While most IT departments have started implementing Bring Your Own Device security policies, both employees and IT policymakers need to do more to boost their knowledge of the risks involved.
Sound IT policy making, employee education and a sense of personal responsibility remain vital to a secure workplace. However, most businesses are struggling to implement adequate BYOD policies.
"While businesses are generally good at implementing IT security, this mentality is not transferred to mobile devices, nor to their users," says Paul Gainham, Juniper Networks’ senior director of solutions for EMEA.
Nearly one-quarter of European companies (24%) report they have experienced a security breach as a result of personal mobile devices accessing company data. In China, that number grows to almost two-thirds (69%).
The problem is that these mobile devices, such as iPhones and iPads, are considered ‘low-risk’ when compared to laptop or desktop PCs. PC users have developed the habit of keeping their anti-virus and firewall software updated, and this mentality needs to be carried over to smartphones and tablets, says Gainham.
This is becoming a major problem as consumer devices enter the workplace in greater numbers.
According to research by Juniper Networks’ Trusted Mobility Survey, mobile users already average three internet-connected devices. Of these users, 18% own 5 or more devices.
Nushin Hernandez, of Canalys’ Enterprise Security Analysis services, says that smartphones grew by 62.7% in 2010-11 and tablets by 274.3%. In the same period, PCs grew by 14.8%.
This phenomenal growth is predicted to slow, over the next 4 years, to around 20% for both smartphones and tablets. PCs will slow to 11%.
Hernandez agrees that the consumerisation problem requires more than just quick IT fix-its, but a holistic view across the entire business that incorporates education for end users.
"The perception is that these devices are ‘just’ mobile phones, not the highly sophisticated computers they actually are."
Whereas historically workplace data was generally limited to a single server in a backroom – with limited access outside the workplace beyond physical media – the modern consumerised workplace, combined with networks, the cloud and the internet, means that data is very fluid.
"The new security perimeter for a business is where the data resides – today that means everywhere," said Gainham.
Worryingly, Juniper’s research shows that nine out of ten (89%) business users say they use their mobile device to access sensitive work information, even though only 15% have confidence in the security of their mobile device.
Outside of the enterprise, 60% of consumer respondents reported that they connect to unsecured Wi-Fi hotspots, and do not even know the difference between a secured and an unsecured network.
Put simply, trust in mobile security is uncertain. This lack of consumer confidence could put mobile adoption rates at risk.
18% of U.K. respondents said they had little confidence in the security of their mobile devices, while 60% simply do not know.
The survey found that all it would take is a single security vulnerability for users to change their behaviour. This includes abandoning certain mobile services altogether.
The majority of people questioned in the U.K. (74%) said they would stop using critical services. This rose to 83% with online banking. 62% said they would no longer send private communications, and more than half (53%) would stop viewing work-related information.
Interestingly, where the finger of blame gets pointed is quite different. End users are first to point the finger at the mobile network operator (62%), 36% at the antivirus company, and 35% at the device manufacturer.
Gainham disagrees with those who claim that reports of mobile malware have been exaggerated by anti-virus companies. Apple users especially seem to think themselves immune on smart devices, much as they do on Macs.
Juniper’s research shows a 155% increase in malware for phones – across all platforms.
"It is not just a bunch of security companies looking for a new market… We are. But the threat here is real," said Gainham.
Beyond malware, malicious intent is a big problem. Oliver Croften, director of Vigilante Bespoke and an ethical hacker, agrees that awareness of the issues remains limited amongst most users. Given the endless variants of mobile phones available, even getting a stable platform across the company is difficult for IT departments.
While much attention is focused on ‘hacking’ of phones, many of the tricks used by criminals and mischief makers are often quite simple – such as impersonating a familiar phone number, or renaming an unsecured Wi-Fi hotspot as BTOpenzone and then freely accessing the user’s device.
End users need to be made aware of this, much as they were when opening strange .exe or .bat files on floppy disks in the 90s. Nowadays, mobile apps are also becoming a problem.
Consumers often download these apps giving them access to Facebook or their contact book without even thinking. While that is fine (if risky) on a personal device, it is not safe – nor responsible – on a work device or a dual use device.
The problem is not so much these apps farming personal contacts, but the targeting of company property – such as Microsoft Exchange email contact lists. This blurs the line between a personal data ‘hack’ and an enterprise data ‘hack’.
As Croften puts it, in the IT department security sense, "they are theoretically two completely unrelated problems."
The IT department cannot stop someone’s personal device, once it has been used on the company network, from acting as a Trojan horse. The solution?
"There is no one size fits all solution. Education is the only answer."