Ever since we have been obligated to work from home, our work and private lives have become even more entwined, and BYOD (bring your own device) – using private devices for professional purpose is becoming more and more prevalent. This mixed-use of content brings with it its risks. Managing IT becomes even more difficult and there is a risk that company data can leak out if the data is not neatly compartmentalised. Learn more about BYOD risks and options for data separation in the following blog article.
Mixed-use of mobile end devices
More than ever, mobile working is in vogue, and work and private life are increasingly converging – especially when it comes to IT – not just for senior management, but also for project managers, field staff and, since the introduction of home working, for all employees working from home. BYOD is being done in very many companies today and it means that private devices can also be used for business purposes, so business smartphones are being allowed for personal use. This mixed-use leads to new challenges, particularly in relation to data protection, and data security as well.
The risks of BYOD
New BYOD user patterns bring with them a whole host of security challenges:
- Employees – a risk factor
As standard, smartphones often have only minimal protection, and if personal mobiles are used carelessly, security gaps can arise. For example, if the device does not have PIN protection, if there is no multi-factor authentication for remote login or simply if a smartphone is lost or stolen. There can be serious consequences if the company's IT security is compromised and, in the worst-case scenario, company data is stolen. If damage is caused by cyber criminals using a private smartphone, there are disagreeable liability issues for employers. That’s why employees need to be made aware of data protection and security issues.
- Security gaps in mobile operating systems
Mobile operating systems are another gateway for malware or other stalkerware. There are security gaps in both iOs and Android devices. Many users are completely unaware that their smartphones have been infected and many people don't use antivirus software on their private devices.
- Insecure apps
Another threat to smartphones and the information stored on them are insecure apps from a variety of app stores. These apps may be malware or contain PUAs (potentially unwanted applications) which may include various undesirable applications such as adware or spyware. That's why you should only download apps from official app stores. Therefore, only download apps from the official Apple AppStore or Google PlayStore. The apps on these platforms regularly undergo security checks.
- Access authorisations
Many apps freely access stored information if this is not blocked in the settings, and hence can access sensitive business information such as contact details, appointments and location details. Access permissions are no longer just about offering the user the best possible application experience, but in part about gathering as much user data as possible and then selling it on to “advertising partners”. That’s why permissions should be restricted to allow apps only the access rights they need to have. For example, a phone app needs to have access to contacts and the microphone to function – a torch app does not.
- Lack of data protection
When professional and personal data are stored together on smartphones, this is also problematic from a data protection point of view. For example, if professional contacts are used in an app that transfers data to the USA. In this regard, messenger programmes have come in for particular criticism. This is how certain messenger programmes gain access to telephone numbers, addresses and e-mails – even from people who do not use the service at all and who have never given their consent to their data being accessed. One of the most high-profile examples was where attackers were able to infiltrate Jeff Bezos' smartphone via video and take control of the device, steal data, tap into chat histories and circulate false messages.
- Public WiFi connections
If smartphones are connected to unsecured public Wi-Fi networks, this can also become a security risk. Cyber criminals can eavesdrop on communications using a man-in-the-middle attack. Hence, the use of public Wi-Fi networks should be avoided whenever possible. Secure access to the company network should be done using a VPN connection. Also, read the blog article security of information in public areas.
Controlling IT is made much more difficult with the BYOD scenario. Obsolete mobile operating systems, rooted phones and missing security patches make it almost impossible to make a BYOD device a truly secure component of the company network. The worst-case scenario is where IT is not even aware that the device is being used at all (“Dark BYOD”).
Company data requires additional barriers and, at the same time, a clear separation of personal and professional content should protect the user's privacy and preserve the digital work-life balance. Furthermore, when a user leaves the company, the business data on the smartphone must be removed without the user's personal data being affected. All of these challenges have not been sufficiently taken into account by smartphone manufacturers up to now, which is why the use of the appropriate security solutions, such as the BlackBerry Enterprise Mobility Suite is recommended.
Separating Professional and Personal
To effectively separate professional from private data on mobile devices, we recommend the use of mobile device management software. Tools like this are often part of wider Enterprise Mobility Management (EMM). EMM creates a separate area (or container) on smartphones. The container is administered and monitored by IT to ensure the smartphone's IT compliance in terms of data security and data protection. For the user, this means that they can only process company data on their smartphone within an environment that is protected and encrypted. Apps that are critical to data privacy, such as WhatsApp, also do not get access to business contacts. You can also mobile-enabled your business-critical tools across different operating systems and ownership models – from Microsoft apps to in-house developed apps, all with secure end-to-end security and a full range of multi-factor options for critical apps.
Do you need assistance with Endpoint & Mobile Security?
Private mobile devices connected to the company network and communicating via external networks are posing a risk to your company's security. InfoGuard offers you solutions to provide comprehensive protection for your end devices and for creating targeted user awareness. Contact us now and find out more about how to securely integrate mobile devices (including BYOD) into your corporate infrastructure.