Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Mobile Security

08:05 AM
Jeffrey Burt
Jeffrey Burt
Jeffrey Burt

Security Concerns Increasing as BYOD Programs Continue to Grow

Businesses are expanding their BYOD programs to include partners, customers and others, but most are behind in securing their mobile environments, according to a Bitglass survey.

A growing number of enterprises continue to expand the reach of their bring-your-own-device programs, bringing contractors, partners and others into the fold along with employees, but admit to being concerned that their efforts are opening them up greater security risk, according to a recent survey.

In the report entitled "Mission Impossible: Securing BYOD," researchers for cloud access security broker BitGlass found that 85% of companies surveyed have some sort of program allowing at least their employees to use their personal mobile devices, particularly smartphones and tablets, for work.

Some of these same companies have also opened up the BYOD programs to contractors, partners, suppliers and customers, according to the survey.

(Source: iStock)
(Source: iStock)

However, 51% report that the number of threats to mobile devices has grown over the past year, and only 30% are confident they have the proper security in place to protect personal and mobile devices against malware. The BYOD safety concerns range from data leakage and an unauthorized person access data to the inability to control uploads and downloads to lost or stolen devices.

The survey of 400 IT experts illustrates the challenge that BYOD has presented to enterprises over the past several years. There are myriad reasons to embrace the trend, but it also greatly expands an enterprise’s attack surface and highlights the challenges of securing personal mobile devices. (See Cisco: As Business Users Go Mobile, So Do Attackers.)

"Most companies are happy to allow BYOD because of the many benefits cited in the survey results, including enhanced flexibility, mobility, employee satisfaction, reduced costs, and more," Jacob Serpa, product marketing manager at Bitglass, told Security Now in an email. "It's also a good way to attract and retain top talent as many employees are now expecting to be able to work from their personal devices. In other words, IT departments are making the conscious decision to allow BYOD, but aren't always doing so securely."

Serpa noted that, in the survey, 42% of companies are relying on "ill-suited, agent-based tools to secure corporate email on BYOD, and 24% don't secure it at all. If organizations continue to blindly accept the benefits of BYOD without taking the proper steps to secure it, they are rendering themselves highly vulnerable to data leaks."

BYOD has been around for almost a decade, coinciding with the introduction of first smartphones and then tablets. The proliferation of personal mobile devices combined with the growth of cloud computing made it easier for employees to use their smartphones and tablets for work, including accessing the corporate network and downloading cloud apps and services.

It also gave bad actors avenue to steal data and another pathway into a business's IT environment.

"Hackers know that personal devices typically have fewer built-in protections than managed devices, so they see BYOD endpoints as easy gateways into corporate networks and applications," Serpa said. "Typically, attacks targeting these devices are enabled by careless employee behavior. For example, workers checking personal emails or browsing social media at home can easily have their passwords stolen or their devices infected with malware if they click on malicious links or download suspect files. Stolen credentials can be used to grant direct access to enterprise resources, while malware can spread throughout an organization's systems via files uploaded from infected devices."

The problem is that endpoint protections that organizations traditionally have relied on are difficult to install every mobile device workers use during the course of their workdays, he said. In addition, one in five organizations in the survey said they lack visibility into basic cloud-native apps -- such as email -- on employees' devices.

"As you cannot secure what you cannot see, visibility into cloud apps is the first step towards data protection," the researchers said in the report. "Unfortunately... organizations do not have sufficient visibility into applications on BYO devices. Only 55% of firms can monitor files sharing apps, like Box and Dropbox, that can easily be used to share highly sensitive files. Likewise, only 49% of enterprises can see what is done with their information in messaging apps alike Slack."

The lack of visibility and control over data downloaded to personal devices means the data on the devices are frequently targeted by threat actors, highlighting the need for such tools as selective wipe, which enables businesses to remotely remove corporate data from personal devices while keeping the personal data unharmed.

Bitglass's Serpa said many companies may be overestimating of what their traditional security tools -- which were made to secure managed devices on-premises -- can do at a time of the cloud and BYOD and may believe that their devices and the data they hold are more secure than they are. There also may be a reluctance to invest in the tools they need in light of the massive amounts money they've spent over the years on the security solutions being used to protect their on-premises infrastructure.

"Unfortunately, many companies are getting blinded by BYOD's many benefits and are treating proper cybersecurity like an afterthought," he said.

Serpa said there are multiple tools companies can buy, such as identity and access management (IAM), single sign-on and multi-factor authentication. In addition, user and entity behavior analytics (UEBA) that detect anomalous user activity and agentless security solutions deployed in the cloud also should be used.

Fifty-six percent of those surveyed put remote wipe and mobile device management as the technologies they use or are planning to use, while other tools included device encryption and anti-malware.

Related posts:

— Jeffrey Burt is a long-time tech journalist whose work has appeared in such publications as eWEEK, The Next Platform and Channelnomics.

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
How SolarWinds Busted Up Our Assumptions About Code Signing
Dr. Jethro Beekman, Technical Director,  3/3/2021
'ObliqueRAT' Now Hides Behind Images on Compromised Websites
Jai Vijayan, Contributing Writer,  3/2/2021
Attackers Turn Struggling Software Projects Into Trojan Horses
Robert Lemos, Contributing Writer,  2/26/2021
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: Sure you have fire, but he has an i7!
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-03-05
SQL injection in admin.php in doctor appointment system 1.0 allows an unauthenticated attacker to insert malicious SQL queries via username parameter at login page.
PUBLISHED: 2021-03-04
On Xerox AltaLink B8045/B8055/B8065/B8075/B8090 and C8030/C8035/C8045/C8055/C8070 multifunction printers with software releases before 101.00x.099.28200, portions of the drive containing executable code were not encrypted thus leaving it open to potential cryptographic information disclosure.
PUBLISHED: 2021-03-04
Missing permission check in knox_custom service prior to SMR Mar-2021 Release 1 allows attackers to gain access to device's serial number without permission.
PUBLISHED: 2021-03-04
Graphic format mismatch while converting video format in hwcomposer prior to SMR Mar-2021 Release 1 results in kernel panic due to unsupported format.
PUBLISHED: 2021-03-04
A possible arbitrary memory overwrite vulnerabilities in quram library version prior to SMR Jan-2021 Release 1 allow arbitrary code execution.