Tips for Mitigating BYOD Security Risks

By Christian Crank

Let’s be honest and admit that we’re obsessed with our mobile devices: Our smartphones, tablets and laptops are with us at all times and go everywhere we go. Because we need to always have these gadgets on hand, there is a growing expectation that companies should allow and enable employees to use their own mobile devices in the workplace.

Bring-your-own-device policies allow employees to bring their personal mobile and other devices to work for use with company systems, software, networks and information. BYOD has become a huge trend, with nearly one-third of employees using personal devices at workplaces worldwide. Inc.com reports that the BYOD practice has risen by as much as 65 percent for the past few years. This figure is expected to increase even more over the next six years.

It’s obvious why employees love BYOD—convenience, familiarity with current devices, and access control, to name a few. BYOD also provides enterprises with several key benefits, including increased productivity, reduced IT and operating costs, better mobility for employees, and an incentive in hiring and retaining employees.

But for all the positives associated with BYOD, the practice also poses major threats to the security infrastructure. According to McAfee, malware in Android mobile operating systems alone grew by 33 percent last year.

For companies that practice BYOD, this news is alarming. If employees unwittingly download malware, their devices can then introduce that malware into corporate systems. Additionally, that infected device could cause important business information to be stolen.

Even if companies oppose BYOD, there are still risks associated with employer-issued devices. So rather than banning this practice, companies can employ a few key guidelines to help mitigate the security risks.

Use mobile device management software.

Many IT and security teams use mobile device management (MDM) software for securing devices. This enables IT teams to implement security settings and software configurations on all devices that connect to company networks.

MDM software can provide secure client applications such as email and Web browsers, along with application distribution, configuration, monitoring and remote-wipe capability. As mobile becomes more ubiquitous and more devices are created, MDM companies are working to add better tools and policies to protect BYOD environments.

Create an approved application list.

With thousands of applications available, this can be difficult to achieve, but the reality is that malware and rogue applications can cause serious damage without users realizing it. Companies can begin by creating an initial list of approved applications and making sure that any application not on the list is prohibited.

Employees who want to download an application that’s not on the approved application list must first submit it to IT for review. When dealing with mobile, you should prohibit the use of jailbroken or rooted phones, because they are at higher risk of installing a dangerous application.

Employ password-protected access controls.

This may seem obvious, but requiring a password or PIN to unlock the device is imperative in BYOD security. Passwords should be unique for each device and/or user account, and periodically refreshed by the owner of the device.

In addition to passwords, administrators should enable lockouts that lock the device after a given number of unsuccessful login attempts. BYOD policies should also set full-device encryption standards or use sandboxed data containers that allow only certain users and applications to access information that’s sensitive to the company.

Use remote-wipe services.

If a device is stolen from an employee and sensitive company data is on that device, then that company’s information is in the hands of another individual or entity. All BYOD devices should be enrolled in a remote-wipe service, which is often part of an MDM software package. In addition to being able to track a missing device, these services have the ability to clear a device of its data remotely, a critical last-resort measure for ensuring BYOD security in the event of a lost or stolen device.
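As an added example, not code from the article or from any MDM product, the following Python check turns the guidelines from the approved-application, access-control and remote-wipe sections above into a single compliance evaluation over device inventory records; the thresholds, app identifiers and device records are constructed assumptions.

```python
from dataclasses import dataclass, field

# Policy values are constructed for this example; the article names the
# controls (allowlist, PIN, lockout, encryption, wipe) but sets no numbers.
APPROVED_APPS = {"com.corp.mail", "com.corp.browser", "com.corp.docs"}
MIN_PIN_LENGTH = 6       # assumed minimum passcode length
MAX_FAILED_UNLOCKS = 10  # assumed lockout threshold

@dataclass
class DeviceReport:
    device_id: str
    rooted: bool
    pin_length: int        # 0 means no passcode set
    encrypted: bool
    lockout_after: int     # failed unlocks before lock; 0 means no lockout
    installed_apps: list = field(default_factory=list)
    reported_lost: bool = False

def evaluate(report):
    """Check one device against the policy and pick the MDM action."""
    findings = []
    if report.rooted:
        findings.append("rooted or jailbroken device is prohibited")
    unapproved = sorted(set(report.installed_apps) - APPROVED_APPS)
    if unapproved:
        findings.append("apps not on the approved list: " + ", ".join(unapproved))
    if report.pin_length < MIN_PIN_LENGTH:
        findings.append(f"passcode shorter than {MIN_PIN_LENGTH} characters")
    if not 0 < report.lockout_after <= MAX_FAILED_UNLOCKS:
        findings.append(f"no lockout within {MAX_FAILED_UNLOCKS} failed unlocks")
    if not report.encrypted:
        findings.append("full-device encryption is off")
    # Remote wipe is the last resort for a lost device; a rooted device or
    # unapproved software blocks corporate access until it is fixed.
    if report.reported_lost:
        action = "wipe"
    elif report.rooted or unapproved:
        action = "block"
    elif findings:
        action = "remediate"
    else:
        action = "allow"
    return {"device_id": report.device_id, "action": action, "findings": findings}

# Constructed sample inventory: one compliant phone, one rooted phone with
# a stray app and no lockout, and one compliant tablet reported lost.
SAMPLE_DEVICES = [
    DeviceReport("phone-01", False, 6, True, 10, ["com.corp.mail"]),
    DeviceReport("phone-02", True, 4, False, 0, ["com.corp.mail", "com.shady.game"]),
    DeviceReport("tablet-03", False, 6, True, 10, ["com.corp.docs"], reported_lost=True),
]
REPORT = [evaluate(d) for d in SAMPLE_DEVICES]
```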

The age of BYOD is here to stay. Enterprises shouldn’t have to take an authoritarian approach to BYOD by eliminating it altogether. Nor should they take a passive approach by ignoring unsecured personal devices in the workplace. Instead, companies can employ these simple security precautions and get their BYOD practices under control.

Christian Crank is a security researcher at TrainACE, a progressive hacking and cyber-security training and content organization that develops training classes and resources for the hacking and security community.