A growing number of enterprises continue to expand the reach of their bring-your-own-device (BYOD) programs, bringing contractors, partners and others into the fold along with employees, but admit to being concerned that their efforts are opening them up to greater security risk, according to a recent survey.
In the report entitled "Mission Impossible: Securing BYOD," researchers for cloud access security broker Bitglass found that 85% of companies surveyed have some sort of program allowing at least their employees to use their personal mobile devices, particularly smartphones and tablets, for work.
Some of these same companies have also opened up the BYOD programs to contractors, partners, suppliers and customers, according to the survey.
However, 51% report that the number of threats to mobile devices has grown over the past year, and only 30% are confident they have the proper security in place to protect personal and mobile devices against malware. The BYOD safety concerns range from data leakage and unauthorized persons accessing data, to the inability to control uploads and downloads, to lost or stolen devices.
The survey of 400 IT experts illustrates the challenge that BYOD has presented to enterprises over the past several years. There are myriad reasons to embrace the trend, but it also greatly expands an enterprise’s attack surface and highlights the challenges of securing personal mobile devices. (See Cisco: As Business Users Go Mobile, So Do Attackers.)
"Most companies are happy to allow BYOD because of the many benefits cited in the survey results, including enhanced flexibility, mobility, employee satisfaction, reduced costs, and more," Jacob Serpa, product marketing manager at Bitglass, told Security Now in an email. "It's also a good way to attract and retain top talent as many employees are now expecting to be able to work from their personal devices. In other words, IT departments are making the conscious decision to allow BYOD, but aren't always doing so securely."
Serpa noted that, in the survey, 42% of companies are relying on "ill-suited, agent-based tools to secure corporate email on BYOD, and 24% don't secure it at all. If organizations continue to blindly accept the benefits of BYOD without taking the proper steps to secure it, they are rendering themselves highly vulnerable to data leaks."
BYOD has been around for almost a decade, coinciding with the introduction of first smartphones and then tablets. The proliferation of personal mobile devices combined with the growth of cloud computing made it easier for employees to use their smartphones and tablets for work, including accessing the corporate network and downloading cloud apps and services.
It also gave bad actors an avenue to steal data and another pathway into a business's IT environment.
"Hackers know that personal devices typically have fewer built-in protections than managed devices, so they see BYOD endpoints as easy gateways into corporate networks and applications," Serpa said. "Typically, attacks targeting these devices are enabled by careless employee behavior. For example, workers checking personal emails or browsing social media at home can easily have their passwords stolen or their devices infected with malware if they click on malicious links or download suspect files. Stolen credentials can be used to grant direct access to enterprise resources, while malware can spread throughout an organization's systems via files uploaded from infected devices."
The problem is that the endpoint protections organizations have traditionally relied on are difficult to install on every mobile device workers use during the course of their workdays, he said. In addition, one in five organizations in the survey said they lack visibility into basic cloud-native apps -- such as email -- on employees' devices.
"As you cannot secure what you cannot see, visibility into cloud apps is the first step towards data protection," the researchers said in the report. "Unfortunately... organizations do not have sufficient visibility into applications on BYO devices. Only 55% of firms can monitor file-sharing apps, like Box and Dropbox, that can easily be used to share highly sensitive files. Likewise, only 49% of enterprises can see what is done with their information in messaging apps like Slack."
The lack of visibility and control over data downloaded to personal devices means that data is frequently targeted by threat actors, highlighting the need for tools such as selective wipe, which lets a business remotely remove corporate data from a personal device while leaving the owner's personal data untouched.
Bitglass's Serpa said many companies may be overestimating what their traditional security tools -- which were built to secure managed devices on-premises -- can do in an era of cloud and BYOD, and may believe that their devices and the data they hold are more secure than they are. There may also be a reluctance to invest in the tools they need in light of the massive amounts of money they have spent over the years on the security solutions protecting their on-premises infrastructure.
"Unfortunately, many companies are getting blinded by BYOD's many benefits and are treating proper cybersecurity like an afterthought," he said.
Serpa said there are multiple tools companies can buy, such as identity and access management (IAM), single sign-on (SSO) and multi-factor authentication (MFA). In addition, user and entity behavior analytics (UEBA), which detects anomalous user activity, and agentless security solutions deployed in the cloud should also be used.
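To make the UEBA idea concrete, here is an added example (not code from the Bitglass report or any product it describes) that builds a per-user baseline from constructed cloud-app access logs and then flags new events that deviate from it: a device the user has never been seen on, access outside working hours, or a download far larger than the user's historical volume. The log format, the working-hours window and the z-score threshold are all assumptions made for the example; the sample log lines are constructed, not real data.

```python
"""Minimal UEBA-style anomaly check over constructed BYOD access-log lines.

Added illustration, not Bitglass code. A per-user baseline is learned from
historical events, and each new event is scored for three deviations:
an unseen device, off-hours access, and an unusual download volume.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log lines (not real data). Assumed CSV layout:
# timestamp,user,device_id,app,action,bytes
HISTORY = """\
2018-09-03T09:12:00,alice,dev-a1,box,download,120000
2018-09-03T10:40:00,alice,dev-a1,box,download,98000
2018-09-04T09:05:00,alice,dev-a1,slack,message,2000
2018-09-04T14:20:00,alice,dev-a1,box,download,110000
2018-09-03T08:55:00,bob,dev-b1,dropbox,download,50000
2018-09-04T09:30:00,bob,dev-b2,dropbox,download,45000
2018-09-05T11:00:00,bob,dev-b1,slack,message,1500
"""

NEW_EVENTS = """\
2018-09-06T09:30:00,alice,dev-a1,box,download,105000
2018-09-06T02:15:00,alice,dev-z9,box,download,2500000
2018-09-06T10:00:00,bob,dev-b2,dropbox,download,48000
"""

# Assumed working-hours window: 07:00 through 19:59 is treated as normal.
WORK_HOURS = range(7, 20)


def parse(lines):
    """Turn the CSV-style log text into a list of event dicts."""
    events = []
    for line in lines.strip().splitlines():
        ts, user, dev, app, action, nbytes = line.split(",")
        events.append({
            "ts": datetime.fromisoformat(ts), "user": user, "device": dev,
            "app": app, "action": action, "bytes": int(nbytes),
        })
    return events


def build_baseline(history):
    """Per user: the set of devices seen and the list of download sizes."""
    base = defaultdict(lambda: {"devices": set(), "downloads": []})
    for e in parse(history):
        b = base[e["user"]]
        b["devices"].add(e["device"])
        if e["action"] == "download":
            b["downloads"].append(e["bytes"])
    return base


def score_event(e, baseline, z_threshold=3.0):
    """Return the list of reasons an event looks anomalous (empty if none)."""
    reasons = []
    b = baseline.get(e["user"])
    if b is None:
        return ["unknown_user"]
    if e["device"] not in b["devices"]:
        reasons.append("new_device")
    if e["ts"].hour not in WORK_HOURS:
        reasons.append("off_hours")
    if e["action"] == "download" and len(b["downloads"]) >= 2:
        mu, sigma = mean(b["downloads"]), pstdev(b["downloads"])
        if sigma > 0:
            unusual = (e["bytes"] - mu) / sigma > z_threshold
        else:
            # Edge case: identical historical sizes give sigma == 0, so fall
            # back to a simple ratio test instead of dividing by zero.
            unusual = e["bytes"] > 3 * mu
        if unusual:
            reasons.append("download_volume")
    return reasons


def detect(history, new_events):
    """Score every new event against the baseline and return the alerts."""
    baseline = build_baseline(history)
    alerts = []
    for e in parse(new_events):
        reasons = score_event(e, baseline)
        if reasons:
            alerts.append((e["user"], e["device"], e["ts"].isoformat(), reasons))
    return alerts


if __name__ == "__main__":
    for user, device, when, reasons in detect(HISTORY, NEW_EVENTS):
        print(f"ALERT {user} on {device} at {when}: {', '.join(reasons)}")
```

Run as a script, it raises a single alert for alice's 02:15 download of 2.5 MB from the never-before-seen device dev-z9, citing all three reasons; the two routine events pass silently. In practice the baseline would be learned over weeks rather than a few lines, and the alert would feed an IAM or CASB policy (step-up MFA, block the download, or trigger a selective wipe of that device) rather than just a print statement.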
Fifty-six percent of those surveyed put remote wipe and mobile device management as the technologies they use or are planning to use, while other tools included device encryption and anti-malware.
— Jeffrey Burt is a long-time tech journalist whose work has appeared in such publications as eWEEK, The Next Platform and Channelnomics.