BYOD’s “Circle of Risk”

By David Balazsy, VP for APAC at Good Technology

Mobile technology has redefined the way businesses operate, unleashing unprecedented levels of flexibility, collaboration and communication.

Increasingly, Bring Your Own Device (BYOD) policies are the norm in workplaces around Australia. Research shows adoption reaching a critical tipping point, with around two-thirds of Australian enterprises now allowing staff to use personal devices for work.

However, while BYOD policies have the potential to usher in new benefits for businesses, such as productivity gains, higher employee satisfaction and cost reductions, they also increase security risks.

Results from a Good Technology Mid-Market Mobility Trends Survey showed that 50 per cent of organisations with formal BYOD schemes have more security concerns than those without. This is because BYOD introduces a variety of potential risks from security and policy perspectives, as well as for end-user privacy. Mobile device management (MDM), which businesses usually implement when employee-owned devices are in use, is anti-BYOD by design. MDM products can only lock down various features and functions of a particular device and conduct an inventory of all the apps the end-user has installed. They do not add any additional layers of security on top of what the underlying device operating system provides.

The limitations of MDM as a sole-source solution to network security mean BYOD programs are exposed to threats from multiple angles, which can be referred to as the “Circle of Risk”.

Device based risk

Firstly, within the “Circle of Risk” there is device-based risk. This refers to the transformation over the past several years in which manufacturers have delivered world-class consumer products that give users more power and freedom to share information than they have ever had on mobile devices before. Unfortunately, this also means potentially syncing corporate data to consumer outlets (e.g. syncing corporate content to iCloud, LinkedIn etc.). Enterprise security teams are struggling to keep up with this innovative and powerful consumer functionality and, as a result, enterprise data is in regular jeopardy of being leaked.

User based risk

Secondly, there is user-based risk. This refers to end-users who look for ways to take advantage of the same tools they use in their personal lives for work-related tasks, for example syncing their work material to iCloud or personal Dropbox accounts. Without restrictions in place, employees could use storage services such as these to house sensitive company data, which could pose a leakage risk.

Enterprise based risk

Finally, enterprise-based risk refers to users seeking workarounds because the IT department is unwilling to meet user demands around flexibility. Businesses often find that if they do not offer a solution to appease their employees in some capacity, staff will find their own way. For example, employees may begin forwarding work emails to personal email accounts in order to bypass restrictions imposed by the organisation.

Despite these challenges, there are ways to mitigate this “Circle of Risk”. Businesses should adopt security strategies using a layered approach that incorporates ‘containerisation’ as well as policy and end-user education.

Containerisation technology allows for the isolation of personal data from enterprise data on employee-owned devices and can be used in conjunction with MDM tools. As an alternative to taking an all-or-nothing approach to locking down a device (using MDM alone) and setting device-wide restrictions, such as requiring complex device passwords or restricting Siri and iCloud, the containerisation model includes its own application-level security, policy, controls and restrictions. This allows IT teams to deploy corporate apps to BYOD end-users, helping them protect corporate data and not just manage the device.

The end user is often the weakest link in any security model, and educating employees on cyber security is just as critical as the technology being deployed across the organisation. Enterprise security strategies should be designed with a consistent end-user policy around how corporate devices, or corporate apps on personal devices, are utilised. Effective end-user training is one of the most powerful security tools an enterprise could deploy. Educating end-users not only helps protect corporate data, but also helps them in their personal lives, because cyber security threats, specifically around smartphones and tablets, are only going to grow and become more sophisticated in the years to come.

This article is brought to you by Enex TestLab, content directors for CSO Australia.
