The BYOD Mobile Security Threat Is Real

Paul Luehr knows a thing or two about security, the law and "Bring Your Own Device," or BYOD.

Formerly a federal prosecutor and supervisor of the Internet fraud program at the Federal Trade Commission, Luehr is a managing director at Stroz Friedberg, a global data risk management company with a cyber-crime lab. He focuses on computer forensics, investigations and discovery.

BYOD has led to an increase of mobile devices, cloud storage repositories, different kinds of data types, and, of course, data theft by disgruntled employees. "The number of cases we have involving mobile devices has probably doubled in the last three years," Luehr says.

While there's a lot of hand-wringing over BYOD and mobile security - some would say it's "over-hyped" - Stroz Friedberg deals with real cases concerning data breaches. Luehr sat down with to talk about what kinds of threats he's seeing, how companies are reacting, and where they're falling short.

There's been lots of talk about the mobile BYOD security threat. But is it real or hype?

There's a two-pronged answer to your question. Broadly speaking, we usually break down threats against the network into two vectors.

The external vector, which would be the hacker coming in from overseas trying to penetrate the network, continues to come through the traditional avenues and not necessarily BYOD. The people who say that the threat is overhyped may be accurate if they're talking about external threats.

But this leaves out another large dimension of security. BYOD policies certainly have raised the risk to companies with regard to the internal threat. Probably the most dangerous person to an organization is the disgruntled employee who is about to walk out the door. That person has access to the network. With BYOD, they have more ways to connect to that network and move information around.

I think that the security risk, in terms of the internal vector, is already here and quite large.

Have you seen a rise in BYOD data breaches in your business?

Absolutely, especially in the forensics area around employment matters. There are lots of cases we've nicknamed "Bad Leaver" cases, as in, somebody left and it was bad. When an employee leaves for a competitor, there's often concern that the employee may have taken intellectual property.

In those types of cases, we're seeing BYOD come front and center into the investigation. Rather than just looking at the server, email or desktop computer, now we're often looking at the smartphone, iCloud or Dropbox account, or Gmail.

Most of the breaches we're seeing are still directed at the servers where the most valuable and sensitive data resides. However, more and more mobile devices are an avenue to breach an organization. From a pure security point of view, BYOD is presenting many challenges.

You also have a change in attitude and practices, such as many people are involved in social media. We're seeing the bright line between home and work disappearing. Employees are becoming a little bit lax about the type of sensitive information they bring home to work on, maybe a list of credit card numbers of customers or source code that a company relies upon to really distinguish itself in the market.

Once they bring it home, the [information] could be subject to sharing across different devices and repositories. Have they shown it to a friend or family member?

Companies respond by toughening up BYOD policies. Is this a good countermeasure?

Sound and comprehensive policies and procedures are certainly needed in the modern BYOD environment, but they're often not good enough by themselves. Most policies need to be updated to take into account the various places that employees will be using their devices, such as home use, the avenues through which data can travel, and the different types of communication that are occurring, such as Facebook, Twitter and text messages. They also need to come with good training and practices behind them.

Recently, the head of my lab and I put together a top ten list of security assessments based on the breaches we've seen. One of them is the lack of any consequences for poor security at the individual level. We think it's a good policy to make sure that security is not just part of an overall HR policy but, especially for some people, it's part of their annual performance evaluation.

A bad leaver is going to wreak havoc anyway. Isn't this more of an HR issue than an IT one?

Good policies come from the top down and through the HR department. There should be consequences for both good and bad behavior. That is the human side of it.

But it's not just about the humans. You also have to have a lot of network controls in place. I don't think HR can pass it off on IT, or IT can pass it off on HR. In fact, the number one issue we see in our security assessments is the lack of appreciation for security at the top levels of a corporation.

Does a BYOD policy open the door to hidden legal costs?

Yes. In bad leaver cases, the hidden legal costs come from the additional collection and review that must occur whenever you have a number of mobile devices involved in a case.

You're going to have more data, more types of data, more devices, more repositories. Instead of grabbing a forensic image of a laptop or desktop, now you need to have four or five different forensic images to grab. In the messiest situation, you'll have a lot of co-mingled data typically occurring on a home computer and in a home email or cloud-based account.

Not only do you have the collection costs to deal with, you also have an additional gatekeeping step that must be completed before attorneys can even put eyes on the information. More and more employees are demanding that their personal information be kept separate from the business information subject to litigation. Companies may have to hire a forensics shop like ours to separate the wheat from the chaff.

Have you seen BYOD lead to a security breach?

The most common way BYOD policies affect data security and breaches is in the cross-pollination of passwords. A person is probably using the same or very similar password as the one they use on their home devices.

We actually had a call with a client with the FBI on the line. In one of the large public data breaches that's been highly publicized, the FBI saw the list of published consumer names, addresses and passwords and recognized one of the names - a high profile IT manager or engineer for a significant technology firm. The FBI called up the company to tell them that this person's personal email account had been hacked and that they might want to check up and see if it affects them.

Sure enough, the person had been logging in from home into the corporate network using the exact same personal user name and password. Fortunately, no breach had occurred, and they were able to close that loop. It was just coincidence, luck and a good FBI agent to recognize that person's name.

This shows the cross-pollination that often occurs when people start treating work devices as home devices and vice-versa.

Is there a mobile security blind spot?

Text messaging underlies a lot of interest in what's new and different.

In the old days, you really had two sources of documents that you were concerned about. One was email, the other e-docs, such as a PowerPoint presentation, a Word document, Excel spreadsheets, sometimes engineering drawings. You'd search the file server and email server implicated in the investigation, as well as the employee's workstation.

With mobile devices, you have not just the devices and repositories but the type of information coming off those devices that's different. In particular, text messaging appears only on the phones and nowhere else on the corporate network. Service providers can only provide you with information such as connection times and numbers connected, maybe volume of information, but they're actually not saving the content of individual messages.

So while a bad leaver may have communicated with their new employer through maybe even a personal email account, now it's increasingly common to see them text messaging their buddies across town and conveying private or valuable information that way. In the most nefarious cases, some messages on systems such as Snapchat are designed to disappear even from the phone itself.

Could mobile security be the downfall of BYOD?

If companies turn a blind eye towards mobile devices, they're going to infiltrate the workplace anyway. A sounder course of action is to accept reality and realize that BYOD and mobile devices are part of our future, and then construct sound policies and practices.

You can't control all actions, but what you should do is foresee those actions and control the consequences to the extent possible.

Tom Kaneshige covers Apple, BYOD and Consumerization of IT.
