Forty percent of companies have adopted a company-owned bring-your-own-device (BYOD) policy, according to InfoSec’s 2014 “BYOD and Mobile Security” report. Fifty-seven percent of respondents said keeping employees mobile was the most significant benefit of adoption, with employee satisfaction and productivity close behind. But the report also speaks to IT concerns: 67 percent of those surveyed said they worried about losing company or client data, while 57 percent feared unauthorized network or device access.

Has “breach-your-own-data” become the new BYOD?

Evolving Mobile Apps

The most popular enterprise apps on mobile devices are email clients, calendars and contacts, which makes sense since productive employees are those who can access client and colleague information regardless of their physical location.

Document editing and intranet access are also important to users, but according to a recent TechRepublic article, this is just the beginning. Israel Lifshitz of Nubo Software argues that semi-business apps are starting to emerge in the marketplace but will soon be followed by more complex applications such as customer relationship management and enterprise resource planning. The logic isn’t hard to follow: If employee productivity is enhanced by using mobile devices to communicate and schedule, imagine how much more could be gained with access to consumer history or production data.

Lifshitz also sees this app-based market driving improved device security at the manufacturer level, which may eventually lead to the holy grail of mobile defense: apps that will only run on an uncompromised device. However, the fragmented nature of the device market makes this an unlikely possibility since 40 percent of users still run BlackBerry and almost 70 percent run Android. It’s also worth noting that despite significant growth of alternative operating systems, Apple remains the dominant enterprise player and still marches to the beat of its own security drum.

The New Insiders

Losing corporate, client and employee data weighs heavily on the minds of BYOD-enabled organizations. And while malicious outsiders might attempt to compromise an employee’s device or hack company networks using mobile malware, there’s a more sinister threat: insider access.

As noted by IT Business Edge in a report on a recent Ponemon Institute study, many individuals with permission to access confidential or sensitive data did so without a clear purpose. In fact, 65 percent of those asked said that curiosity, not business roles or responsibilities, drives this kind of internal access; in other words, employees aren’t shy about using role-based permissions to go digging around company servers.

It’s not surprising, then, that while 16 percent of InfoSec’s respondents said the biggest negative impact of BYOD was the actual loss of data, 30 percent lamented the need for additional IT resources to manage mobile security. The bottom line? The risk of insider threats, both out of curiosity and with malicious intent, requires more IT spend.

Taking Control of BYOD

So how do organizations safeguard their mobile deployments?

Sixty-seven percent still primarily rely on password protection, while 52 percent opt for remote wiping, and 43 percent require mandatory encryption. Despite their ubiquity, passwords remain a problem, as noted by Lorrie Faith Cranor of Carnegie Mellon University in a recent TED Talk.

Many users are frustrated with complex password requirements, while password strength meters are too lenient. Passwords like “123456” and “iloveyou” remain common, and users tend to think of simple concepts that make them happy when creating passwords; in turn, this makes them easier to guess. Research into “pronounceable passwords,” which aren’t real words but are easy to remember, has returned some success, but for corporate-wide mobile device policies, passwords — and remote wipes and encryption — simply aren’t enough.

To handle the growing number of devices on their network, companies are turning to mobile device management (MDM) tools, which beat out endpoint security and network access controls for the top spot in the InfoSec survey. According to FierceMobileIT, however, MDM may soon be a thing of the past. Jason McNicol, senior analyst at ABI Research, said that mobile application management (MAM) will dominate the enterprise market in five years with a 60 percent market share.

Why? Because MAM tools follow the data, not the device, and they restrict or enable apps on a case-by-case basis. Ideally, app developers would code in support for MAM products before releasing any application, making control possible no matter what kind of device an employee chooses. In effect, this allows IT to include broader device support without compromising security.

Is breach-your-own-data the inevitable next generation of BYOD? Not quite. While companies see the inherent value (and momentum) in mobile device use, they’re also better at identifying pain points, and the security market is evolving to target data before devices.
