BYOD security concerns are mounting


As can be seen in two of the stories in today's newsletter, security concerns about BYOD are mounting as attacks against popular devices, such as Android, also mount.

According to a survey by the Ponemon Institute, close to one-quarter of IT managers see mobile devices as a rising security threat to the enterprise. And security firm Sophos is warning about the explosive growth of malware targeting Android devices.

Dionisio Zumerle, principal research analyst at Gartner, recently identified three security hurdles for enterprises to overcome when transitioning to BYOD.

First, the right of users to use capabilities of their personal mobile devices can conflict with the enterprise's need to implement security policies, increasing the risk of data loss and the exploitation of security vulnerabilities.

"When enterprise data is allowed on these devices, the risk of leakage increases for the enterprise, not just because of the rise of mobile malware, but also because legitimate but unsupported apps may inadvertently create security risks for the organization and, most importantly, because of device loss," Zumerle explained.

The Gartner analyst recommends the use of mobile device management products as one way to enforce enterprise policy. Other solutions include whitelisting and blacklisting apps, containerization of apps, and setting up an enterprise app store.

Second, user freedom to select their own devices, regardless of security considerations, makes it difficult for enterprises to secure devices at the workplace, as well as keep track of device vulnerabilities and updates.

"An essential security baseline should require enhanced password controls, lock timeout period enforcement, lock device after password retry limit, data encryption, remote lock and/or wipe. The enterprise mobility baseline must also express minimum requirements on hardware: OS versions will not be sufficient," Zumerle wrote.

He recommended that enterprises use network access control products and policies, which can deny devices that fail the baseline access to valuable enterprise assets.
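As an added illustration (not code from the article or from Gartner) of how the baseline quoted above feeds a network-access-control decision, the following script scores a device's reported posture against the listed controls and returns an allow/deny result with reasons. The numeric thresholds, the `DevicePosture` record and the sample devices are constructed placeholders, not figures from the article.

```python
"""Evaluate a mobile device's reported posture against an enterprise BYOD baseline."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Baseline modelled on the controls the article lists: password controls, lock
# timeout, retry limit, encryption, remote lock/wipe, minimum OS version.
# All thresholds below are constructed placeholders, not Gartner's figures.
BASELINE = {
    "min_passcode_length": 6,
    "max_lock_timeout_seconds": 300,
    "max_failed_unlock_attempts": 10,
    "min_os_version": {"android": (10, 0), "ios": (15, 0)},
}

@dataclass
class DevicePosture:
    platform: str
    os_version: tuple
    passcode_length: int
    lock_timeout_seconds: int
    failed_unlock_limit: Optional[int]  # None: no retry limit configured
    storage_encrypted: bool
    remote_wipe_enrolled: bool

def evaluate(device: DevicePosture, baseline=BASELINE) -> Tuple[bool, List[str]]:
    """Return (compliant, findings). NAC denies enterprise assets when not compliant."""
    findings = []
    min_os = baseline["min_os_version"].get(device.platform.lower())
    if min_os is None:
        findings.append(f"unsupported platform: {device.platform}")
    elif device.os_version < min_os:
        findings.append(f"OS {device.os_version} below minimum {min_os}")
    if device.passcode_length < baseline["min_passcode_length"]:
        findings.append("passcode too short")
    if device.lock_timeout_seconds > baseline["max_lock_timeout_seconds"]:
        findings.append("lock timeout too long")
    limit = device.failed_unlock_limit
    if limit is None or limit > baseline["max_failed_unlock_attempts"]:
        findings.append("no acceptable lock-after-failed-unlock limit")
    if not device.storage_encrypted:
        findings.append("storage not encrypted")
    if not device.remote_wipe_enrolled:
        findings.append("remote lock/wipe not enrolled")
    return (not findings, findings)

# Constructed sample postures: one compliant, one that fails every check.
COMPLIANT = DevicePosture("android", (13, 0), 8, 120, 10, True, True)
NONCOMPLIANT = DevicePosture("android", (8, 1), 4, 900, None, False, False)

if __name__ == "__main__":
    for d in (COMPLIANT, NONCOMPLIANT):
        ok, why = evaluate(d)
        print("ALLOW" if ok else "DENY", why)
```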

Third, the user's ownership of the mobile device and personal data raises privacy concerns, which could inhibit an enterprise from taking aggressive security action.

"When shifting from enterprise to user-owned devices, 'remote wipe,' which is a fundamental security feature in a mobile security policy, becomes complicated from a legal and cultural point of view," he said.

Zumerle recommends that the enterprise obtain written consent from the employee to wipe the device in case it is lost, stolen, or compromised.

As the BYOD trend accelerates, so too do the security threats to the enterprise. Swift and decisive action by the enterprise will help prevent a major data breach, which could be embarrassing at the least and financially devastating at the worst. - Fred