Services Blog- Hummingbird Networks

5 BYOD Security Risks Every Business Owner Should Know About

Written by John Ciarlone | Jan 21, 2014 2:00:00 PM
So, I was reading a good blog about Bring-Your-Own-Device policies, over at Search Security, and they made an interesting point that really stuck with me:  It's quickly getting to the point that this is happening, whether employers want it to happen or not.  
That is to say, there are so many employees with so many cell phones and tablets that they're probably using their corporate networks on mobile devices, regardless of the policies in place.
 
Is BYOD security something business owners should be concerned about?

BYOD - A Tricky Compromise

On its face, it seems like a great everyone-wins idea:

  • Employees use the devices and services they're familiar with.
  • The multitude of collaboration apps often allows workers to invent their own solutions.
  • On-the-go work becomes easier if their personal devices can connect to your network.
  • Your operations are under less pressure to provide new devices.
  • There's a definite morale boost associated with everyone bringing their own device.

Basically, it would be an all-around great idea... except for the security concerns.  And they are numerous.  To be able to safely harness BYOD, you need to be able to deal with several challenges.

Five Security Barriers To Successful BYOD

1 - Employee Misuse

While not as prevalent as many might think, whenever you let your employees online, there's a chance that they'll go to sites that don't belong on a work network.  (For brevity's sake, we'll just leave it at that...)

Blacklists can help, in terms of blocking known websites, but of course, more sites get added every day.  We'd suggest updating and expanding your desktop "Acceptable Use" policy to cover mobile, and have your employees read and sign it.

2 - Device Insecurity

While precise statistics aren't available, it's undeniable that plenty of users don't implement much security on their personal devices.  Many have no lock or passcode at all, meaning that their devices are potentially gaping security holes if lost or stolen.

We strongly recommend implementing mandatory password requirements on all employee devices logging into your system.   However, be reasonable:  People won't lock up their cellphones with 16-character alphanumeric passwords, because they're simply too hard to type in.

Cloud management and monitoring platforms such as Cisco Meraki give you an inside look into your network, showing which devices are connected as well as limiting access to certain devices.

3 - Jailbroken Devices

"Jailbroken" devices, if you don't know the term, have had their security deliberately bypassed by the owner, to allow the installation of software besides what's offered in their device's App Store.  (Among other uses.)

These devices present such a clear potential security threat that it's tempting for companies to ban them entirely, and that's a totally reasonable response.  However, tread carefully - your own IT staff are among those most likely to have done this, and they'll strongly resist it.


4 - Device-Specific Security Holes

Another issue with BYOD policies is the multitude of operating systems these devices run.  Even with BlackBerry mostly fading from the picture, you've still got Windows 8, iOS, and about a billion different versions of Android to deal with.

We recommend having an approved-OS policy, along with specifically asking your employees not to install major OS updates until your security team has had an opportunity to review them.  The recent release of iOS 7, for example, initially included a major security hole that allowed the lock screen to be quickly bypassed.

5 - Data Theft

Finally, we'd be remiss if we didn't mention the potential for deliberate data theft.  When a substantial chunk of your records can fit on a single iPhone, espionage is an unfortunate worry.

Our best advice here is simply to have a robust virtual network in place, with distributed universal data policies that ensure no user has read, write, or copy permissions for anything they shouldn't.

Talk To Your Employees

There's a running theme here: it's worth talking to or surveying your employees for their mobile usage habits.  One thing studies have shown is that this tends to vary wildly between businesses.  Find out what your employees are doing, before making new rules.