Personal phones, tablets, wearable tech – do you know how many of these are connected to your business networks and how many of your staff access company data on unsecured devices?
As businesses become more agile and dynamic, many have started to adopt a positive outlook on BYOD. This hybrid approach appeals to staff and aims to increase workflow efficiency. Cloud-hosted services, integrated business apps and mobile staff have created the perfect storm for new attack vectors. Instead of targeting the company infrastructure, hackers can now make a decent bet that if they can compromise an employee’s mobile device, it will contain sensitive data or accounts that they are looking to exploit.
Research found that approximately one third of organizations have knowingly sacrificed security for expediency or business performance. 75% of the respondents to the Syntonic survey have concerns about their current BYOD program, with the ability to differentiate between personal and business use being the number one concern, followed by a lack of adequate security.
Without complete control of devices that handle business data, it is almost impossible for security teams to see how that data is used, stored or exfiltrated. Given the challenges above, it’s no wonder that most companies don’t know where to start.
Before tackling BYOD, it’s important to understand the business processes that may result in an employee using their own device. Any security control put in place before understanding its impact can have detrimental knock-on effects on both staff and customers. Most users who turn to a personal device do not do so maliciously or with direct intent to circumvent policy; they are simply trying to do their job as efficiently as possible, especially when they are on the move. However, if you impede the natural flow of business with red tape and restrictive controls, users will undoubtedly attempt to find ways around them, and often do.
To assess the risks and weigh up the rewards, consider the following:
- Talk to your staff – how does the business currently integrate BYOD usage?
- Do staff access business data, such as email and shared drives, from personal devices?
- Are personal devices accessing business networks and infrastructure?
- If a BYOD device went missing or was stolen, can sensitive data potentially be accessed on it?
- What technical controls can we put in place to monitor or restrict any of the major risks?
Ultimately, there is no silver bullet to the BYOD problem. Every organisation is different, but there are some technical controls worth mentioning. Mobile service providers such as Vodafone, O2 and EE offer flexible mobile solution plans; Microsoft provides ActiveSync for Exchange accounts; and there are numerous endpoint monitoring solutions that will cover most of your bases. The power is in your hands, but must be balanced against a budget and acceptable risk.
For advice on assessing risks and threats specific to your organisation, reach out to our experts here at Net Consulting and we’ll guide you through your BYOD journey.