BYOD employee freedoms compromise security, expert warns

Companies may be embracing bring-your-own-device (BYOD) strategies at a rate of knots, but without a more holistic approach to security even the protections on managed devices can be circumvented by employees, deliberately or unintentionally, one security expert has warned.

“If you take out your credit card and pay for a SaaS service, you can get around security,” Ian Yip, identity, security and governance business manager with security firm NetIQ, told attendees at a recent NetIQ security seminar.

“Employees may buy it from Amazon or get it for free from Google Apps, then collaborate with colleagues using their own personal identities. But Corporate doesn’t know about it, and they’re exposing corporate information into the cloud without IT knowing about it.”

Practices such as bring-your-own-cloud (BYOC) reflect the difficulties inherent in locking down corporate data using conventional means, Yip said. As another example he cited the ability of modern mobile operating systems to post data directly to Facebook and Twitter from the device itself, bypassing the conventional Web-based access controls that sit on the corporate network.

“As you move down the stack to the application and then down to the operating system layer, it’s harder to do security and harder to secure,” Yip said.

“There are more holes – and more and more technically savvy people joining the workforce. They may not be part of the IT department, but they can easily spin up an Amazon Linux server and decide to build everything on top of it without the IT people necessarily being aware.”

Indeed, while most organisations recognise the need to manage employees’ mobile devices to keep them secure, Yip said many companies making BYOD investments find their efforts stymied by users’ discomfort with the idea that their activities may be controlled or monitored.

One large and well-intentioned company, Yip said, bought 15,000 licences of mobile device management (MDM) software to cover all of its employees’ smartphones, but because installation was opt-in and most employees declined, only 400 licences were ever taken up. This left the company significantly out of pocket and still lacking the security framework it needed to make BYOD work.

This sort of experience, Yip said, highlights the need for companies to look past their preconceptions about BYOD – in particular the idea that it will save money. Rather, employees may not only introduce problems through their mobiles, but make those problems worse when they try to fix them themselves.

“It’s not a cost saving,” he said. “You’re actually just shifting the cost to having to deal with this new thing you have no control over. Don’t be mistaken into thinking this is a benefit.”

To ensure that BYOD, cloud and other user-empowering trends don’t compromise security, companies need to look past the devices and ensure that the data itself is appropriately protected.

This includes the enforcement of access control policies, encryption of data in situ and in the cloud, monitoring of data access, and implementation of identity and access management (IAM) frameworks that provide federation of identities across applications both online and off.

By focusing on protecting the data rather than on the sense of personal empowerment that BYOD can bring, companies can reward employees for being forthcoming about the devices and services they use, and encourage the responsible behaviour that should come with the privilege of BYOD.

“The lines between personal and business are blurring,” Yip said. “Know what you are protecting, monitor and know what’s going on. Policy will make it easy to understand, and make it easier for people to do the right thing. Without it, you’re flying blind.”


Tags: BYOD security
