20 BYOD Security risks your enterprise is facing Right Now!

By Darshik Jariwala - September, 18th 2016

Preface

Back in October 2014, Gartner said in one of their reports that 40 Percent of U.S. Employees of Large Enterprises Use Personally Owned Devices for Work; and according to  Global Market Insights Inc, Bring Your Own Device (BYOD) Market size would be worth USD 366.95 Billion by 2022. A very recent report by Skycure states that 1 in 5 Organizations Suffered a Mobile Security Breach.

What this means is that in a very immediate future, we may see nearly all the companies have their employees working on their smartphones, phablets or tablets. And with the growing adoption of BYOD comes the growing security risks for BYOD. For all we know, irrespective of the company policies and compliance’s, employees must not only be using their personal devices but also dealing with sensitive information.  Without the sufficient amount of knowledge, this trend could have quite serious repercussions for both, the company and its employee. Very soon, most of the cyber attacks meant for systems will be redirected towards these devices and none of the users may be well equipped to deal with the situation. And what are these situations which could have the ability to put the company in an uncomfortable place and under the radar of the attackers? Every kind of security risk, minor or major, can throw them off the path. Here we have 20 listed BYOD security risks your enterprise may be facing even when you are reading this. You may as well have a look at them all considering you may have to deal with them too (if you are already not).

1. Jailbreak & Rooted devices

The materials to find a way to Jailbreak iPhone or to Root Android phones are as easily available as finding a flash drive on amazon or eBay. It would be a relief to know that the employee dealing with sensitive information isn’t doing so on a Jailbreaked or Rooted device. The unofficial apps could prove to be extremely dangerous, not to mention the Free virus and spyware accompanying the downloaded app.

2. Unsecured Device Locks

Another one of the underrated and widely overlooked security measures. Although this may be a personal choice to the user, it really is not and shouldn’t be when transacting the company business over the same device. Sharing lock codes & patterns with colleagues, easy to guess codes (read: DOB) are some of the many ways the device could be exploited if fallen into wrong hands. Not to mention the havoc it cold wreck if acquired by someone with planned social engineering means.

3. Lost or Stolen devices

Not only is it extremely difficult at times to retrieve your stolen phone, retrieving the phones too shares an equal amount of risk. The fact that the device also stores company sensitive data adds a whole new dimension to this crime which may lead to consequences one can only imagine.

4. Data Leakage

Every time an employee shares data or information with a third party app, he/she is essentially at the edge of leaking some data, albeit unintentionally. In a recent study, it was stated 46% of businesses confessed to data leaks resulting from the use of file sharing services.

5. Encryption

There is a high possibility that quite a lot of companies may not have an end-to-end encryption policy in place in spite of a proper BYOD adoption. The data shared or transferred may be encrypted but possibly only at the time of transit. It is necessary to question the encryption and security measures in place for the devices in question (System to mobile, mobile to mobile, etc). A strong password and an even better encryption ensure a secure transmission of information.

6. No EMM Solution

As hard as it may be to believe, such is the case with many startups and to some extent, even SMB’s who allow their employees to use their personal devices as an alternative to workstations to ensure the completion of task or project. This is done mainly to ensure the completion of work before the deadline or  allowed to make sure it is done even post  working hours. There is no EMM solution in place, no encryption or security measures. All done on mutual “trust and understanding”. This neatly brings us to the next security risk factor.

7. Disgruntled Employee

Employees and Employers both fail that understand that these working relationships are not fairy tale stories. There are bound to be disagreements, arguments, verbal fights (in some cases even more) which may someday lead to a sour relationship and an employee resigning holding grudges against the company. There must be certain policies in place so that when the employees leave, the company data on their devices doesn’t leave with him/her.  Do read about these 9 instances about how the disgruntled employees breached security in various ways to get back at their former organizations.

8. Workaround For Imposed Restrictions

Such instances are more often than not found in the IT companies who are comparatively more tech-savvy and manage to find a workaround for some features such as, connecting to workplace network he/she is allowed access to, accessing certain restricted websites, or accessing sites beyond the company confined checklist of allowed sites. A large organization usually maintain multiple networks to restrict access to certain employees or they segregate networks to be used by only some specific group of people pertaining to their roles and duties within the organization. This is maintained by the IT department. For instance, an employee may try to access a network he/she may not be authorized to use.  The workarounds are nothing but loopholes which are found and exploited for personal gains and employees may not necessarily mean any harm to company or company data.

9. Connecting Device to Unsecure/Open WiFi

An employee who uses the same device for both personal and professional purpose may frequently connect his device to an unsecured wifi network outside the workplace, such as malls, cafe. He/She could be a next potential victim for the hacker who wishes to gain access to the employee’s device to exploit the information contained within, or transmit data without the device owner’s knowledge.

