23,000 employees had been enrolled. The company’s IT department constructed a cloud which provides access to company services and information. Employees reported they saved 57 minutes each on average in 2012, which equates to a productivity gain of five million hours. Read more here.

Ford Motor Company – They first began a BYOD-like program in 2007, but were more concerned about Palm Pilots and laptops. Now, their program ePOD – email on personally owned devices – allows employees to access a bevy of company information, including business calendars, contacts and task lists. Since they began this program in 2009, they have added an updated security system which protects work emails and gives employees access to management and support for their devices. Read more here.

IBM – They are in the middle of implementing a program that will eventually cover all 440,000 of its employees. They created a “secure computing guidelines” instructional for their employees to ensure that they understand the basic principles of online and mobile security. They also install their own email and calendar interfaces rather than using the phone’s preloaded apps. Read more here.

Choosing the Correct BYOD Solution

It’s vital to have a cloud service that keeps your sensitive information secure. However, your organization’s size will dictate which solution (MDM, MAM or MSM) is appropriate. It’s unquestionable that an MSM (Mobile Security Management) solution is more secure than MAM or MDM; however, it’s best suited to large enterprises. If you don’t run an enterprise-sized business, you may want to scale down to something different.

If you haven’t yet implemented a BYOD policy, it’s time to start searching. It will soon be standard operating procedure due to its incredible savings potential and the secure portability of employee devices. For a more detailed look at MDM vs. MAM vs. MSM, check out our interactive comparison.

The post The Beginners Guide to Bring Your Own Device (BYOD) appeared first on Marble Security.
