How the growth of BYOD could exacerbate cyber risk

The growth of Bring Your Own Device (BYOD) was a result of attempts by organisations to save money on kit by encouraging staff to use their own devices, such as smartphones and tablets, for work-related tasks – a decision that has always been regarded as suspect from a security standpoint.

“With employees using their own mobile devices for business and personal activity, firms are now tasked with supporting the new social, virtual, and mobile employee and the applications they access,” says Carmina Lees, director security business unit, IBM UK and Ireland. And those applications and activities are often far from secure.

In February 2015, IBM researchers analysed 41 of the most popular dating apps and found that 60% of those apps had medium to high severity security vulnerabilities. They also found that about half of companies have employees who use dating apps on work devices.

The data hack on dating firm Ashley Madison – whose smartphone app allows millions to access its services – serves as a harsh example of the vulnerability of online services. Some 39 million members (about 9.7 gigabytes-worth of data) had personal details stolen, including names, home addresses, sexual fantasies and credit card information.

With about 7.18 billion mobile devices in the world, the shift to mobile devices as the primary form of connecting to corporate networks is increasing rapidly.

In addition, due to work pressures employees often choose convenience over security and according to IBM research: one out of every three employees shares corporate data to third-party cloud apps without the knowledge of their employer; one out of every two millennials share work data to outside cloud apps and by 2020, these millennials will make up 50% of the global workforce; while 60% of employees understand that accessing and uploading data to these third-party applications violates their employers’ security and privacy policies, but still do so.

Also, as different devices run on different operating systems and software, this offers determined hackers new ways to infiltrate an organisation’s IT system.

“The only real solution is to standardise both the type of device used by staff and the software used,” says Stuart Poole-Robb chief executive at KCS Group. “Whatever device staff use to access social media, they should be made aware that social media websites, such as Facebook and LinkedIn, must be used with caution. They should be educated never to reveal details such as the dates of a business trip on social media. Nor should they provide information on a public profile to enable social engineers to build up an accurate personality profile.”

It is important to remember that addressing the risk posed by multiple devices is not just limited to controlling the devices themselves and the websites that staff access.

The proliferation of data collection, information availability and access devices and routes is also propelling risks to new heights. Those risks come from a wide variety of players in the scene, from ‘script kiddies’ – teenagers using downloadable tools – to low-key data theft through to espionage by state actors.”

Xavier Verhaeghe, technology solutions vice-president EMEA at Oracle adds: “It is getting easier by the day to access information, or manipulate applications, if the organisations involved don’t focus on keeping up with the threats by better data governance and IT security measures.”

As a direct result protection is getting more difficult: traditional perimeter security is not efficient and effective anymore.

“A lot of the investments go into network security although a lot of the threats go via other routes like privileged users and more sophisticated access to data,” says Verhaeghe. “Even with carefully managed and approved external apps and cloud tools, it is impossible to try to define the perimeter and assume total protection via this way.”

Security architecture needs to include levels of protection in different areas such as networks, but also governance, privileged user access management, access governance, data and audit vaults and more recently with the evolutions of security-in-silicon.