Andreas Baumhof, CTO of ThreatMetrix, a California-based vendor of IT security products and services, writes about how to maximize the potential of BYOD while minimizing risks
Today, customers, partners, employees and contractors alike all want to connect to business applications using their own computers, mobile phones, laptops and tablets. All of these connections from unknown devices elevate risk to corporate data and applications.
The pace of change has caught virtually all IT organizations on their heels when it comes to understanding and mitigating the risks of BYOD. Keeping employees on enterprise BlackBerrys is proving to be difficult, as people want to use their iPads and iPhones for work. Some organizations are adopting Mobile Device Management (MDM) solutions, but these solutions don’t address the risks of unprotected personal laptops or devices belonging to partners, customers and contractors.
The increased flexibility of BYOD initiatives introduces many risks, either on the device or outside of it. Many examples come to mind; for instance, if your employee is using services such as Dropbox privately, can you ensure that no corporate data is moved there as well? Do you know if your data has been compromised?
The rising malware risk
The proliferation of personal devices in the enterprise raises many risks, including the potential for data loss. It’s easy for a laptop containing corporate data to be forgotten in a cab. Less visible but no less real is the risk of malware being used to infiltrate systems or steal data. It’s much easier for cybercriminals to steal an employee’s identity than to breach a corporate firewall.
The Aite Group found 25 million new, unique malware strains released in 2011 alone. Android malware is rising precipitously, and even iPhones are not immune, with Kaspersky Lab discovering malware in the Apple App Store in July of this year.
All of this malware is getting harder to avoid. For example, children are using home computers and their parents’ tablets at younger ages and may unwittingly download malware. Personal devices are often used on insecure Wi-Fi networks or applications. Personal devices can easily pick up malware through common online activities, such as:
Clicking on a hidden URL: Social sites like Twitter use shortened URLs that make it difficult to see where a link will take you.
Searching for topical events: Cybercriminals use breaking news events to push search-engine-optimized sites that are infected with drive-by downloads to the top of the results.
Searching for images: Cybercriminals embed drive-by downloads in popular images, which leads to the unintended download of software from the Internet. They then make sure those malicious images show up in searches.
Clicking on an ad: Attackers can take advantage of layers of ad syndication to plant malware-infested ads on trusted, high-profile Web sites.
All of these malware risks can turn trusted companies, employees, partners, or customers into unwitting attackers of internal applications and data. Users are rarely aware that their devices are infected with malware. The end result of malware is often identity theft, so attackers can connect to businesses using legitimate login credentials from their own devices.
Shift focus from devices to logins and transactions
Much of the discussion around securing BYOD involves controlling the devices themselves. For example, enterprises can set personal device policies and use MDM solutions to encrypt and control data and applications on remote devices.
However, it is difficult to control the devices that don’t belong to businesses. MDM solutions take time to deploy and only address part of the puzzle. Aside from employee mobile devices, businesses have to worry about customers’ and partners’ personal laptops and desktops as well as tablets and mobile phones.
Businesses may not control the devices, but they do have control over logins and transactions on corporate systems. If companies shift focus to applications, they can make an immediate impact on risk exposure from unmanaged devices, whether they belong to employees, customers, contractors or even partners.
As always, the best defense is a layered defense, consisting of the following technologies:
Device identification. Today’s device identification technologies can find anomalies such as a disguised location, IP address or device type that can indicate a stolen identity. They can also detect devices belonging to known threats and botnets, which consist of devices whose security defences have been breached and which are now controlled by an unknown party.
Client-side protection. For an added layer of security, give trusted visitors (partners, contractors and employees) the tools to identify and lock down malware on their systems, ensuring safe interactions with business systems.
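To make the "logins and transactions" approach concrete, here is an added example (it is not ThreatMetrix code and not from the original article) of a login-time risk score that applies the device-identification checks listed above. It assumes a few constructed inputs: a client-supplied device fingerprint and browser time-zone offset, a tiny placeholder IP-to-country table standing in for a geolocation database, and a placeholder list of networks standing in for a botnet threat feed. The score combines an unrecognised fingerprint, a login from a country the user has never used, a mismatch between the browser's time zone and the IP's location (the "disguised location" signal), and a source address on the botnet list, and maps the total to allow, step-up or block.

```python
"""Login-time risk scoring for connections from unmanaged devices.

Constructed example: every table below is a placeholder, not a real
threat feed, geolocation database or production scoring model.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Placeholder threat-feed networks (documentation ranges, not real IoCs).
KNOWN_BOTNET_NETS = [ip_network("198.51.100.0/24"), ip_network("203.0.113.0/24")]

# Placeholder IP -> country lookup standing in for a geolocation database.
GEO_DB = {
    "192.0.2.10": "US",
    "192.0.2.77": "US",
    "192.0.2.200": "DE",
    "198.51.100.5": "RU",
}

# Coarse UTC offsets (hours) a genuine browser in each country would report.
COUNTRY_UTC_OFFSETS = {"US": {-5, -6, -7, -8}, "DE": {1, 2}, "RU": {3}}


@dataclass
class LoginAttempt:
    user: str
    device_fingerprint: str  # hash of browser/OS/screen attributes sent by the client
    ip: str
    browser_tz_offset: int   # UTC offset in hours reported by the client's browser
    device_type: str         # e.g. "iphone", "windows-laptop"


@dataclass
class UserProfile:
    """What the application has previously seen for this user."""
    known_fingerprints: set = field(default_factory=set)
    known_countries: set = field(default_factory=set)
    known_device_types: set = field(default_factory=set)


def ip_in_botnet(ip: str) -> bool:
    """True if the source address falls inside a listed botnet network."""
    addr = ip_address(ip)
    return any(addr in net for net in KNOWN_BOTNET_NETS)


def score_login(attempt: LoginAttempt, profile: UserProfile):
    """Return (score, reasons); a higher score means a more anomalous login."""
    score = 0
    reasons = []
    country = GEO_DB.get(attempt.ip, "UNKNOWN")

    if ip_in_botnet(attempt.ip):
        score += 60
        reasons.append("source IP is on the known-botnet list")
    if attempt.device_fingerprint not in profile.known_fingerprints:
        score += 20
        reasons.append("unrecognised device fingerprint")
    if profile.known_countries and country not in profile.known_countries:
        score += 25
        reasons.append(f"login from a new country ({country})")
    # Disguised location: the browser's time zone disagrees with where the IP sits.
    expected = COUNTRY_UTC_OFFSETS.get(country)
    if expected is not None and attempt.browser_tz_offset not in expected:
        score += 30
        reasons.append("browser time zone does not match IP geolocation")
    if profile.known_device_types and attempt.device_type not in profile.known_device_types:
        score += 10
        reasons.append(f"new device type ({attempt.device_type})")
    return score, reasons


def decide(score: int) -> str:
    """Map a risk score to an access decision (thresholds are illustrative)."""
    if score >= 60:
        return "block"
    if score >= 20:
        return "step-up"   # e.g. require a second factor before proceeding
    return "allow"


def enroll(profile: UserProfile, attempt: LoginAttempt) -> None:
    """After a successful step-up, remember the device so it is trusted next time."""
    profile.known_fingerprints.add(attempt.device_fingerprint)
    profile.known_countries.add(GEO_DB.get(attempt.ip, "UNKNOWN"))
    profile.known_device_types.add(attempt.device_type)


if __name__ == "__main__":
    alice = UserProfile({"fp-a"}, {"US"}, {"iphone"})
    for a in (
        LoginAttempt("alice", "fp-a", "192.0.2.10", -5, "iphone"),
        LoginAttempt("alice", "fp-b", "192.0.2.77", -8, "iphone"),
        LoginAttempt("alice", "fp-c", "198.51.100.5", -5, "windows-laptop"),
    ):
        s, why = score_login(a, alice)
        print(a.ip, s, decide(s), why)
```

The thresholds and weights are placeholders; in practice they would be tuned per application, and the decision would also be logged so that a step-up or block can be reviewed later. The point is that every signal here is available at the login itself, so the check works for a contractor's laptop or a customer's phone that the business will never manage.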
Any applications that connect individuals to sensitive data can use these extra layers of protection. This includes employee-facing applications such as webmail: an attacker accessing your CEO’s emails can do a great deal of damage.
By managing the connections to applications, rather than the devices connecting to them, businesses can mitigate the growing risks of malware and identity theft while taking advantage of the economic and productivity benefits of BYOD trends.