Security expert Richard Henderson says BYOD might not be as beneficial as some think, but there are still benefits to allowing it.
I wrote about 10 ways to reduce insider BYOD threats last week, which focused on some security tips to help IT professionals and users get the most out of BYOD deployments. There is a wealth of deeper information within what constitutes a forest representing the nuances of good security, since often there are no absolutes.
Speaking of absolute, I spoke about the concepts of BYOD security with Richard Henderson, Global Security Strategist at Absolute, a software security organization, in order to get a more detailed look at the trees in the overall forest.
TechRepublic: What are the biggest threats from BYOD?
Richard Henderson: "It's up to the CIO/CISO to determine how risky it is to allow non-corporate devices on the network and what measures can be put in place to control that risk. While government agencies and some large enterprises dealing with sensitive, compartmentalized, or classified information have very stringent requirements, your typical office's BYOD policies can sometimes be far too relaxed. This lenient attitude can create an unprotected entrance to the corporate network via mobile devices.
Outdated devices pose another serious threat for BYOD. A recent report found that 60% of mobile devices in an enterprise BYOD environment are running an outdated operating system and are vulnerable to known security flaws where patches have been made available. Requiring employees to run the latest software updates is always difficult to regulate, so companies end up taking on more risk. Of course, there are many devices, typically Android-based, where patches will never be made available due to the age of the device or the abandonment of updates from either the manufacturer or the carrier. It's incredibly difficult to ask employees to continually replace their hardware for a newer device that is currently supported.
Organizations' lack of visibility is also a threat, which is further complicated by BYOD. Most companies have very little visibility of the endpoints on their corporate network, and with the explosion of IoT devices everywhere, in many cases are provided with even less long-term support than smartphones, the situation is only going to get worse.For a particularly risk-averse CISO or CSO, BYOD policies just aren't worth the risk."
SEE: BYOD (Bring Your Own Device) Policy (Tech Pro Research)
TR: Are there any myths or misconceptions about BYOD security?
RH: "Privacy is a big area of confusion for BYOD. When employees use their personal devices for work, they expect to still be able to use their phone as they see fit, and without their employer watching. While some mobile security solutions out there prioritize user privacy, employees need to understand that they will need to relinquish a certain measure of control to their employer to ensure that the device and the data accessible through it is protected from theft and loss. BYOD isn't a right, no matter what employees may think."
TR: What are your recommendations to mitigate or reduce risk?
RH: "A third of cybersecurity incidents can be tied back to attacks on mobile devices, so building policies and programs that specifically address mobile devices (both company-provided and BYOD), as well as removable media, is critical to reducing risk. As a first step, IT teams must deploy a fully fleshed-out and well-planned mobile device management (MDM) or enterprise mobility management (EMM) solution. These solutions help ensure policy compliance among employees, which is very important, but insufficient on its own.
In order to protect against mobile cyber-attacks, companies should adopt a mobile threat defense solution. These solutions can detect malicious threats, alert IT teams accordingly, and provide remediation action, like remote-wipe, disconnecting from WiFi, etc. Some more recent developments around machine learning-based appear to have success detecting unknown or never-before seen threats.
Beyond that, companies must get buy-in from employees. Hosting regular training sessions that teach employees about the importance of mobile security is key. The sessions should cover why software updates are so important to company security, why public WiFi networks should be avoided, how to identify a phishing attack, and exactly what to do if they suspect something is wrong. Circling back to the initial point on snooping by the enterprise, I think it is one of the most critical pieces of building a successful strategy to communicate clearly to employees that the technology being placed on employee-owned devices is only there to protect corporate data and network assets, and will never be used for snooping or monitoring personal activity... unless an incident has occurred and further investigation is warranted."
TR: Are there any problematic apps (or types of apps) which represent more of a BYOD risk than others?
RH: "Certainly. Cloud storage apps can lead to issues if allowed to be installed willy nilly, especially with those employees who are entrusted with the most critical of corporate data (HR information, financial data, intellectual property).