10. Loss of locally stored data due to device hardware failure

Such a situation could occur if the information on the device is not synced over company’s cloud storage or with any other system as a backup. In a very recent case, the Samsung Galaxy S7  Edge literally exploded which eventually resulted in the company recalling all the sold devices. In such cases of hardware failure, it can be complicated for any organization to have a handle on the device and the issue.

11. Adware & Spyware Apps

More of google searches take place on Mobile than on Desktops or laptops even, as was recently officially confirmed by Google. More and more people browse the internet, use mobile apps than websites. This is good news for Marketers and App developers as they are able to effectively target ads within the apps, unlike internet browsers on desktops where most users simply turn it off using pop-up blockers or extensions like Adblock. In other cases, some attackers build apps specifically acting as a spyware in the background but appearing as a legitimate app to a naked eye. These apps could also have the ability to spy on all those devices which interact with the primary device the app is installed on.

12. Dividing Personal & Professional Data

Unless there is a way to figure out creating a partition on the storage similar to the traditional hard disk drives on desktops, all the data will be stored in the same space within the devices’ local storage. So technically, in spite of the separation of data by the apps installed, all the data (personal & professional) is still actually stored within the same cluster.

13. Vulnerable Apps

Unlike the Adware and Spyware apps which are intended to harm, some apps invariably have vulnerabilities or loopholes not known yet to the respective app developers. These apps could fall into the category of the personal apps or an organization’s proprietary app only available to employees. It is imperative to constantly keep an eye out for bug fixes, updates, and feedbacks. The employees  are usually unaware of such issues. The company IT department and the app developers are the ones who are responsible for staying up-to-date for these issues.

14. Virus Affected Android Devices

Although all smartphones are vulnerable and can by affected by viruses, the attackers mostly focus on Android for mainly 2 reasons; a significantly higher number of users and an open ecosystem for building and distributing apps. Taking advantage of the widespread Pokemon Go furor,  unofficial versions of Pokemon Go had begun to suddenly appear in Android play store in some countries where Nintendo had yet to release the app. This by no mean implicates the iOS and Windows Phone users are always safe from such attacks, merely that Android users may need to be extra cautious.

15. Apps Requesting Access Permissions

Unlike the initial days of using smartphone where people usually read the access permissions pop-up at the time of app installation or during its first use, they are now well aware of them and quickly need to “allow access” and get to using the app, sometimes without paying attention to what kind of access the app is really requesting. On the other hand, there may be apps which request access to all information/features (camera, contacts, location, etc). The users should be wary of such apps. For instance, there is most probably something fishy about an app which requests access to location or camera when the app is built for the purpose of simply detecting and removing duplicate contacts from the directory.

16. Non-Maintained or Misconfigured EMM

This could be a major blow for any organization who adopts BYOD, has compliances and policies in the right place but for some reason does not seem to maintain the Enterprise Mobility Management (EMM) solution or have somehow not configured in the most efficient way. The roles could include enrolling new devices, wiping data from devices no longer in a use of if the device owner no more works or the company, managing access controls to name a few. Every EMM provider makes sure that they are always available to provide support to the clients for any tech or non-tech queries (depending on the vendor and selected package).

17. Storing Sensitive Data Over Consumer-oriented Cloud Storage

In order to deal with the “inconvenience” to constantly manage and juggle between personal and company data, some employees may resort to using their personal cloud storage solution and store all the data in the same place. Once the data is transferred to the users’ personal cloud storage, the company loses the access and management to this piece of data which will be available to the users after leaving the company as well.

18. No Training Education for Employees

Yet another point adding to an already long list of security risks. In one of the statistics, it is reported that a staggering 67% of employees said contrary to what the company believes, the BYOD policies are not clearly defined. Organizations obviously need to educate every employee regarding the compliance policies, security risk’s and their responsibilities in terms of safeguarding their devices and all the data contained within.

19. Vulnerable Devices

Employees should regularly update their mobile operating systems and the applications as and when it is available for their devices. Also making it a point to keep reading the latest security news pertaining to their devices, its operating system or any apps installed and make sure to take all preventive measures to ensure their devices are safe (at least to their knowledge).

20. No Multi-Factor Password Adoption

Multi-factor authentication requires two or more credentials from the user to authenticate their identity. It includes a combination of something the user knows (password), something that a user has (OTP) and something that they are (biometric scan). It is be determined by the users’ role in the company and/or the information he/she has access to. Multi-factor authentication provides added security layer while accessing any data or app and hence reduces the security risks.

Epilogue

Hard as it is to accept, it is really an accepted fact that no amount of precautions taken will be enough to make any system a 100% secure, even with all the measures taken for all the above-mentioned security risks. They will, as always, keep looking for new loopholes and vulnerabilities. However, it does make the job a little harder for the hacker. Employees completely, or at least heavily, reliant on their personal devices to get their work done is not the future, it is the present. With every passing year, the attackers are steadily gathering the information (read: ammunition) to find new ways to breach the data. It is your company, your data, your move.

Feature Image Credit – American Advisors Group/Flickr