Six Perils of BYOD Data Security Exploitation

13:30 ET, 3 February 2014

By Vinod Mohan, SolarWinds

Bring Your Own Device (BYOD) is not a new story in today’s IT world, and all organizations—across all sectors and geographies—are feeling its effects, ranging from severe financial and reputational losses to smaller incidents of security breaches and policy violations. However, this doesn’t make BYOD an insurmountable threat, and there is no need to block all employee-owned devices from corporate networks. On the contrary, these harsh regulations would rob companies of all the benefits and flexibility that BYOD brings to the business, such as improved employee productivity and satisfaction, on-the-fly data access, and cost savings.

However, BYOD is getting more difficult to manage due to both the increasing number of employees favoring it and the induction of newer types of devices supporting the technology. By now it’s clear there is no stopping BYOD, so the only possible solution is to deal with it. But dealing with BYOD poses a great challenge for the IT security teams at organizations as they have to assess the various threats associated with it while also implementing proper security measures and policies to prevent security lapses and mishaps. To help IT pros understand this new threat landscape, outlined below are six critical, attention-seeking data security risks posed by BYOD.

1.     Dicey Network Access

One of the foremost challenges associated with BYOD is controlling network access on employee devices. Most organizations have a Wi-Fi password that employees are aware of, and this allows employees to gain direct access. An employee can just connect his personal laptop, tablet or smart phone to the corporate network and download malware from the internet on his personal device. However, if the device is not equipped with the required level of malware protection, it can be potentially dangerous to network security. Also, if the Wi-Fi password is exposed or leaked, any unauthorized outsider crossing over the organization’s Wi-Fi space can gain immediate network access and pose security risks.

2.     Plain Sailing with Data Theft

Once company data is on an employee’s handheld device, it can just walk out of the door unnoticed. Once it’s outside the company premises, it’s not within reach of the IT security teams and can be leaked or stolen anytime and anywhere by gaining direct access to the device, or by exploiting any end-point application vulnerability or encryption channels.

Additionally, almost all handheld devices are also mass storage devices that allow connectivity to enterprise servers and workstations via USB cables. For IT pros who monitor all device connections on the network to detect data mobility and backup, this introduction of mass amounts of data via BYOD poses a major challenge.

3.     Gateway for Rogue Devices

As employee devices are not equipped with enterprise-level IT security measures, it’s highly likely that they can be easily compromised by cyber criminals. When introduced on the network a rogue device, in the guise of a legitimate employee-owned device, can wreak major network havoc and security breaches. An unprotected personal laptop can be hazardous to the health of the entire network. The user and device may unknowingly fall prey to hacking and phishing attempts, cause data loss and even jeopardize network security.

4.     Insecure Data Transfer

Secure file transfer server is a common norm in most organizations, and it requires companies to enforce a certain level of encryption and access permission for transferring data over the corporate network. But, with BYOD giving way to so many personal devices, it’s possible that employees may resort to using consumer-grade file transfer protocol and tools to share and transfer data between enterprise systems and handheld devices, which in turn puts data at high risk of infiltration and theft.

5.     BYOD Policy Not Up to Snuff

It’s nothing less than a herculean task to impose IT security policies and guidelines for monitoring and securing employee devices both on and off the network facility—especially given the diversity of types of devices, their multitudinous settings, software compatibility and usage. With the expansion of more personal devices on the network, it becomes increasingly complex to detect and blacklist potentially harmful devices.

Devising a BYOD policy is possible to a certain extent when the device usage is monitored and users are granted access permissions on a case-by-case basis. However, this type of protection will fail should a new device be introduced into the network by an employee or a visitor, or in the event of an upgrade or change of settings on the device. These instances would affect the policy at hand and require it to be revisited and likely revised. In reality, creating and instituting strong and foolproof BYOD policy is more of an evolutionary process, and there’s just no immediate solution for it.

6.     Network Management Mayhem

BYOD can turn into a network management nightmare when there are a myriad of devices connecting in and out of the network. Now, there are more IP-enabled devices to monitor,  allow/deny, more IP addresses to manage, more IP conflicts to resolve, and more end-points to monitor network bandwidth usage. It is certainly possible to keep BYOD management under control when you have the right network tools and security solutions in place such as security information and event management.

Though it may appear otherwise, the viewpoints expressed above are not discussed to present an unconvincing outlook on BYOD. BYOD is here to stay, and we just cannot shut it out. By assessing and understanding the security risks associated with BYOD, IT professionals can be more prepared and equipped to face challenges and security setbacks along the way. Do not restrain BYOD, just be ready to gear up, keep the reins tight, and play safe.

   Vinod Mohan is a senior product marketing specialist at SolarWinds, an IT management software provider based in Austin, Texas.