By Sean Newman, Field Product Manager, Cisco
It’s the time of year when people start booking their summer holidays, and for employers it is vital that they ensure their BYOD (Bring Your Own Device) policies are rigorous enough to protect their business against any potential data breach while their staff are away enjoying a fortnight in the sun.
The balance between work and social life has become more blurred with employees able to access websites, social media and emails from their smartphones or tablets in or out of the office anytime and anywhere in the world. As a result, concerns around BYOD have increased. While companies recognise the benefits of mobile technology in terms of productivity and competitiveness, they are not always focused on the risk this poses in terms of potential cyber-attack.
There is no doubt that adoption of mobile devices in the workplace presents a challenge that is as much a question of policy and control as it is about the technology itself. According to analyst firm TechMarketView, over 10 million UK employees are predicted to be using personal devices in the workplace by 2016.
For the IT security team this has the potential to be a real headache as they count the ways in which the BYOD trend complicates their work lives. And, as the transition from desk-bound computers to laptops, tablets and smartphones continues gathering pace, it’s no surprise that hackers are choosing mobile devices as their next target. It makes economic sense and they are simply ‘following the mobile money’.
The issue with employee-owned mobile devices is that they can access corporate resources outside of the control of the corporate IT function. This means it can be difficult to identify even basic environmental data for these devices, such as the number and type of devices being used, and the operating systems and applications they are running.
The proliferation of mobile devices and their growing use in the workplace has fuelled a rapid growth in mobile malware, significantly increasing the risk to individuals and their employers. Research indicates that 79% of malicious attacks on mobiles in 2012 occurred on devices running Google's Android operating system, according to US authorities. Given the lack of even basic visibility, many IT security teams certainly don’t have the capability to identify potential threats from these devices.
However, despite the pitfalls, the benefits of BYOD are often too strong to ignore. So, in order to regain control in this mobile world, IT security professionals must be able to see everything in their environment, so they can establish risk level and then secure it appropriately. For most enterprises, the right solution is to implement BYOD policies that clearly define the proper use of employee-owned devices in the enterprise and then have enough checks and controls in place to enforce those policies.
At the end of the day, security of mobile devices is ultimately a question of three phases:
• Before — establishing control over how mobile devices are used and what data they can access and store.
• During — Visibility and intelligence is vital if security professionals can hope to identify the threats and risky devices and monitor their activities on the corporate network
• After — when the inevitable happens and the network is compromised by a threat, be able to retrospectively review how that threat entered the network; which systems it interacted with and what files and applications were run to ensure it can be cleaned up as quickly as possible.
Organisations need to ensure the risks posed by mobile devices don’t expose corporate assets to misuse or theft, otherwise they won’t be the only ones getting burned.