Disclaimer: This literature review has been written by a student and is not an example of our professional work.

Any opinions, findings, conclusions, or recommendations expressed in this literature review are those of the authors and do not necessarily reflect the views of UKDiss.com.

Security Risks of 'Bring Your Own Device' Policy

Info: 4128 words (17 pages) Example Literature Review
Published: 11th Oct 2021

BYOD security risks, challenges and recommendations for Enterprise Organizations

Introduction and Background

According to a recent survey of global CIOs, half will require employees to supply their own devices by 2017 [1]. Bring Your Own Device (BYOD) is the "strategy that allows employees, business partners and other users to use a personally selected and purchased client device to execute enterprise applications and access data" (Gartner 2013). Recent reports claim 59% of organizations allow employees to use their own devices for work purposes. Another 13% had planned to allow use within a year [8]. As with every initiative that tends to increase usability, security risks are prevalent with BYOD, and the need for effective device security controls cannot be overemphasized. In addition to the security risks inherent in a BYOD model, there are challenges to adopting this approach, and these are more cumbersome for organizations that lack the in-house resources to mitigate them.

This paper seeks to provide more insight into the security risks inherent in implementing a BYOD approach, and the challenges that Enterprise Organizations face. The paper also provides recommendations for Enterprise Organizations to mitigate these risks.

Literature reviews

This literature review focuses on the security risks and challenges that Enterprise Organizations face when the Bring Your Own Device approach is adopted.

BYOD risks

Despite the benefits of implementing BYOD, it has also created risks for organizations. Security and privacy are risks faced by both organizations and employees, in different ways. Enterprise Organizations are usually faced with securing employee-owned devices. With a corporate-owned device, by contrast, the employer has complete control of the asset and can install software and control functionality. Organizations tend to be more concerned about the security of corporate data (and how user behavior threatens it), while employees are more concerned about the privacy and confidentiality of their personal data (and what rights their employers have to access it) [7]. Security and information incidents have risen in the past, mostly concerning personal mobile devices [2]. In 2015, 74 percent of businesses experienced a data breach as a result of unsecure mobile device use [4].

To capitalize on the benefits of BYOD without sacrificing security, it is essential for security teams to fully understand potential threats and to preemptively develop plans to mitigate the risks to enterprise data [5]. In a recent study from Bitglass, 30 percent of the 400 IT experts surveyed were hesitant to adopt BYOD due to security concerns such as data leakage, shadow IT and unauthorized data access [6]. Unauthorized data access and data leakage remain the top security concerns for Enterprise Organizations that adopt a BYOD approach. Mobile devices are the weakest link when it comes to network security because they are the most susceptible to attacks. Mobile phones and tablets require constant patch updates to close security loopholes, and even a single missed patch can leave company data vulnerable [9].

Due to the nature of BYOD, companies have minimal control over any corporate data either stored on employee devices or accessed via employee devices. If an employee forgets to install a security update, connects to a suspicious Wi-Fi signal, or loses their phone, it could put the company's data at risk. Having employees use their own devices for work also makes it difficult to distinguish between personal data and corporate data. If the device is lost or stolen, corporate data can be put at risk. Allowing these two different types of data on the same device can also pose significant privacy concerns, especially if an employee leaves the company.

These risks make it pertinent for Enterprise Organizations to adopt a security approach when implementing BYOD strategies.

BYOD challenges

The major challenge that Enterprise Organizations face is influencing how personal devices, which are not part of organizational fixed assets, are used, so as to protect organizational information security on these devices [3]. This makes enforcing compliance very difficult. Certain organizations, such as those in healthcare, have incredibly strict regulations about the use and distribution of information. Companies absolutely must comply with these policies, even if the data resides on an employee-owned device [10]. Organizations need effective ways to preserve the confidentiality, integrity and availability of sensitive information accessed or manipulated as personal devices become more common. In addition, organizations need to maintain visibility and control over an ever-changing array of company-issued and personal devices, as well as manage a variety of users (employees, contract workers, visitors), all with varying privileges. Lastly, employee reactions, emotions and observance of BYOD security policies present ongoing challenges for Enterprise Organizations to monitor, contain and maintain [8].

Due to all these challenges, BYOD is often seen as complex, dangerous and expensive. End users may have similar concerns of their own, namely how to protect their private sphere and activities from their employer.


[1] Gartner, Information Technology Gartner glossary [Online glossary]. Available https://www.gartner.com/it-glossary/bring-your-own-device-byod [Accessed Oct 9, 2019]

[2] H. Romer, "Best practices for BYOD security", Computer Fraud & Security, 2014(1), 11-16.

[3] Z. Zulkefli, M. M. Singh & N. H. A. H. Malim, "Advanced Persistent Threat Mitigation Using Multi Level Security – Access Control Framework", 2015. ISYS 90044 Minor Research Project in IS | Computational Science & Its Applications -- ICCSA 2015: 15th International Conference, Banff, AB, Canada, June 22-25, 2015, Proceedings, Part IV, 90.

[4] M. Bernhadt, "BYOD: How your business can address the 5 biggest vulnerabilities" ccbtechnology.com Jul 6, 2018 [Online]. Available https://ccbtechnology.com/byod-5-biggestsecurity-risks/ [Accessed Oct 9, 2019]

[5] S. Sthanu, "BYOD 2015: Data Loss, Data Leaks & Data Breaches" Apr 11, 2015 [Online]. Available https://www.darkreading.com/mobile/byod-2015--data-loss-data-leaks-and-databreaches/a/d-id/1322994 [Accessed Oct 9, 2019]

[6] S. Poremba, "As BYOD Adoption and Mobile Threats Increase, Can Enterprise Data Security Keep Up?" Jan 24, 2019 [Online]. Available https://securityintelligence.com/as-byod-adoptionand-mobile-threats-increase-can-enterprise-data-security-keep-up/ [Accessed Oct 8, 2019]

[7] P. Hoelscher, "BYOD security: What are the risks and how can they be mitigated" comparitech.com Nov 5, 2017 [Online]. Available https://www.comparitech.com/blog/information-security/byod-security-risks/ [Accessed Oct 10, 2019]

[8] T. Maddox, "BYOD, IoT and wearables thriving in the enterprise" TechRepublic Premium [Online]. Available https://www.techrepublic.com/article/byod-iot-and-wearables-thriving-inthe-enterprise/ [Accessed Oct 10, 2019]

[9] V. Armour, "Keeping Your Network Secure in a Bring Your Own Device World" virtualamour.com Jan 21, 2019 [Online]. Available https://www.virtualarmour.com/keepingyour-network-secure-in-a-bring-your-own-device-world/ [Accessed Oct 10, 2019]

[10] Simple MDM, "The Challenges Of A Bring Your Own Device (BYOD) Policy" April 10, 2019 [Online]. Available https://simplemdm.com/challenges-of-bring-your-own-device-byodpolicy/ [Accessed Oct 11, 2019]

[11] RSI Security, "BRING YOUR OWN DEVICE SECURITY ISSUES AND CHALLENGES" May 10 2019 [Online]. Available https://blog.rsisecurity.com/bring-your-own-device-security-issues-andchallenges/ [Accessed Oct 11, 2019]
