Searching for images: Cybercriminals embed drive-by downloads in popular images, which leads to the unintended download of software from the Internet. They then make sure those malicious images show up in searches.
Clicking on an ad: Attackers can take advantage of layers of ad syndication to plant malware-infested ads on trusted, high-profile Web sites.
All of these malware risks can turn trusted companies, employees, partners, or customers into unwitting attackers of internal applications and data. Users are rarely aware that their devices are infected with malware. The end result of malware is often identity theft, so attackers can connect to businesses using legitimate login credentials from their own devices.
Shift focus from devices to logins and transactions
Much of the discussion around securing BYOD involves controlling the devices themselves. For example, enterprises can set personal device policies and use MDM solutions to encrypt and control data and applications on remote devices.
However, it is difficult to control the devices that don't belong to businesses. MDM solutions take time to deploy and only address part of the puzzle. Aside from employee mobile devices, businesses have to worry about customers' and partners' personal laptops and desktops as well as tablets and mobile phones.
Businesses may not control the devices, but they do have control over logins and transactions on corporate systems. If companies shift focus to applications, they can make an immediate impact on risk exposure from unmanaged devices, whether they belong to employees, customers, contractors or even partners.
As always, the best defense is a layered defense, consisting of the following technologies:
Device identification. Today's device identifications technologies can find anomalies like disguised location, IP address or device types that can indicate a stolen identity. They can also detect devices belonging to known threats and botnets, which consist of devices whose security defences have been breached and controlled by an unknown party.
Client-side protection. For an added layer of security, give trusted visitors (partners, contractors and employees) the tools to identify and lock down malware on their systems, ensuring safe interactions with business systems.
Any applications that connect individuals to sensitive data can use these extra layers of protection. This includes employee-facing applications such as webmail: an attacker accessing your CEO's emails can do a great deal of damage.
By managing the connections to applications, rather than the devices connecting to them, businesses can mitigate the growing risks of malware and identity theft while taking advantage of the economic and productivity benefits of BYOD trends.