Mobile
11/4/2015
11:00 AM
Subbu Sthanu
Commentary

BYOD 2015: Data Loss, Data Leaks & Data Breaches

The growth of employee-owned devices in the workplace is placing new demands on enterprises struggling to protect both personal and professional data.

Historically, corporate-owned desktops and laptops were obligatory. They not only saved employees time and money, but also enabled IT to carefully control their use and minimize risks associated with using them for work. Anti-malware, data loss prevention (DLP), web access control and VPN were some of the security capabilities that were commonly enabled on company-issued devices.

Bring Your Own Device programs and the rise of employee-owned devices in the workplace have dramatically transformed how companies can (or can’t!) control the risks of these devices. Over the years, employees have come to expect their devices to be under little or no scrutiny from their employer. At the same time, many major mobile operating systems are designed in a way that restricts the visibility and enforceability of an enterprise’s security capabilities.

But device ownership is only a small part of the current problem. An even greater concern is the content – work files, emails, enterprise resource planning records – that is increasingly stored on the devices themselves. Historically, the objective of enterprise security controls has always been to limit the risk of data exposure on laptops and desktops. Today – with the growing use of smartphones and tablets – data exposure has now become a top priority.

To capitalize on the benefits of BYOD without sacrificing security, it’s essential for security teams to fully understand potential threats, and preemptively develop plans to mitigate the risks to enterprises’ data. Here are three examples of these types of threats, and how companies can proactively defend against them.

Risk #1: Data Loss: Data loss is relatively straightforward to handle; enterprises should be able to remotely wipe lost or stolen devices. However, when the personal is intertwined with the professional, enterprises should only be empowered to remove work-related content. So – in case the device is recovered – the employee’s personal data can also be recovered.

Encrypting enterprise content and improving device security through access passcodes and ensuring the OS is up-to-date can help prevent criminals from extracting sensitive data from the device. But new research from IBM Security into one million BYOD and corporate-issued devices found that nearly 80 percent of companies enforce only the most basic option to protect their data on employees’ phones: a 4-5 digit PIN. As hackers increasingly recognize mobile as an emerging attack vector, it’s essential that organizations update their mobile security policies accordingly, and require their employees to use lengthier passcodes to protect their data.

Risk #2: Data Leak: When an employee shares company data from a mobile device with an unauthorized app or third party, he or she is a mere click away from placing corporate data at a significant risk. In order to prevent data leakage, companies need to develop centralized policies offering granular control of how data is accessed, used and shared with specific applications and users. Data leak prevention can be enforced within individual corporate mobile apps or within content containers on the device.

Data leaks can also be caused by application vulnerabilities exploited by malware. According to a March IBM-sponsored Ponemon Institute study (registration required), nearly 40 percent of companies, including many in the Fortune 500, aren’t properly securing the mobile apps they build for customers. That’s why IT directors must ensure enterprise apps are vulnerability-free in order to improve resilience to data leakage.

Risk #3: Data Breach: If an employee-owned device connected to the company’s network becomes compromised by malware, from downloading a malicious app or faulty device security, the whole network is susceptible to a data breach. This requires a different level of data breach prevention at the point of network entry, one that involves a deeper understanding of the risk profile of the device and the user. High risk factors include compromised and vulnerable devices, the context of the access (time, location) and historical access patterns (what is being accessed, how often). Context- and risk-aware access control can enable enterprises to minimize the risk mobile devices pose to their networks.
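
The risk factors listed above (device state, time and location of the access, historical access patterns) can be combined into a single decision at the point of network entry. The sketch below is an added example, not part of the original article or of any vendor's product; every field name, weight and threshold in it is an assumption chosen for illustration.

```python
from dataclasses import dataclass
from datetime import datetime

# All field names, weights and thresholds are assumptions made for this example.
@dataclass
class AccessRequest:
    device_compromised: bool  # e.g. jailbreak/root or malware flag from device management
    os_patched: bool          # device runs a current OS build
    country: str              # coarse location of the request
    when: datetime            # local time of the request
    resource: str             # what is being accessed

@dataclass
class History:
    usual_countries: set      # locations this user has connected from before
    usual_hours: range        # local hours in which the user normally works
    resource_counts: dict     # resource -> number of past accesses
    requests_last_hour: int   # how often the user accessed data in the last hour
    typical_hourly_max: int   # highest hourly rate seen in the user's history

def assess_access(req, hist):
    """Return (decision, reasons); decision is 'allow', 'step_up' or 'deny'."""
    if req.device_compromised:            # a compromised device is never admitted
        return "deny", ["compromised device"]
    score, reasons = 0, []
    def add(points, reason):
        nonlocal score
        score += points
        reasons.append(reason)
    if not req.os_patched:
        add(30, "vulnerable device: OS out of date")
    if req.country not in hist.usual_countries:
        add(30, "unusual location")
    if req.when.hour not in hist.usual_hours:
        add(15, "unusual time")
    if hist.resource_counts.get(req.resource, 0) == 0:
        add(15, "resource never accessed before")
    if hist.requests_last_hour > hist.typical_hourly_max:
        add(25, "access rate above historical pattern")
    if score >= 60:
        return "deny", reasons
    if score >= 30:
        return "step_up", reasons         # e.g. require re-authentication
    return "allow", reasons

# Constructed sample history for one user (not real data).
HIST = History({"US"}, range(7, 20), {"crm": 40, "mail": 300}, 5, 20)
```

With the constructed history, a patched device requesting mail from the usual country during working hours is allowed, an unpatched one is asked to re-authenticate, and a request from a new country at 3 AM for a never-used resource is denied.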

Looking ahead, understanding and building a plan to lessen the risks to company data is an essential part of realizing the benefits mobility brings to employees and businesses alike. 

Subbu Sthanu is the Director of Mobile Security and Application Security at IBM. Prior to IBM, Subbu served on the leadership teams of security software vendors like Novell, NetIQ, Trustwave and BeyondTrust, heading up product management, marketing, corporate development and ...
Comments
Sagiss, LLC
11/19/2015 | 11:45:53 AM
Getting the Word Out
This is a great article. Another vastly important factor that often goes overlooked by businesses is educating employees on these BYOD risks. Simply taking the time to ensure that employees understand their part in the whole has the potential to save companies from massive (and costly) data losses. 