BYOD – Security Considerations in a BYOD Culture

The ‘bring your own device’ movement has put security pros on high alert for a new breed of predator who is on the hunt to find ways to exploit the ever-expanding attack surface.

When employees started to bring their BlackBerrys and laptops to work more than a decade ago, CIOs had few security concerns. In large part, it was just the C-suite who found it easier to live in the mobile space rather than on a PC.

Once smartphones came along, though, it became clear that employees were intent on using their own devices to conduct work-related transactions. That marked the start of the bring-your-own-device (BYOD) movement – and a new breed of security predators on the hunt to find ways to exploit the ever-expanding attack surface.

“Incident detection such as lost devices versus breached device or actual versus suspected breach is also a problem. Confidential information is being sent or received over an unsecure channel,” researchers wrote back in 2013, in a paper noting the security challenges that evolved from companies enabling BYOD. “Many mobile devices are always on and connected, so the vulnerability to malicious attacks increases through different communication channels.”

The Evolution of BYOD
Let’s start with a look at the BYOD landscape. As it is with most things in technology, security wasn’t the first factor considered when employees started using their personal devices for work purposes. The convenience of checking email on a personal device yielded greater productivity, and that was the main focus.

Security teams accepted this benefit, as well as employees’ growing demand for more control over how and where they worked. This, in turn, enabled the proliferation of devices. Apple’s iOS devices really moved the needle. It started out as employees saying, ‘I want to have one phone, not two.’ As the devices got smarter, access to those services became a lot more prevalent, which resulted in a downward adoption that really started from the top.

The Evolution of BYOD Risk
Privacy considerations and the potential that devices could be lost or stolen were some of the security concerns that emerged early on in the BYOD movement. Gradually those concerns grew to include users accessing and transferring corporate data over unsecured networks. Then data leakage and malicious apps raised alarms.

From an attack landscape perspective, these connected devices increasingly became (and remain) an attractive threat vector for attackers. Innovation has rapidly changed the ways we use technology, which has delivered us to a place where the devices themselves are more sophisticated and have greater access to corporate information and other highly valuable assets.

Now, the concerns of security professionals include phishing attacks, business email compromise, and ransomware attacks on mobile devices, according to recently published research.

More and more emails are opened on devices, and criminals are aware of that rampant acceleration. They are betting on the fact that most employees will open email on a personal device.

But malicious actors aren’t just rolling the dice. As with traditional attacks on the network, the BYOD attack life cycle begins with the first stages of reconnaissance and exploit. Once criminals are able to compromise a device, they can extract critical data and then move laterally.

Cybercriminals are tailoring their phishing attacks accordingly, email in particular, because a message appears very differently in Outlook on a desktop than it does on a smartphone. They can optimize the subject line and to/from bars in a way that is easier to spoof.

Blurred Lines
How to secure devices has been one of the greatest challenges that came along with the widespread adoption of BYOD. The issue was not only securing devices, but securing them on par with all other technology within the entire ecosystem.

What stood in the way of finding clear-cut answers to those security questions was being able to identify where the company ended and the personal life began. On one hand, the line between work and personal was getting blurred, but the productivity gains were phenomenal. Employees and the resources they needed were accessible on channels that let employees communicate and collaborate with colleagues.

The question then became, how do we meet in the middle? Over the course of a decade, organizations have been implementing different security strategies. Organizations, IT, and security have started taking BYOD more seriously and looking at solutions from the people, process, and technology perspectives, with more endpoint solutions serving as a first line of defense.

The answer centered on the company’s ability to gain visibility into and control over a device it didn’t own, and to be refined enough to apply that visibility and control only to the services and capabilities it wanted.

The Future of BYOD Security
The need for both visibility and control has given rise to technologies that enable access to both the personal and work environments.

The more mature, security-minded organizations are using a model that will likely be the direction many organizations take as they develop their BYOD policies. These companies are driving security into the services that they are allowing for those consumer devices and providing free or corporate-owned security capabilities on those devices.

In order to stay ahead of the adversary, organizations need the visibility that comes from the consumer products coupled with the intelligence afforded in the corporate environment.

Now we have more mature solutions that provide security on mobile devices and laptops, making sure the company is not monitoring access to personal data while also making sure that malware isn’t encroaching and that those workstations are patched.