Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Mobile Security

08:05 AM
Jeffrey Burt
Jeffrey Burt
Jeffrey Burt

Security Concerns Increasing as BYOD Programs Continue to Grow

Businesses are expanding their BYOD programs to include partners, customers and others, but most are behind in securing their mobile environments, according to a Bitglass survey.

A growing number of enterprises continue to expand the reach of their bring-your-own-device programs, bringing contractors, partners and others into the fold along with employees, but admit to being concerned that their efforts are opening them up greater security risk, according to a recent survey.

In the report entitled "Mission Impossible: Securing BYOD," researchers for cloud access security broker BitGlass found that 85% of companies surveyed have some sort of program allowing at least their employees to use their personal mobile devices, particularly smartphones and tablets, for work.

Some of these same companies have also opened up the BYOD programs to contractors, partners, suppliers and customers, according to the survey.

However, 51% report that the number of threats to mobile devices has grown over the past year, and only 30% are confident they have the proper security in place to protect personal and mobile devices against malware. The BYOD safety concerns range from data leakage and an unauthorized person access data to the inability to control uploads and downloads to lost or stolen devices.

The survey of 400 IT experts illustrates the challenge that BYOD has presented to enterprises over the past several years. There are myriad reasons to embrace the trend, but it also greatly expands an enterprise’s attack surface and highlights the challenges of securing personal mobile devices. (See Cisco: As Business Users Go Mobile, So Do Attackers.)

"Most companies are happy to allow BYOD because of the many benefits cited in the survey results, including enhanced flexibility, mobility, employee satisfaction, reduced costs, and more," Jacob Serpa, product marketing manager at Bitglass, told Security Now in an email. "It's also a good way to attract and retain top talent as many employees are now expecting to be able to work from their personal devices. In other words, IT departments are making the conscious decision to allow BYOD, but aren't always doing so securely."

Serpa noted that, in the survey, 42% of companies are relying on "ill-suited, agent-based tools to secure corporate email on BYOD, and 24% don't secure it at all. If organizations continue to blindly accept the benefits of BYOD without taking the proper steps to secure it, they are rendering themselves highly vulnerable to data leaks."

BYOD has been around for almost a decade, coinciding with the introduction of first smartphones and then tablets. The proliferation of personal mobile devices combined with the growth of cloud computing made it easier for employees to use their smartphones and tablets for work, including accessing the corporate network and downloading cloud apps and services.

It also gave bad actors avenue to steal data and another pathway into a business's IT environment.

"Hackers know that personal devices typically have fewer built-in protections than managed devices, so they see BYOD endpoints as easy gateways into corporate networks and applications," Serpa said. "Typically, attacks targeting these devices are enabled by careless employee behavior. For example, workers checking personal emails or browsing social media at home can easily have their passwords stolen or their devices infected with malware if they click on malicious links or download suspect files. Stolen credentials can be used to grant direct access to enterprise resources, while malware can spread throughout an organization's systems via files uploaded from infected devices."

The problem is that endpoint protections that organizations traditionally have relied on are difficult to install every mobile device workers use during the course of their workdays, he said. In addition, one in five organizations in the survey said they lack visibility into basic cloud-native apps -- such as email -- on employees' devices.

"As you cannot secure what you cannot see, visibility into cloud apps is the first step towards data protection," the researchers said in the report. "Unfortunately... organizations do not have sufficient visibility into applications on BYO devices. Only 55% of firms can monitor files sharing apps, like Box and Dropbox, that can easily be used to share highly sensitive files. Likewise, only 49% of enterprises can see what is done with their information in messaging apps alike Slack."

The lack of visibility and control over data downloaded to personal devices means the data on the devices are frequently targeted by threat actors, highlighting the need for such tools as selective wipe, which enables businesses to remotely remove corporate data from personal devices while keeping the personal data unharmed.

Bitglass's Serpa said many companies may be overestimating of what their traditional security tools -- which were made to secure managed devices on-premises -- can do at a time of the cloud and BYOD and may believe that their devices and the data they hold are more secure than they are. There also may be a reluctance to invest in the tools they need in light of the massive amounts money they've spent over the years on the security solutions being used to protect their on-premises infrastructure.

"Unfortunately, many companies are getting blinded by BYOD's many benefits and are treating proper cybersecurity like an afterthought," he said.

Serpa said there are multiple tools companies can buy, such as identity and access management (IAM), single sign-on and multi-factor authentication. In addition, user and entity behavior analytics (UEBA) that detect anomalous user activity and agentless security solutions deployed in the cloud also should be used.

Fifty-six percent of those surveyed put remote wipe and mobile device management as the technologies they use or are planning to use, while other tools included device encryption and anti-malware.

Related posts:

— Jeffrey Burt is a long-time tech journalist whose work has appeared in such publications as eWEEK, The Next Platform and Channelnomics.

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 8/3/2020
'BootHole' Vulnerability Exposes Secure Boot Devices to Attack
Kelly Sheridan, Staff Editor, Dark Reading,  7/29/2020
Average Cost of a Data Breach: $3.86 Million
Jai Vijayan, Contributing Writer,  7/29/2020
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Threat from the Internetand What Your Organization Can Do About It
The Threat from the Internetand What Your Organization Can Do About It
This report describes some of the latest attacks and threats emanating from the Internet, as well as advice and tips on how your organization can mitigate those threats before they affect your business. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-08-05
Affected versions of Atlassian Fisheye allow remote attackers to view the HTTP password of a repository via an Information Disclosure vulnerability in the logging feature. The affected versions are before version 4.8.3.
PUBLISHED: 2020-08-04
In solidus before versions 2.8.6, 2.9.6, and 2.10.2, there is an bility to change order address without triggering address validations. This vulnerability allows a malicious customer to craft request data with parameters that allow changing the address of the current order without changing the shipm...
PUBLISHED: 2020-08-04
Extreme Analytics in Extreme Management Center before allows unauthenticated reflected XSS via a parameter in a GET request, aka CFD-4887.
PUBLISHED: 2020-08-04
save-server (npm package) before version 1.05 is affected by a CSRF vulnerability, as there is no CSRF mitigation (Tokens etc.). The fix introduced in version version 1.05 unintentionally breaks uploading so version v1.0.7 is the fixed version. This is patched by implementing Double submit. The CSRF...
PUBLISHED: 2020-08-04
An exploitable arbitrary file delete vulnerability exists in SoftPerfect RAM Disk 4.1 spvve.sys driver. A specially crafted I/O request packet (IRP) can allow an unprivileged user to delete any file on the filesystem. An attacker can send a malicious IRP to trigger this vulnerability.