BYOD Security: Small Devices, Big Risks
Researchers recently discovered a new Android app store that exists solely to distribute malware. The malicious app store is almost identical to the actual Android Marketplace, but the app store isn't the real deal and neither are the apps. Instead of a game or social networking tool, users receive a Trojan that sends text messages to a fee-based service. In addition to appearing legitimate, the fake app store also programmatically changes download sizes to avoid detection by security software, according to Security Week.
A few years ago, attacks like the fake app store were a problem only for device owners. Those days are over. Increasingly, users are no longer willing to leave their laptops, smart phones and tablets behind when they enter the workplace. They are bringing their devices and the associated threats into the office. Although there are benefits to this trend, such as increased employee satisfaction and improved productivity, many users develop a false sense of security when using their own devices. As a result, they take fewer precautions, making "bring your own device" (BYOD) security a business necessity.
Security a Business Necessity
When the lines between personal computing and business computing blur, in many cases it is the business that suffers. A single infected device can result in widespread financial, reputation-related, and legal impacts for an organization. Users may own the devices in a BYOD environment, but companies are ultimately responsible for any systems and information they access. No organization can afford to idly sit by and ignore this possibility.
BYOD security risks aren't just an issue at large companies with thousands of users. Smaller businesses are just as susceptible to these threats. Ray Boggs of analyst firm IDC said, "Despite the potential security risks, SMBs [small and midsize businesses] continue to allow employees to gain access to the company network and related resources through their own devices." The impact of inadequate security for user-owned devices is even more severe at SMBs since they may not have the resources and expertise to quickly find, analyze and contain threats.
Forbidding these devices from the enterprise might seem like a great option, but it's rarely effective. No matter how stringent the rules, some employees will fail to comply and put the organization at risk. There are a number of steps organizations can take to decrease their risk:
- Define and communicate policies about employee-owned devices. Employees should understand the policies and the implications of not complying.
- Pilot the strategy to make sure it's effective and adjust if necessary.
- Ensure that security and management procedures and software incorporate employee-owned devices.
Although it is impossible to eliminate all risks, organizations can reduce them to a manageable level. The necessity for BYOD security isn't going away. Organizations can either sit back and wait for a disaster to occur or proactively put measures in place to mitigate risks. Which approach has your company chosen?
This post was written as part of the IBM for Midsize Business program, which provides midsize businesses with the tools, expertise and solutions they need to become engines of a smarter planet.