August 6, 2014, by Douglas Bonderud

Forty percent of companies have adopted a company-owned bring-your-own-device (BYOD) policy, according to InfoSec’s 2014 “BYOD and Mobile Security” report. Fifty-seven percent of respondents said keeping employees mobile was the most significant benefit of adoption, with employee satisfaction and productivity close behind. But the report also speaks to IT concerns: 67 percent of those surveyed said they worried about losing company or client data, while 57 percent feared unauthorized network or device access.

Has “breach-your-own-data” become the new BYOD?

Evolving Mobile Apps

The most popular enterprise apps on mobile devices are email clients, calendars and contacts, which makes sense since productive employees are those who can access client and colleague information regardless of their physical location.

Document editing and intranet access are also important to users, but according to a recent TechRepublic article, this is just the beginning. Israel Lifshitz of Nubo Software argues that semi-business apps are starting to emerge in the marketplace but will soon be followed by more complex applications such as customer relationship management and enterprise resource planning. The logic isn’t hard to follow: If employee productivity is enhanced by using mobile devices to communicate and schedule, imagine how much more could be gained with access to consumer history or production data.

Lifshitz also sees this app-based market driving improved device security at the manufacturer level, which may eventually lead to the holy grail of mobile defense: apps that will only run on an uncompromised device. However, the fragmented nature of the device market makes this an unlikely possibility since 40 percent of users still run BlackBerry and almost 70 percent run Android. It’s also worth noting that despite significant growth of alternative operating systems, Apple remains the dominant enterprise player and still marches to the beat of its own security drum.

The New Insiders

Losing corporate, client and employee data weighs heavily on the minds of BYOD-enabled organizations. And while malicious outsiders might attempt to compromise an employee’s device or hack company networks using mobile malware, there’s a more sinister threat: insider access.

As noted by IT Business Edge in a report on a recent Ponemon Institute study, many individuals with permission to access confidential or sensitive data did so without a clear purpose. In fact, 65 percent of those asked said that curiosity, not business roles or responsibilities, drives this kind of internal access; in other words, employees aren’t shy about using role-based permissions to go digging around company servers.

It’s not surprising, then, that while 16 percent of InfoSec’s respondents said the biggest negative impact of BYOD was the actual loss of data, 30 percent lamented the need for additional IT resources to manage mobile security. The bottom line? The risk of insider threats, both out of curiosity and with malicious intent, requires more IT spend.

Taking Control of BYOD

So how do organizations safeguard their mobile deployments?

Sixty-seven percent still primarily rely on password protection, while 52 percent opt for remote wiping, and 43 percent require mandatory encryption. Despite their ubiquity, passwords remain a problem, as noted by Lorrie Faith Cranor of Carnegie Mellon University in a recent TED Talk.

Many users are frustrated with complex password requirements, while password strength meters are too lenient. Passwords like “123456” and “iloveyou” remain common, and users tend to think of simple concepts that make them happy when creating passwords; in turn, this makes them easier to guess. Research into “pronounceable passwords,” which aren’t real words but are easy to remember, has returned some success, but for corporate-wide mobile device policies, passwords — and remote wipes and encryption — simply aren’t enough.

To handle the growing number of devices on their network, companies are turning to mobile device management (MDM) tools, which beat out endpoint security and network access controls for the top spot in the InfoSec survey. According to FierceMobileIT, however, MDM may soon be a thing of the past. Jason McNicol, senior analyst at ABI Research, said that mobile application management (MAM) will dominate the enterprise market in five years with a 60 percent market share.

Why? Because MAM tools follow the data, not the device, and they restrict or enable apps on a case-by-case basis. Ideally, app developers would code in support for MAM products before releasing any application, making control possible no matter what kind of device an employee chooses. In effect, this allows IT to include broader device support without compromising security.

Is breach-your-own-data the inevitable next generation of BYOD? Not quite. While companies see the inherent value (and momentum) in mobile device use, they’re also better at identifying pain points, and the security market is evolving to target data before devices.
