By Christine Vanderpool
[Excerpted from “Bring Your Own Device Policies and Practices,” which is published in SCCE’s The Complete Compliance and Ethics Manual – 2016]
Allowing people to bring their own devices into a corporate environment and network does mean increased risk to the organization. A company should weigh the savings associated with a BYOD program against the risks associated with allowing users to bring their own devices. The risks can be partially mitigated by putting in place the right safeguards. The best safeguard to begin with is a policy that outlines the proper requirements, practices, restrictions and procedures related to bringing your own device. Other safeguards include tools, processes and education.
When an enterprise is building its BYOD guidelines, procedures and policies, there are several important risks to address. The list below is not all-inclusive, but it covers key risks that can exist when moving to a BYOD model.
- Jailbreaking and rooted devices
The first area to address is not allowing the use of jailbroken or rooted devices. Jailbreaking is when a person removes the preset restrictions of the iOS operating system on an Apple device. Rooting is when a person obtains privileged control or administrator-level access over an Android device. Both of these activities can leave the device vulnerable to attacks, which include but are not limited to:
  - Command and control attacks
  - Insertion or extraction of files by a malicious user
  - Use of key logging, sniffing or other malicious software to obtain user credentials to critical applications
  - Installation of flawed applications or of malicious or harmful unvetted applications
- Vulnerable software and devices
When individuals own and control their own device, they own and control the updates made to the device and the applications on the device, which can mean that known vulnerabilities will not be addressed in a timely manner. Operating systems have regular updates to address issues, which often include security risks. The same is true for applications. It is important to keep both the operating system and all applications on a device up to date with the latest releases.
- Wireless access points
Most mobile devices are set up to allow a connection to any Wi-Fi access point or network as soon as one is recognized or found. The device will automatically connect to it without verification of any form. This can be a big risk when the person has company information or data on the device and connects to a network that is not secure. A scenario such as this now presents the opportunity for a man-in-the-middle attack, which could allow someone to use that public access point to get into the company’s corporate data and resources.
- Email exposure and cross pollination
When a person is using his or her personal device, he or she will often have multiple email accounts accessed by the device. These accounts are usually loaded into the native email client on the device. The device will have preset configurations to specify which email account to use as the default sender when email is utilized by other applications such as photo sharing, SMS text messages, etc. The person may accidentally send an email to or from a personal email that should have been sent using the company email address or vice versa, which could lead to data loss or exposure of confidential or sensitive data.
- Cloud-based storage services
Similar to the risks associated with email and data loss prevention are the risks that exist with the use of cloud-based storage services on mobile devices. Data is easily accessible today from anywhere at any time and on any device with the use of cloud-based storage services. It is difficult for an enterprise to control the loss of sensitive or confidential data, since the access controls to this information are managed and distributed by the content owners of the data. In addition, most people auto log in to these applications (they do not enter a user ID and password each time they open an application), which means greater risk of exposure if the device is not controlled by a screen lock or screen password.
- Lost or stolen devices
Losing a device or having it stolen can occur regardless of ownership of the device. The big differences between company-issued devices and a BYOD model involve the reporting of the incident and what additional controls exist to protect what is lost or stolen (for example, screen lock or screen password controls, or device-wiping capabilities). If an enterprise is not made aware of a lost or stolen device, it cannot assess the potential risk associated with the incident and take the proper steps to limit the exposure. In addition, the company may or may not have capabilities to remote-wipe the device to remove the data or, at a minimum, limit the exposure from data loss.
- Harmful or malicious applications
Although the iTunes and Google stores do attempt to control what applications are available for download, there are applications that can introduce harmful or malicious code onto the device. Additionally, such applications may request and, with the user’s permission given through such steps as acceptance of terms and conditions, gain access to the device’s location services, pictures, SMS text messaging, etc. The user may be unaware that he or she has allowed the device to report back this information to a potentially harmful source.
For more information on The Complete Compliance and Ethics Manual – 2016, see http://www.corporatecompliance.org/Products/ProductInfo.aspx?productcd=MANUAL2016.