Forty percent of companies have adopted a company-owned bring-your-own-device (BYOD) policy, according to InfoSec’s 2014 “BYOD and Mobile Security” report. Fifty-seven percent of respondents said keeping employees mobile was the most significant benefit of adoption, with employee satisfaction and productivity close behind. But the report also speaks to IT concerns: 67 percent of those surveyed said they worried about losing company or client data, while 57 percent feared unauthorized network or device access.

Has “breach-your-own-data” become the new BYOD?

Evolving Mobile Apps

The most popular enterprise apps on mobile devices are email clients, calendars and contacts, which makes sense since productive employees are those who can access client and colleague information regardless of their physical location.

Document editing and intranet access are also important to users, but according to a recent TechRepublic article, this is just the beginning. Israel Lifshitz of Nubo Software argues that semi-business apps are starting to emerge in the marketplace but will soon be followed by more complex applications such as customer relationship management and enterprise resource planning. The logic isn’t hard to follow: If employee productivity is enhanced by using mobile devices to communicate and schedule, imagine how much more could be gained with access to consumer history or production data.

Lifshitz also sees this app-based market driving improved device security at the manufacturer level, which may eventually lead to the holy grail of mobile defense: apps that will only run on an uncompromised device. However, the fragmented nature of the device market makes this an unlikely possibility since 40 percent of users still run BlackBerry and almost 70 percent run Android. It’s also worth noting that despite significant growth of alternative operating systems, Apple remains the dominant enterprise player and still marches to the beat of its own security drum.

The New Insiders

Losing corporate, client and employee data weighs heavily on the minds of BYOD-enabled organizations. And while malicious outsiders might attempt to compromise an employee’s device or hack company networks using mobile malware, there’s a more sinister threat: insider access.

As noted by IT Business Edge in a report on a recent Ponemon Institute study, many individuals with permission to access confidential or sensitive data did so without a clear purpose. In fact, 65 percent of those asked said that curiosity, not business roles or responsibilities, drives this kind of internal access; in other words, employees aren’t shy about using role-based permissions to go digging around company servers.

It’s not surprising, then, that while 16 percent of InfoSec’s respondents said the biggest negative impact of BYOD was the actual loss of data, 30 percent lamented the need for additional IT resources to manage mobile security. The bottom line? The risk of insider threats, both out of curiosity and with malicious intent, requires more IT spend.

Taking Control of BYOD

So how do organizations safeguard their mobile deployments?

Sixty-seven percent still primarily rely on password protection, while 52 percent opt for remote wiping, and 43 percent require mandatory encryption. Despite their ubiquity, passwords remain a problem, as noted by Lorrie Faith Cranor of Carnegie Mellon University in a recent TED Talk.

Many users are frustrated with complex password requirements, while password strength meters are too lenient. Passwords like “123456” and “iloveyou” remain common, and users tend to think of simple concepts that make them happy when creating passwords, which in turn makes those passwords easier to guess. Research into “pronounceable passwords,” which aren’t real words but are easy to remember, has had some success, but for corporate-wide mobile device policies, passwords, along with remote wipes and encryption, simply aren’t enough.

To handle the growing number of devices on their network, companies are turning to mobile device management (MDM) tools, which beat out endpoint security and network access controls for the top spot in the InfoSec survey. According to FierceMobileIT, however, MDM may soon be a thing of the past. Jason McNicol, senior analyst at ABI Research, said that mobile application management (MAM) will dominate the enterprise market in five years with a 60 percent market share.

Why? Because MAM tools follow the data, not the device, and they restrict or enable apps on a case-by-case basis. Ideally, app developers would code in support for MAM products before releasing any application, making control possible no matter what kind of device an employee chooses. In effect, this allows IT to include broader device support without compromising security.

Is breach-your-own-data the inevitable next generation of BYOD? Not quite. While companies see the inherent value (and momentum) in mobile device use, they’re also better at identifying pain points, and the security market is evolving to target data before devices.