On top of that, Android users often need to be cognizant of the fact that there are many "free" apps out there that ask for significant permissions... and some of those apps in the past have been shown to collect much more data than they should. It may be essential for security staff to whitelist a subset of approved applications for their most privileged or critical employees."
TR: Can you comment on the cost savings involved with BYOD compared to any costs involved with additional security requirements/staff/controls? In other words, is BYOD still cost-effective?
RH: "I'm not sure BYOD has ever been as cost effective as it was initially sold to enterprises, and as you suggest, it may be a wash at best. But we have to look beyond the simple bottom line when it comes to BYOD: many companies use BYOD policies as one of many carrots on a stick to attract and retain good talent. If a top recruit wants to use a MacBook instead of a Thinkpad, then at the end of the day the costs are minimal. Add to that the fact that BYOD allows employees to use technologies they are already intimately familiar with, leading to greater job satisfaction and potentially increased productivity, and it becomes difficult to justify an iron-clad, strict device policy."
TR: My wife and I were in NYC recently and she lost her iPhone in Manhattan. We used 'find my iPhone' and it triangulated the iPhone to a specific intersection, but we never could find the phone. I feel since 'find my iPhone' has a degree of plus or minus a few feet in terms of locational accuracy that it may have been picked up and taken inside an apartment building at that intersection. Is there anything you could recommend for a situation like that?
RH: "Really, there's not much more you could have done to hopefully retrieve the lost device, other than placing it in lost mode and hoping that someone finds it and returns it to you or the local police (or Apple Store!). Beyond that, my advice to people who ask similar questions is simple - be pragmatic and accept that we live in an era now where phones, tablets, and laptops, while certainly pricey, are reasonably inexpensive enough to replace if the worst happens. With that in mind, it's absolutely critical that you avail yourself of all the tools device manufacturers make available for your protection: remote wiping/locking, full-disk encryption of the device, complex alphanumeric passcodes instead of simple 4 digit PINs, etc. Just ask yourself a simple question: if someone snatched my phone out of my hands and took off with it, would I feel secure that the meaty, juicy data inside the device was free from prying eyes? If the answer is no, then you have to do a little more to change that no to a yes."
TR: How does the BYOD landscape look going forward - any new threats, developments, solutions on the horizon?
RH: "2016 was the worst year yet for data breaches and leaks, and with the massive explosion of data being created, collected, processed, and shared, I expect 2017 to eclipse 2016. Threats around BYOD will likely play a big role. There are literally millions of devices out there that will never see another security patch again, and those same devices are not going to be replaced anytime soon. When you add to this the mire of IoT, where even the vending machines in the corporate cafeteria are now being subverted and used in attacks, it's obvious to me that the surface area for attackers to exploit has never been larger. I've been talking about the inherent threats surrounding connected devices for quite some time, and 2016 proved that the new world of machine-to-machine attacks are here to stay. Millions of connected devices have been subverted and used to launch DDoS attacks on scales that weren't even conceived of in the past. Major sites are knocked off the internet in a blink, causing e-commerce grinds to come to a halt. Millions of dollars are lost in revenue, clean-up and additional defenses.
What's an organization to do when devices inside their networks are exploited and used in attacks elsewhere? It's likely that conservative and risk-averse corporations will declare BYOD off-limits for their teams. But that will mean security teams will need to watch very carefully for rogue or difficult employees will attempt to find ways around security controls in order to get access to Inter- and Intranet resources. It may be a good solution for security teams to work with their network team colleagues and build out dedicated, fully-segmented network blocks with their own security infrastructure to provide the most basic of access to employee-owned devices."
Free ebook: Executive's guide to mobile security
Video: Top 5 things to know about BYOD
Report: Your business is wasting money on BYOD reimbursements
Infographic: BYOD is popular, but not widely supported by IT