The Information Security LinkedIn group released a new survey from its 200,000-member community on the state of bring-your-own-device (BYOD) and mobile security initiatives in their enterprises. We provide our take on some of the findings from this comprehensive survey‘s 1,100 responses.

To BYOD or Not?

According to the survey, over 60 percent of enterprises allow or tolerate employee use of personal devices to access enterprise data. Only a small minority of enterprises, 11 percent, have no plans to allow such usage. Enterprises that allow BYOD expect the primary benefits to be improved employee productivity and satisfaction and better overall security, and 58 percent expect related budgets to increase or stay flat.

Our Take: Device ownership is destined to become a nonissue, and IT organizations must adopt new capabilities to secure enterprise applications and data on a shared personal or corporate data device. Enterprises are embracing BYOD programs as an opportunity to invest in the secure productivity of their employees as opposed to a “cost of doing business.” Securing corporate data without making assumptions on device security makes enterprises less complacent and more rigorous in assessing and addressing security risks.

Enable Flexible Data Access

According to the survey, email access allowance is still king at 86 percent of responses, followed by access to documents, custom mobile applications and cloud services. Overall, structured data in enterprise databases is still deemed most valuable, with unstructured data a close second.

Our Take: Our devices enable access to critical enterprise resources. Sensitive data and transactions are accessed, stored locally and exchanged not only with data center apps, but also third-party services. BYOD enables a “personal” device image, but enterprises must take steps to secure local app execution, encrypt enterprise data where applicable and detect access and transactional risk.

Data Loss Doesn’t Equal Device Loss

The biggest mobile security risk, according to the survey, is losing enterprise data. In essence, the risk categories can be divided into three main areas: data (stolen, lost, unauthorized access), threat (fake apps, malware, exploits) and management (endpoint security, regulatory compliance).

Our Take: Enterprises must address each of these three dimensions through a holistic framework. Many enterprises have made progress on addressing the “lost device” scenario and data-loss risk with enterprise mobility management suites that enable a remote wipe of enterprise data from mobile devices. However, securing devices against compromise has a long way to go; this is partly due to the restrictions enforced by mobile OS vendors on the security community, which limits the ability to secure mobile platforms.

Mobility Impact: Tools and Resources

Enterprises are investing in resources (mostly security personnel) and tools (mobile device management and endpoint security solutions) to address the emerging mobile threats.

Our Take: Enterprises are taking steps to reduce mobile-related security risks. To minimize the burden, such resource allocation should occur in the context of a comprehensive plan that addresses enterprise-specific risk factors. For example, banks that provide online banking services to customers must address transactional risk from both laptops and mobile devices that they have absolutely no control over. Malware and phishing risks that are common to that environment should be assessed when new capabilities are rolled out (e.g., remote deposit capture).

Reducing Attack Surface: Beyond the Basics

Simple steps are the easiest to implement. Most enterprises require password protection to devices accessing enterprise data; this will deter the occasional thief but is probably no match for a focused adversary. Encryption and remote wipe provide additional layers of security.

Our Take: While these measures are a good start, security should be embedded in the enterprise mobility initiatives. For example, secure development practices and mobile penetration testing will reduce vulnerabilities that can be exploited by malware, thus reducing the attack surface. While the malware threat has quickly grown, its capabilities have slowly evolved on mobile devices. Recent developments should drive security teams to reassess the threat and the possible impact of credential loss on their enterprise security.

Download Full Report: BYOD & Mobile Security Survey

Summary

The survey shows enterprises’ increasing readiness to embrace BYOD programs. Enterprises are making investments in people and tools to manage the key risks to enterprise resources (applications and data), driven by mixing corporate and personal data and the evolving threat landscape. The business rationale for these investments is boosting employee productivity while improving security as a broader set of risks is taken into consideration; this is a no-brainer since we expect BYOD to become table stakes for virtually all enterprises in the next few years. Given the utility and importance of mobile devices to employees’ personal and work lives, this looks like a sound investment.

BYOD & Mobile Security Report from Holger Schulze

 

More from Endpoint

The Evolution of Antivirus Software to Face Modern Threats

Over the years, endpoint security has evolved from primitive antivirus software to more sophisticated next-generation platforms employing advanced technology and better endpoint detection and response. Because of the increased threat that modern cyberattacks pose, experts are exploring more elegant ways of keeping data safe from threats. Signature-Based Antivirus Software Signature-based detection is the use of footprints to identify malware. All programs, applications, software and files have a digital footprint. Buried within their code, these digital footprints or signatures are unique…

Contain Breaches and Gain Visibility With Microsegmentation

Organizations must grapple with challenges from various market forces. Digital transformation, cloud adoption, hybrid work environments and geopolitical and economic challenges all have a part to play. These forces have especially manifested in more significant security threats to expanding IT attack surfaces. Breach containment is essential, and zero trust security principles can be applied to curtail attacks across IT environments, minimizing business disruption proactively. Microsegmentation has emerged as a viable solution through its continuous visualization of workload and device communications…

Self-Checkout This Discord C2

This post was made possible through the contributions of James Kainth, Joseph Lozowski, and Philip Pedersen. In November 2022, during an incident investigation involving a self-checkout point-of-sale (POS) system in Europe, IBM Security X-Force identified a novel technique employed by an attacker to introduce a command and control (C2) channel built upon Discord channel messages. Discord is a chat, voice, and video service enabling users to join and create communities associated with their interests. While Discord and its related software…

3 Reasons to Make EDR Part of Your Incident Response Plan

As threat actors grow in number, the frequency of attacks witnessed globally will continue to rise exponentially. The numerous cases headlining the news today demonstrate that no organization is immune from the risks of a breach. What is an Incident Response Plan? Incident response (IR) refers to an organization’s approach, processes and technologies to detect and respond to cyber breaches. An IR plan specifies how cyberattacks should be identified, contained and remediated. It enables organizations to act quickly and effectively…