Although employees like bringing their smartphones to work with them, and employers are letting them do so, new research released at this week’s RSA Conference shows that BYOD (bring your own device) raises security risks. Also at RSA, though, security vendors announced new technologies that might help to make BYOD a safer practice.
91% of corporations are now allowing “removable storage devices” — including smartphones, tablets, USB drives, and optical storage — on their internal networks, according to a new study by Harris Interactive on behalf of Imation. Yet 40% of “IT decision makers” at these companies admitted to “unintentional exposure of corporate data” due to the loss or theft of these devices.
While it stands to reason that a lot of this data might be escaping on USB thumb drives, another study points to security hazards specific to BYOD smartphones, tablets and PCs.
25% of employed adults are now using their own smartphones to access and/or store company information, according to a new survey by ESET. The same holds true for 41% of personal laptops and 47% of personal desktop PCs, but only for 10% of tablets.
A ‘compelling reason to get that app’?
“I’m sure you’ve seen this scenario. Halfway through [a] flight, a user switches from super-critical pieces of corporate work to checking out the app they downloaded while waiting in the airport terminal,” said Cameron Camp, an ESET security researcher, in a blog post.
“Maybe there’s a compelling reason to get that app, but is there a security context in place whereby this activity is vetted, especially when they are connecting the device to the company network? Beyond that, are basic measures in place to protect the data on the device if it falls into the wrong hands?”
According to ESET’s survey results, most BYOD devices are not well protected. Encryption of company data is occurring on only one-third of BYOD phones, tablets, and PCs. Auto-locking with password protection is enabled by less than half of all laptop users, less than one-third of smartphone users, and one-tenth of all tablet users.
Many would argue that if users are buying their own devices, there’s no reason why they shouldn’t be able to download any app they want. However, according to security software vendors such as Symantec and Kaspersky, incidents of mobile malware are skyrocketing, especially on Android OS. Users have been known to download fraudulent, malware-laden apps masquerading as legitimate ones. Trojans embedded into SMS messages are also an emerging threat.
To safeguard company data as well as other users on the network, businesses need to both develop and enforce policies around encryption, auto-locking and password authentication, according to security analysts. Anti-malware software is also available for mobile devices.
Android Security Options
Mail encryption can be important, too, especially in industries such as healthcare which are federally mandated to protect sensitive information, said Goutham Sukumar, NitroDesk’s founder, in an interview with Brighthand.
NitroDesk produces TouchDown, an email client app already deployed among about three-quarters of a million Android end users, which lets users sync their Android phones and tablets with corporate email, contacts and calendars running on Microsoft Exchange servers.
At the RSA show, Echoworx announced a partnership with NitroDesk to deliver PKI credential management to TouchDown users over the cloud, so that companies will no longer need to run their own complex PKI encryption infrastructures to issue, revoke, or suspend the ID credentials needed for encrypting and decrypting emails.
Other companies announced products in categories which, while initially targeted mainly at online banking and eCommerce, might also be used to help protect internal networks at government agencies and corporations, either directly or indirectly.
Germany-based Kobil, for example, announced the mIDentity App Security Toolkit (mID AST), a software development kit aimed at securing apps from unauthorized duplication and preventing the creation of fake apps.
Yubico, a Kobil partner, unveiled YubiKey Nano, a hardware token for secure authentication small enough to fit into the USB port of a laptop or tablet. While it can’t be used with the mini-USB port on a smartphone, it is capable of NFC wireless communications, said Stina Ehrensvard, Yubico’s CEO, in another Brighthand interview.
The Nano can be inserted into the Apple Camera Connection kit for use with iPads and is designed to be carried around on a keychain. Beyond providing an additional “layer of protection” for online access, it might also be used for giving employees access to brick-and-mortar company grounds and facilities, for instance.
Also at the show, TeleSign announced TeleBureau, a “fraud clearinghouse” aimed at letting companies share information about online spammers, fraudsters, and other cybercriminals based on the mobile phone numbers of the perpetrators, rather than their IP addresses.