Mobile
11/4/2015
11:00 AM
Subbu Sthanu
Commentary

BYOD 2015: Data Loss, Data Leaks & Data Breaches

The growth of employee-owned devices in the workplace is placing new demands on enterprises struggling to protect both personal and professional data.

Historically, corporate-owned desktops and laptops were obligatory. They not only saved employees time and money, but also enabled IT to carefully control their use and minimize risks associated with using them for work. Anti-malware, data loss prevention (DLP), web access control and VPN were some of the security capabilities that were commonly enabled on company-issued devices.

Bring Your Own Device programs and the rise of employee-owned devices in the workplace have dramatically transformed how companies can (or can’t!) control the risks of these devices. Over the years, employees have come to expect their devices to be under little or no scrutiny from their employer. At the same time, many major mobile operating systems are designed in a way that restricts the visibility and enforceability of an enterprise’s security capabilities.

But device ownership is only a small part of the current problem. An even greater concern is the content – work files, emails, enterprise resource planning records – that is increasingly stored on the devices themselves. Historically, the objective of enterprise security controls has always been to limit the risk of data exposure on laptops and desktops. Today – with the growing use of smartphones and tablets – data exposure has become a top priority.

To capitalize on the benefits of BYOD without sacrificing security, it’s essential for security teams to fully understand potential threats, and preemptively develop plans to mitigate the risks to enterprises’ data. Here are three examples of these types of threats, and how companies can proactively defend against them.

Risk #1: Data Loss: Data loss is relatively straightforward to handle; enterprises should be able to remotely wipe lost or stolen devices. However, when the personal is intertwined with the professional, enterprises should only be empowered to remove work-related content. So – in case the device is recovered – the employee’s personal data can also be recovered.

Encrypting enterprise content, improving device security through access passcodes and ensuring the OS is up to date can help prevent criminals from extracting sensitive data from the device. But new research from IBM Security into one million BYOD and corporate-issued devices found that nearly 80 percent of companies enforce only the most basic option to protect their data on employees’ phones: a 4-5 digit PIN. As hackers increasingly recognize mobile as an emerging attack vector, it’s essential that organizations update their mobile security policies accordingly, and require their employees to use lengthier passcodes to protect their data.

Risk #2: Data Leak: When an employee shares company data from a mobile device with an unauthorized app or third party, he or she is a mere click away from placing corporate data at a significant risk. In order to prevent data leakage, companies need to develop centralized policies offering granular control of how data is accessed, used and shared with specific applications and users. Data leak prevention can be enforced within individual corporate mobile apps or within content containers on the device.

Data leaks can also be caused by application vulnerabilities exploited by malware. According to a March IBM-sponsored Ponemon Institute study (registration required), nearly 40 percent of companies, including many in the Fortune 500, aren’t properly securing the mobile apps they build for customers. That’s why IT directors must ensure enterprise apps are vulnerability-free in order to improve resilience to data leakage.

Risk #3: Data Breach: If an employee-owned device connected to the company’s network becomes compromised by malware, whether from downloading a malicious app or from faulty device security, the whole network is susceptible to a data breach. This requires a different level of data breach prevention at the point of network entry, one that involves a deeper understanding of the risk profile of the device and the user. High-risk factors include compromised and vulnerable devices, the context of the access (time, location) and historical access patterns (what is being accessed, how often). Context- and risk-aware access control can enable enterprises to minimize the risk mobile devices pose to their networks.
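The following sketch is an added example, not code from the article or from any IBM product. It shows how the three signal groups named above (device state, access context, access history) can be combined into one access decision at the point of network entry; the field names, weights and thresholds are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from datetime import datetime

# Assumed weights and thresholds, for illustration only; tune to local policy.
WEIGHTS = {
    "compromised_device": 100,  # jailbroken/rooted or malware detected
    "vulnerable_os": 30,        # OS behind on patches
    "unusual_location": 25,     # context: where
    "unusual_time": 15,         # context: when
    "new_resource": 20,         # history: never accessed before
}
STEP_UP_AT, DENY_AT = 30, 60

@dataclass
class Request:
    user: str
    resource: str
    when: datetime
    country: str
    compromised: bool
    os_current: bool

@dataclass
class History:
    countries: frozenset   # countries this user normally connects from
    hours: range           # hours of day normally seen
    resource_counts: dict  # resource -> number of prior accesses

def risk_score(req, hist):
    """Return (score, reasons) built from device, context and history signals."""
    checks = {
        "compromised_device": req.compromised,
        "vulnerable_os": not req.os_current,
        "unusual_location": req.country not in hist.countries,
        "unusual_time": req.when.hour not in hist.hours,
        "new_resource": hist.resource_counts.get(req.resource, 0) == 0,
    }
    reasons = [name for name, hit in checks.items() if hit]
    return sum(WEIGHTS[r] for r in reasons), reasons

def decide(req, hist):
    """Map the score to allow / step_up (re-authenticate) / deny."""
    score, reasons = risk_score(req, hist)
    if score >= DENY_AT:
        return "deny"
    return "step_up" if score >= STEP_UP_AT else "allow"

# Constructed sample history, not taken from the article.
HIST = History(frozenset({"US"}), range(7, 20), {"mail": 120, "crm": 14})
```

Returning the list of reasons alongside the score lets the gateway log why a request was challenged or refused, which is what makes the resulting decisions reviewable.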

Looking ahead, understanding and building a plan to lessen the risks to company data is an essential part of realizing the benefits mobility brings to employees and businesses alike. 

Subbu Sthanu is the Director of Mobile Security and Application Security at IBM. Prior to IBM, Subbu served on the leadership teams of security software vendors like Novell, NetIQ, Trustwave and BeyondTrust, heading up product management, marketing, corporate development and ...
Comments
Sagiss, LLC,
User Rank: Strategist
11/19/2015 | 11:45:53 AM
Getting the Word Out
This is a great article. Another vastly important factor that often goes overlooked by businesses is educating employees on these BYOD risks. Simply taking the time to ensure that employees understand their part in the whole has the potential to save companies from massive (and costly) data losses. 