Forty percent of companies have adopted a company-owned bring-your-own-device (BYOD) policy, according to InfoSec’s 2014 “BYOD and Mobile Security” report. Fifty-seven percent of respondents said keeping employees mobile was the most significant benefit of adoption, with employee satisfaction and productivity close behind. But the report also speaks to IT concerns: 67 percent of those surveyed said they worried about losing company or client data, while 57 percent feared unauthorized network or device access.
Has “breach-your-own-data” become the new BYOD?
Evolving Mobile Apps
The most popular enterprise apps on mobile devices are email clients, calendars and contacts, which makes sense since productive employees are those who can access client and colleague information regardless of their physical location.
Document editing and intranet access are also important to users, but according to a recent TechRepublic article, this is just the beginning. Israel Lifshitz of Nubo Software argues that semi-business apps are starting to emerge in the marketplace but will soon be followed by more complex applications such as customer relationship management and enterprise resource planning. The logic isn’t hard to follow: If employee productivity is enhanced by using mobile devices to communicate and schedule, imagine how much more could be gained with access to consumer history or production data.
Lifshitz also sees this app-based market driving improved device security at the manufacturer level, which may eventually lead to the holy grail of mobile defense: apps that will only run on an uncompromised device. However, the fragmented nature of the device market makes this an unlikely possibility since 40 percent of users still run BlackBerry and almost 70 percent run Android. It’s also worth noting that despite significant growth of alternative operating systems, Apple remains the dominant enterprise player and still marches to the beat of its own security drum.
The New Insiders
Losing corporate, client and employee data weighs heavily on the minds of BYOD-enabled organizations. And while malicious outsiders might attempt to compromise an employee’s device or hack company networks using mobile malware, there’s a more sinister threat: insider access.
As noted by IT Business Edge in a report on a recent Ponemon Institute study, many individuals with permission to access confidential or sensitive data did so without a clear purpose. In fact, 65 percent of those asked said that curiosity, not business roles or responsibilities, drives this kind of internal access; in other words, employees aren’t shy about using role-based permissions to go digging around company servers.
It’s not surprising, then, that while 16 percent of InfoSec’s respondents said the biggest negative impact of BYOD was the actual loss of data, 30 percent lamented the need for additional IT resources to manage mobile security. The bottom line? The risk of insider threats, both out of curiosity and with malicious intent, requires more IT spend.
Taking Control of BYOD
So how do organizations safeguard their mobile deployments?
Sixty-seven percent still primarily rely on password protection, while 52 percent opt for remote wiping, and 43 percent require mandatory encryption. Despite their ubiquity, passwords remain a problem, as noted by Lorrie Faith Cranor of Carnegie Mellon University in a recent TED Talk.
Many users are frustrated with complex password requirements, while password strength meters are too lenient. Passwords like “123456” and “iloveyou” remain common, and users tend to think of simple concepts that make them happy when creating passwords, which in turn makes those passwords easier to guess. Research into “pronounceable passwords,” which aren’t real words but are easy to remember, has had some success, but for corporate-wide mobile device policies, passwords — and remote wipes and encryption — simply aren’t enough.
To handle the growing number of devices on their network, companies are turning to mobile device management (MDM) tools, which beat out endpoint security and network access controls for the top spot in the InfoSec survey. According to FierceMobileIT, however, MDM may soon be a thing of the past. Jason McNicol, senior analyst at ABI Research, said that mobile application management (MAM) will dominate the enterprise market in five years with a 60 percent market share.
Why? Because MAM tools follow the data, not the device, and they restrict or enable apps on a case-by-case basis. Ideally, app developers would code in support for MAM products before releasing any application, making control possible no matter what kind of device an employee chooses. In effect, this allows IT to include broader device support without compromising security.
Is breach-your-own-data the inevitable next generation of BYOD? Not quite. While companies see the inherent value (and momentum) in mobile device use, they’re also better at identifying pain points, and the security market is evolving to target data before devices.