Bring Your Own Device (BYOD) has been a hot topic over the last two years as organizations begin to permit employees to bring personally owned mobile devices (such as laptops, tablets, and smart phones) to their workplace, and let them use those devices to access the corporate network and sensitive information on it.
Businesses usually get some advantage with this program, as the cost for acquiring device is already born by the user/employee which may save companies a lot of money. Other benefits are increased productivity efficiency and the ability to work remotely.
Risks and vulnerabilities also increase when end user devices come in picture on an already hardened and secure network. Company has control over the issued corporate owned devices and has necessary security mechanisms in place. Implementing security technologies and defining an acceptable use policy for user owned device is not an easy task. It is pretty hard for an “IT guy” to tell the end user what to do and what not to do on their swanky phones, tablets and laptops.
Some of the common risks associated with BYOD program:
- Jail breaking/Rooting - Many users’ jail break /root there phone to have admin privileges and rights on the phone. These custom jail break apps are just install and run, and it’s fairly easy for novice user to root the device. This process however beats the in-built security mechanisms implemented in devices and also opens the attack surface.
- Mobile Accessibility - Mobile devices can move far beyond the boundaries of the corporate network. Open Wireless networks available in coffee shops, airports etc. gives attacker the opportunity to directly communicate with the corporate owned entity, perform Man in the middle attack, and sniff the network traffic for sensitive data.
- Personal/Corporate Separation - A personal device is used for far different purposes, and far more often then a corporate device. This places the security decision in the user more than ever. A malicious application may have far greater consequences when installed on a corporate device. For instance, granting excessive permissions to a mobile application may seem harmless to a user but may result in data leakage.
- Lost or stolen devices - Lost or stolen devices tend to possess serious security risk, as a lot of sensitive information is on the device. Devices should have solution of remote wipe/clean.
- Employee Resignation/Termination - If the employee is let go, or leaves the company, recovering and deleting company data can be a problem. There should be a policy in place that governs how that data will be retrieved from the personal laptop and/or smartphone.
- Device Sharing - Mobile devices are more likely to be occasionally shared, potentially putting corporate data at risk. A person with malicious intent can read sensitive information on enterprise applications. Re-authentication upon each access and two factor authentication should be implemented.