Mobile Security

11/19/2018
08:05 AM
Jeffrey Burt

Security Concerns Increasing as BYOD Programs Continue to Grow

Businesses are expanding their BYOD programs to include partners, customers and others, but most are behind in securing their mobile environments, according to a Bitglass survey.

A growing number of enterprises continue to expand the reach of their bring-your-own-device programs, bringing contractors, partners and others into the fold along with employees, but admit to being concerned that their efforts are opening them up to greater security risk, according to a recent survey.

In the report entitled "Mission Impossible: Securing BYOD," researchers for cloud access security broker Bitglass found that 85% of companies surveyed have some sort of program allowing at least their employees to use their personal mobile devices, particularly smartphones and tablets, for work.

Some of these same companies have also opened up the BYOD programs to contractors, partners, suppliers and customers, according to the survey.

However, 51% report that the number of threats to mobile devices has grown over the past year, and only 30% are confident they have the proper security in place to protect personal and mobile devices against malware. The BYOD safety concerns range from data leakage and unauthorized access to data, to the inability to control uploads and downloads, to lost or stolen devices.

The survey of 400 IT experts illustrates the challenge that BYOD has presented to enterprises over the past several years. There are myriad reasons to embrace the trend, but it also greatly expands an enterprise’s attack surface and highlights the challenges of securing personal mobile devices. (See Cisco: As Business Users Go Mobile, So Do Attackers.)

"Most companies are happy to allow BYOD because of the many benefits cited in the survey results, including enhanced flexibility, mobility, employee satisfaction, reduced costs, and more," Jacob Serpa, product marketing manager at Bitglass, told Security Now in an email. "It's also a good way to attract and retain top talent as many employees are now expecting to be able to work from their personal devices. In other words, IT departments are making the conscious decision to allow BYOD, but aren't always doing so securely."

Serpa noted that, in the survey, 42% of companies are relying on "ill-suited, agent-based tools to secure corporate email on BYOD, and 24% don't secure it at all. If organizations continue to blindly accept the benefits of BYOD without taking the proper steps to secure it, they are rendering themselves highly vulnerable to data leaks."

BYOD has been around for almost a decade, coinciding with the introduction of first smartphones and then tablets. The proliferation of personal mobile devices combined with the growth of cloud computing made it easier for employees to use their smartphones and tablets for work, including accessing the corporate network and downloading cloud apps and services.

It also gave bad actors an avenue to steal data and another pathway into a business's IT environment.

"Hackers know that personal devices typically have fewer built-in protections than managed devices, so they see BYOD endpoints as easy gateways into corporate networks and applications," Serpa said. "Typically, attacks targeting these devices are enabled by careless employee behavior. For example, workers checking personal emails or browsing social media at home can easily have their passwords stolen or their devices infected with malware if they click on malicious links or download suspect files. Stolen credentials can be used to grant direct access to enterprise resources, while malware can spread throughout an organization's systems via files uploaded from infected devices."

The problem is that the endpoint protections that organizations traditionally have relied on are difficult to install on every mobile device workers use during the course of their workdays, he said. In addition, one in five organizations in the survey said they lack visibility into basic cloud-native apps -- such as email -- on employees' devices.

"As you cannot secure what you cannot see, visibility into cloud apps is the first step towards data protection," the researchers said in the report. "Unfortunately... organizations do not have sufficient visibility into applications on BYO devices. Only 55% of firms can monitor file-sharing apps, like Box and Dropbox, that can easily be used to share highly sensitive files. Likewise, only 49% of enterprises can see what is done with their information in messaging apps like Slack."

The lack of visibility and control over data downloaded to personal devices means the data on the devices are frequently targeted by threat actors, highlighting the need for such tools as selective wipe, which enables businesses to remotely remove corporate data from personal devices while keeping the personal data unharmed.

Bitglass's Serpa said many companies may be overestimating what their traditional security tools -- which were made to secure managed devices on-premises -- can do at a time of the cloud and BYOD, and may believe that their devices and the data they hold are more secure than they are. There also may be a reluctance to invest in the tools they need in light of the massive amounts of money they've spent over the years on the security solutions being used to protect their on-premises infrastructure.

"Unfortunately, many companies are getting blinded by BYOD's many benefits and are treating proper cybersecurity like an afterthought," he said.

Serpa said there are multiple tools companies can buy, such as identity and access management (IAM), single sign-on and multi-factor authentication. In addition, user and entity behavior analytics (UEBA) that detect anomalous user activity and agentless security solutions deployed in the cloud also should be used.

Fifty-six percent of those surveyed put remote wipe and mobile device management as the technologies they use or are planning to use, while other tools included device encryption and anti-malware.


— Jeffrey Burt is a long-time tech journalist whose work has appeared in such publications as eWEEK, The Next Platform and Channelnomics.
