Employees often use their personal smartphones and tablets for work purposes. This bring-your-own-device (BYOD) trend is convenient for employees and inexpensive for employers, who don't have to pay for the devices. As organizations allow more employee-owned devices into the corporate network, BYOD security policies and endpoint security solutions become more important.
Most organizations do not adequately protect their networks from the endpoint security threats that employee-owned devices invite. The Endpoint Protection and Response: SANS Survey found that while over 60% of organizations allow employee-owned mobile devices to access their networks, less than 45% include employee-owned devices in the organization's security management program.
One of the most significant risks to personal mobile devices—as with any endpoint security—is malware, according to the 2019 McAfee Mobile Threat Report. Many malicious exploits use malware as a component. The goal is to steal data, such as credit card numbers, lists of account passwords, and other data that can be sold on the dark web. BYOD devices provide access to personal data and corporate information. Hence, BYOD security is critical for safeguarding both.
There are three main BYOD security risks:
- Ex-employees. When employees leave an organization, they take their personal devices with them. Without security controls on a device, an IT department can't remove applications or content. The organization risks having its data fall into the wrong hands. In addition, a former employee may attempt to access the employer's network in the future.
- Lost or stolen devices. The portability of phones and tablets makes them convenient to use, but also easy to lose. According to one industry estimate, over 70 million mobile phones are lost each year, and a laptop is stolen every 53 seconds. Lost devices, of course, often wind up in the wrong hands, and not even a strong password can deny access to an experienced hacker.
- Cybercrime. Hackers target smartphones and tablets because they have become both more ubiquitous and more powerful. According to the 2019 McAfee Mobile Threat Report, the increased processing power of smartphones allows hackers to conduct more sophisticated exploits. One of these is to encrypt malicious payloads to disguise them on the network. Another is the use of false apps, which users may mistake for games or utilities and download them. Here is a recent example: A hacker sends a user a text with a link to a voice message. Clicking the link downloads a fake app purporting to enable the user to hear the message. In fact, the app turns the phone into a mobile proxy for accessing private networks and servers, and then hides itself to avoid detection.
Despite the security risks that personal devices pose to an organization, the popularity of BYOD continues to grow. IT departments can prevent many BYOD security problems by creating BYOD policies and implementing BYOD endpoint security solutions, such as mobile threat defense (MTD) software.
Creating a BYOD policy
Employees use their smartphones for texting, emailing, reviewing documents, browsing the web, sharing photos online, and many other activities. So the first issue that an IT department faces when crafting a BYOD policy is determining the extent to which employees are allowed to access and download internet resources. The key questions that an IT department might address in a BYOD policy include:
- What device types will be supported? Smartphones, tablets, laptops, and wearables? Only certain devices? Or whatever the employee wants?
- How will employees connect to the network? Will virtual private networks (VPNs) and virtual desktops be required?
- Which compliance issues need to be addressed in the policy?
- What applications and websites will be blacklisted? Whitelisting only approved sites is possible, but more difficult to manage as it greatly restricts employee freedom with their own devices.
- Which work resources can the device access? Email is typically allowed, but not access to sensitive materials such as legal proceedings or personnel records.
- Will access to public Wi-Fi networks be forbidden? Unless the device is equipped with a VPN, connecting over a public network is risky.
- What steps should employees take when their device is lost or stolen?
Each department will have different concerns about device security, so a best practice for BYOD policy creation is to invite representatives from several departments to participate. IT, human resources, security, and legal departments each have different concerns and needs related to device security. Gaining their input helps ensure a more successful policy.
Another important element in creating a BYOD policy is security awareness training. Data and device security can be reinforced with in-person and computer-based training on the:
- Risks to mobile devices.
- Methods that cybercriminals use to compromise employee accounts.
- Potential impacts to the organization.
- Specific measures employees are expected to take to safeguard their devices and work applications.
BYOD endpoint security solutions
Below are some BYOD security solutions to consider:
- Encryption. Encrypting mobile data protects it from prying eyes. Many devices have native encryption that, when enabled, can keep the device encrypted to all but the authorized user. Available software products can encrypt some or all data on a device. Email is a common device app that benefits from encryption. Emails often travel across the internet and encryption reduces the chance of misuse. Texts and calls can also be encrypted.
- Mobile device management (MDM). MDM software provides basic device security. MDM can enforce security policies, update applications, track device location, encrypt files, and remotely wipe the device if it's lost or stolen. It can also create an isolated environment for work applications by dividing the device's resources between work and personal use. Alternatively, it can create a container on the device to house work applications and data. Containerization provides a safe sandbox, with separate password and security policies, for work activities.
- Mobile threat defense (MTD). MTD is a rapidly growing category of mobile security software that offers a more proactive approach to security than MDM. According to the Gartner Market Guide for Mobile Threat Defense Solutions, 30% of organizations will have MTD by 2020, up from the less than 10% in 2017. MTD and MDM together provide complementary protection for mobile devices.
- MTD continuously monitors the device to detect and stop suspicious network or device activities. MTD software can detect malware, changes in settings, and insecure secure sockets layer (SSL) connections. MTD products, such as McAfee MVISION Mobile, may incorporate machine learning to enable them to learn normal patterns of activity and identify malicious activity. Machine learning is helpful in detecting new, or zero-day, attacks. MTD applications may also provide compliance controls to help guarantee that employees and their mobile devices remain in compliance. Another useful feature is the ability to detect phishing attempts in text messages and links, social media applications, and email messages.
- Identity and access management (IAM). While not a mobile security application, IAM is an important addition to BYOD security. Using IAM software, an IT department can assign specific access rights to users based on their jobs. This role-based access gives employees the right access for their jobs, while ensuring that data and applications are not unnecessarily exposed.
BYOD security requires both a thoughtful BYOD security policy and advanced BYOD security solutions. Endpoint security technologies such as encryption, mobile threat defense, mobile device management, and identity and access management can provide the elements needed to ensure an organization's security while providing employees the convenience of using personal devices.
McAfee MVISION Mobile uses machine learning algorithms to analyze device behavior and detect malicious activity. MVISION Mobile sits directly on mobile devices to provide always-on protection no matter how a device is connected—via a corporate network, public access point, or cellular carrier—and even offline.
BYOD security resources