February 6, 2017
It’s 2016. Your parents and grandparents not only have smartphones, but they are incessantly texting you and liking all your posts on Facebook. It seems that just about everyone has a smartphone these days. If you go to the developing world, you will be surprised just how common they are, even with people who don’t have much else. A Statista report estimates that there will be 4.77 billion mobile phone users in 2017, with even more tablets. Mobile devices have truly swept across our world.
Why this explosive growth? Perhaps the simplest explanation is that they have immense practical value and are available at a cost that is accessible to many (even more so than computers). From basic math to history to cutting edge science and memes, we can learn anything we want, whenever we want. Our devices enable us to keep in constant contact in ways we never thought possible and ways we probably don’t need (Snapchat). But don’t think being able to use your phone to waste a Saturday night Facebook-stalking people from high school comes with no sacrifices. Despite the convenience and wealth of information that mobile devices bring us, they also come with considerable risks.
Your phone records a lot. It has a camera (in some cases two), a microphone, and a GPS. Most of our lives go through them, whether through calls, messages, or other miscellaneous apps. You can even link up your credit card. In the wrong hands, this is a goldmine of information. The “Metaphor” exploit earlier this year reminded us that not all vulnerabilities can be addressed with software changes alone.
There is an app for everything. Even one that replaces every word with Hodor. Some of them are extremely useful, others not so much. What many have in common is that each app brings increased amounts of risk. Some are poorly coded and can leak your data, while others are susceptible to malware.
The internet is rife with malware, whether you are on your desktop or mobile. Devices are just as vulnerable to drive-by downloads, browser exploits, and phishing. In some cases, an innocent-looking website link can turn your phone into a digital spy.
Every day we are inundated with a massive number of wireless networks. The scariest of these are the untrusted networks that we know nothing about. How do you know that “FREEAIRPORTWIFI” is actually free airport wifi and not some honey-pot wifi node? By assuming that every connection is legitimate and safe, we put ourselves at risk of allowing our sensitive information to fall into the wrong hands. The information gathered can be as innocent as our browsing history, or as sensitive as our banking and medical records.
Gone are 9-5 desk jockey jobs. Many positions require people to be available near 24/7, regardless of where in the world they are at any given moment. While this can be great for boosting business productivity, it comes with problems and complications.
A BYOD policy involves allowing employees to link their devices to the company network. For many businesses this is a necessity, not just something that’s nice to have. Every device in a BYOD business is a bundle of unknowns (existing malware, access to insecure networks, weak passwords, etc.). If an employee’s device is compromised, then problems can easily spread to other parts of the network. This can lead to data breaches, network issues, and ultimately, loss of productivity.
An effective BYOD environment requires significant management to ensure that the core of the business stays safe. Steps need to be taken to limit device privileges so that they only have access to the business functions they require. Giving more access than necessary just opens a network up to greater risk. Just because BYOD policies allow employees to work from their own devices, it does not preclude management from mandating the use of critical business software, such as VPN clients and antivirus software.
A lot more data, in fact. Incorporating mobile devices into your organization will result in a huge jump in the amount of data being produced. Are you prepared to handle it all? Will your network be able to cope with the increased load and at the same time effectively monitor and control it? Do you have adequate storage systems? You must plan for this increase before moving toward a more inclusive mobile device policy; otherwise, you might end up with denial of service (DoS).
As we pepper ourselves with more and more devices, we are opening ourselves up to attacks that use our devices against us. DNS attacks not only target our devices but can also use them to attack other devices on the network. Depending on how the rest of these devices are networked, this could also have a ripple effect and bring business to a halt. To prevent this and other similar types of attacks, it is important to ensure that your devices are configured correctly and that company infrastructure is kept up-to-date with the latest security patches.
Have you ever gone to install an app, only to stop and look at the permissions it requests? A photo app will want to use your location for some reason. A puzzle app wants all of your contacts. A co-working app wants your social security number. So many applications seem to want permission for everything, even if it is only tangentially related. The issue with this is that giving unnecessary permissions brings excessive amounts of risk into your organization. All of these permissions give hackers more opportunities to find vulnerabilities and leverage their way in.
Employees will often want to install other software on their work devices, or on their personal devices that they use for work. Many of these apps may not have the same security standards as the work software. To keep out unnecessary risks, your workplace needs to implement a solid review and management process for what can be installed on work related systems.
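One concrete piece of such a review process is checking what an app asks for against what an app of its kind plausibly needs. The following is an added example (not code from the original post): it parses the requested permissions from an Android manifest and flags any that fall outside an expected set for the app's category, highlighting the sensitive ones. The category-to-permission mapping, the sensitive list, and the sample manifest are all assumptions constructed for this illustration.

```python
# Added example: flag unexpected and sensitive permissions in an Android manifest.
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Assumption for this example: what an app of each category plausibly needs.
EXPECTED = {
    "photo": {"android.permission.CAMERA",
              "android.permission.READ_EXTERNAL_STORAGE"},
    "puzzle": {"android.permission.INTERNET"},
}

# Permissions that deserve a second look whenever they show up unexpectedly.
SENSITIVE = {
    "android.permission.READ_CONTACTS",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.RECORD_AUDIO",
    "android.permission.READ_SMS",
}

def requested_permissions(manifest_xml: str) -> set:
    """Return the set of android:name values on <uses-permission> elements."""
    root = ET.fromstring(manifest_xml)
    names = (e.get(f"{{{ANDROID_NS}}}name") for e in root.iter("uses-permission"))
    return {n for n in names if n}

def review(manifest_xml: str, category: str) -> dict:
    """Compare requested permissions with the expected set for the category."""
    requested = requested_permissions(manifest_xml)
    unexpected = requested - EXPECTED.get(category, set())
    sensitive = unexpected & SENSITIVE
    return {
        "unexpected": sorted(unexpected),
        "sensitive": sorted(sensitive),
        # Block install when an unexpected permission is also a sensitive one.
        "block": bool(sensitive),
    }

# Constructed sample: a "photo" app that also wants location and contacts.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.photoapp">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
</manifest>"""

if __name__ == "__main__":
    print(review(SAMPLE_MANIFEST, "photo"))
```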
It’s always better to get the legal department involved before you do something, rather than after. You want to be asking, “Are there any legal concerns with this plan?” rather than, “Can you please get me out of hot water?” If you are gathering and storing data from employees’ devices, there could be laws that you need to consider. This is certainly true if you are a healthcare provider using a device for patient information.
Many employees don’t realize that their personal device and data can be embroiled in legal proceedings. To resolve any potential problems quickly, it is important for your organization to have a clear bring your own device (BYOD) policy, specifying exactly how personal devices can be used and any potential repercussions. As stated by Ben Wright, these policies “must be firm and must try to avoid ambiguity. Otherwise, when controversy or investigation arises, the enterprise is exposed to delay and litigation with employees.”
Use your legal team to form an effective policy from the start, rather than pay them to clean up a messy court case. We all know which one is more expensive.
Like many aspects of technology, mobile devices bring a tremendous set of advantages but also many drawbacks. A good BYOD policy can help with accessibility, productivity, and convenience, but there are many risks that need to be considered. Your organization needs a comprehensive plan for how mobile devices will be incorporated, with measures taken for the known (and unknown) threats lurking around the corner.
Want to learn more about your security readiness and risk factor? Try out our risk assessment tool to see if there are any gaps in your security plan. We’re here to help to establish or bolster your defenses so that your organization can own the day rather than being owned by your mobile devices.