The proliferation of smartphones and the convenience such devices offer users have led many organizations to allow a BYOD environment in which employees log in to the corporate network using their personal mobiles. This ensures that employees remain connected to the ‘mother hen’ on a 24x7x365 basis, even when on the move. Considerable savings on hardware and electricity are the spin-off benefits. However, such benefits come at the cost of security. BYOD devices pose security risks that can wreak havoc with the corporate network and cause major security breaches.
The threat from BYOD comes in two dimensions—external and internal.
The external threat in the BYOD environment arises when a hacker tries to infiltrate the network through a BYOD device. Unless the organization has taken meticulous care in actually implementing the security rigmarole required for BYOD devices, hackers can exploit an outdated app or an OS missing the latest patch to gain a foothold on the BYOD device and enter the corporate network when the employee logs in using that device.
However, a far bigger yet underestimated threat is the internal one. Employees and other stakeholders with access to the network come from many seedy backgrounds that background checks do not always detect. The BYOD device makes it very easy for many such people—the disgruntled employee, the corporate spy, the opportunist bounty seeker or the secret member of the local hacktivist collective—to try to steal intellectual property, since they already have legitimate, largely unrestrained access and can damage the network from within. BYOD offers such malcontents more ways to connect to the network and move data around without the restraining checks or watchful eyes that deter such activity on office desktops. Then there is always the possibility of an enterprising bounty seeker stealing the device itself simply to get at the data.
The internal threat need not even be intentional. With employees using the BYOD device for both work and personal purposes, the odds that the device stores sensitive corporate information, be it customers’ credit card numbers or trade secrets, are very high. Hackers and cyber snoopers, anticipating such a big haul, may already have slipped in apps that have been granted permission to access all data on the smartphone, and presto, sensitive information is passed on ‘officially’ and no one is any the wiser. There is also the chance of careless employees letting sensitive information slip by accessing social media from the same device, by backing up the smartphone, or by attaching the wrong file to an email.
The way out is seemingly obvious: laying out comprehensive policies and procedures. Rolling out policies is easy. The hard part is actually implementing them in the face of a myriad of devices that come in all hues, with no standardization at any level, be it device configuration or OS. Many companies do not bother, finding themselves constrained by budget, time and lack of resources. Those who surmount such impediments may still find themselves without the infrastructure or technology to actually enforce the BYOD policies. There is unfortunately no easy way out—reaping the benefits of BYOD without compromising security requires hard grind and sizable investment.