When Oracle Corp. gave Rob Clark a Dell laptop to use for work, it didn’t take long for him to give it back. Clark, a senior director of development, told the company and Sacramento Business Journal that he prefers to use his own iPhone and iPad when he travels between Oracle’s offices in California, Europe and Asia.
Clark has plenty of company. Dubbed BYOD, bring your own device has become the mantra of millions of employees who want to use their own mobile devices to get the job done wherever they are. But if BYOD means more freedom, flexibility and productivity for workers in and out of the office, bring your own device can quickly turn into bring your own disaster when it comes to protecting their company’s security. Avanade, a business technology services company, found that more than half of the 600 IT decision makers it surveyed this year reported a security breach caused by consumer gadgets.
IBM Discovers BYOD Comes with Huge Security Risks
When IBM implemented a bring your own device policy in 2010, the company discovered that its employees’ mobile devices were full of software it couldn’t control. Jeanette Horan, IBM’s Chief Information Officer, told Technology Review that employees were using popular apps that posed a security risk to the company. On top of that, they were found to be forwarding IBM email to public Web mail services and using their smartphones to create open Wifi hotspots, exposing the company’s sensitive information to eavesdropping.
IBM instituted a number of measures designed to protect the company’s sensitive information, according to Technology Review. It banned a number of apps, including public file transfer programs like Dropbox. And before an employee is allowed to use his own mobile device to access IBM’s networks, the IT department must configure it so it can be erased remotely if it’s lost or stolen.
How Mobile Workers Compromise Their Company’s Data
Yet, according to a 2012 iPass Mobile Workforce Report, only 55% of the mobile workers it surveyed said they had enabled remote wipe on their smartphones; and only 30% activated that security feature on their tablets. Given that lapse, it should come as no surprise that negligent insiders were the leading cause of data breaches at U.S. companies and public sector agencies, according to a 2011 study by the Ponemon Institute. The study found that a staggering 39% of all data breaches involved employee negligence; and 37% of data breaches involved a malicious or a criminal attack.
According to security expert Robert Siciliano, when an employee brings in his Android mobile device and connects it to his corporate network, the company has to worry about whether the last app he downloaded is infected and will infect the network when it’s connected to a company PC.
Why do employees circumvent their company’s IT security requirements for their personal mobile devices? According to the iPass report, mobile workers want more flexibility and efficiency while they work. As a result, nearly 25% of those surveyed say they do some kind of workaround on their smartphones to bypass IT controls they believe are too strict and too time consuming. Another 12% do the same end run around IT policies to access corporate data on their tablets.
For mobile workers at large companies, another one of those workarounds is failing to use their company’s virtual private network to conduct company business. To save time, employees will often hop on the Internet without logging in to their corporate VPN because they aren’t accessing the company network. And that can end up exposing their company’s sensitive information to hackers.
Many smaller companies don’t have the IT resources to have their own corporate network or maintain a corporate VPN. And many of them encourage their employees to use their own mobile devices for work as a way to control operating costs. So it’s not surprising that the number of cyberattacks against small businesses is exploding. According to the June 2012 Symantec Intelligence Report, 36% of targeted cyberattacks in the first six months of this year were against small businesses with 250 or fewer employees. That’s up from 18% at the end of 2011.
BYOD has made it easier to work anywhere – whether it’s at home or in a coffee shop, a hotel or an airport. But it’s also blurred the line between our work and our personal lives and opened the door to compromising company networks. Remember, even though BYOD may be an unstoppable trend, it’s not a security strategy. You can protect your company’s sensitive information by following these steps:
∙ Check to see whether your company has a BYOD policy and follow it
∙ Lock down your mobile device in case it’s stolen or lost
∙ Install locate/lost/wipe software on your device
∙ Avoid accessing sensitive information on your device at Wifi hotspots unless you use a corporate VPN or VPN software like PRIVATE WiFi™. VPNs encrypt the data traveling to and from your computer. That makes it invisible to hackers, so your company’s business will be no one else’s business.
Is BYOD a boon or a bane to business? Let us know what you think.