
11/4/2015
11:00 AM
Subbu Sthanu

BYOD 2015: Data Loss, Data Leaks & Data Breaches

The growth of employee-owned devices in the workplace is placing new demands on enterprises struggling to protect both personal and professional data.

Historically, corporate-owned desktops and laptops were obligatory. They not only saved employees time and money, but also enabled IT to carefully control their use and minimize risks associated with using them for work. Anti-malware, data loss prevention (DLP), web access control and VPN were some of the security capabilities that were commonly enabled on company-issued devices.

Bring Your Own Device programs and the rise of employee-owned devices in the workplace have dramatically transformed how companies can (or can’t!) control the risks of these devices. Over the years, employees have come to expect their devices to be under little or no scrutiny from their employer. At the same time, many major mobile operating systems are designed in a way that restricts the visibility and enforceability of an enterprise’s security capabilities.

But device ownership is only a small part of the current problem. An even greater concern is the content – work files, emails, enterprise resource planning records – that is increasingly stored on the devices themselves. Historically, the objective of enterprise security controls has always been to limit the risk of data exposure on laptops and desktops. Today – with the growing use of smartphones and tablets – data exposure has now become a top priority.

To capitalize on the benefits of BYOD without sacrificing security, it’s essential for security teams to fully understand potential threats, and preemptively develop plans to mitigate the risks to enterprises’ data. Here are three examples of these types of threats, and how companies can proactively defend against them.

Risk #1: Data Loss: Data loss is relatively straightforward to handle; enterprises should be able to remotely wipe lost or stolen devices. However, when the personal is intertwined with the professional, enterprises should only be empowered to remove work-related content. So – in case the device is recovered – the employee’s personal data can also be recovered.

Encrypting enterprise content and improving device security by requiring access passcodes and keeping the OS up to date can help prevent criminals from extracting sensitive data from the device. But new research from IBM Security into one million BYOD and corporate-issued devices found that nearly 80 percent of companies enforce only the most basic option to protect their data on employees’ phones: a 4-5 digit PIN. As hackers increasingly recognize mobile as an emerging attack vector, it’s essential that organizations update their mobile security policies accordingly, and require their employees to use lengthier passcodes to protect their data.

Risk #2: Data Leak: When an employee shares company data from a mobile device with an unauthorized app or third party, he or she is a mere click away from placing corporate data at a significant risk. In order to prevent data leakage, companies need to develop centralized policies offering granular control of how data is accessed, used and shared with specific applications and users. Data leak prevention can be enforced within individual corporate mobile apps or within content containers on the device.

Data leaks can also be caused by application vulnerabilities exploited by malware. According to a March IBM-sponsored Ponemon Institute study (registration required), nearly 40 percent of companies, including many in the Fortune 500, aren’t properly securing the mobile apps they build for customers. That’s why IT directors must ensure enterprise apps are vulnerability-free in order to improve resilience to data leakage.

Risk #3: Data Breach: If an employee-owned device connected to the company’s network becomes compromised by malware, whether from downloading a malicious app or through faulty device security, the whole network is susceptible to a data breach. This requires a different level of data breach prevention at the point of network entry, one that involves a deeper understanding of the risk profile of the device and the user. High risk factors include compromised and vulnerable devices, the context of the access (time, location) and historical access patterns (what is being accessed, how often). Context- and risk-aware access control can enable enterprises to minimize the risk mobile devices pose to their networks.
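A sketch of the context- and risk-aware access decision described under Risk #3, as an added example that is not from the original article or from any vendor product. The field names, weights, thresholds and the sample history are assumptions constructed for illustration.

```python
from collections import Counter
from dataclasses import dataclass

@dataclass(frozen=True)
class Access:
    user: str
    resource: str
    hour: int                         # local hour of day, 0-23
    country: str
    device_compromised: bool = False  # e.g. rooted/jailbroken or malware found
    os_outdated: bool = False         # vulnerable, unpatched device

# Constructed sample history of one user's earlier accesses.
HISTORY = [
    Access("alice", "mail", 9, "US"), Access("alice", "mail", 10, "US"),
    Access("alice", "crm", 14, "US"), Access("alice", "mail", 16, "US"),
    Access("alice", "crm", 11, "US"), Access("alice", "mail", 13, "US"),
]

def risk_score(req, history):
    """Return (score, reasons); weights are illustrative assumptions."""
    past = [h for h in history if h.user == req.user]
    checks = [(req.device_compromised, 100, "compromised device"),
              (req.os_outdated, 30, "vulnerable OS")]
    if not past:
        # No baseline to compare against: one flat penalty instead of three.
        checks.append((True, 40, "no access history"))
    else:
        hours = Counter(h.hour for h in past)
        resources = Counter(h.resource for h in past)
        # Unusual time: no earlier access within +/-2 hours (wraps midnight).
        near = any(hours[(req.hour + d) % 24] for d in range(-2, 3))
        share = resources[req.resource] / len(past)
        checks += [
            (not near, 25, "unusual time"),
            (req.country not in {h.country for h in past}, 35, "new location"),
            (share == 0, 30, "never-accessed resource"),
            (0 < share < 0.10, 10, "rarely accessed resource"),
        ]
    hits = [(w, why) for tripped, w, why in checks if tripped]
    return sum(w for w, _ in hits), [why for _, why in hits]

def decide(req, history, step_up_at=30, deny_at=70):
    """Map the score to allow / step-up (re-authenticate) / deny."""
    score, reasons = risk_score(req, history)
    if score >= deny_at:
        return "deny", score, reasons
    if score >= step_up_at:
        return "step-up", score, reasons
    return "allow", score, reasons
```

Returning the reasons alongside the decision lets the access gateway log why a request was challenged or refused, which is what makes the policy tunable.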

Looking ahead, understanding and building a plan to lessen the risks to company data is an essential part of realizing the benefits mobility brings to employees and businesses alike. 

Subbu Sthanu is the Director of Mobile Security and Application Security at IBM. Prior to IBM, Subbu served on the leadership teams of security software vendors like Novell, NetIQ, Trustwave and BeyondTrust, heading up product management, marketing, corporate development and ...
Comments
Sagiss, LLC,
User Rank: Strategist
11/19/2015 | 11:45:53 AM
Getting the Word Out
This is a great article. Another vastly important factor that often goes overlooked by businesses is educating employees on these BYOD risks. Simply taking the time to ensure that employees understand their part in the whole has the potential to save companies from massive (and costly) data losses. 