What Are The Risks Of Bring Your Own Device (BYOD) Application In Terms Of Information Security?

This article considers the risks of “ Bring Your Device” method that enables using personal mobile devices in business life in terms of information security and the policies that should be followed by the companies. Additionally, solutions for risks that might emerge with BYOD method are considered and statistical information related to the companies that use this method are provided.

Today, mobile devices have continuously increasing usage area. From hospitals to medical applications and ordering in restaurants, mobile devices show differences in terms of information on the devices. Instead of using different devices in private life and work life, completing the work of the workplace from personal devices enables easier access to information. 33% of the employees in Germany work with bring your own device method [1]. However, this method leads to problems in terms of device and information management. For example, connecting a mobile device with a corporate e-mail to a public and insecure network creates security vulnerability for the e-mail and information in the e-mail. To make mobile devices secure in terms of information security, new policies called “ BYOD” that ensure personal device use in corporate workplaces emerged. These policies aim to make corporate use securer and manageable with personal use of the mobile device.

2. What Type Of Policy Should Be Followed?

Undoubtedly, bring your own mobile device applications creates security risks.  Although institutions that have critical information take security precautions in the institution, taking the information outside with the mobile devices make these precautions void. Different information security policies should be followed depending on the sector that the mobile devices are used. For example, applying the same policies for mobile devices that provide educational benefit in schools [2] and mobile devices that have critical information will lead to problems in terms of mobile device use.

If a firm is working with bring your own device policy, it might be assumed that employees will synchronize the mobile devices with their computers at home. Transferring the information on the mobile device to another medium will make the information security unmanageable.  Since users often store the information on the computer (photograph, video, e-mail) on the cloud, critical information can be easily taken outside. Moreover, the computer might have malicious software. Therefore, institutions should first make sure that corporate information is downloaded only on the desired device and there is no information leakage.

67% of the employee use their own mobile devices at the workplace and mainly read their e-mails. Malicious software can inject the mobile device and do various operations from sending SMS to stealing data. In this situation, critical information can be accessed by unwanted individuals. As a solution, it is necessary to organize mobile devices in a way that these e-mails cannot be accessed by third parties and the folders on the mobile device must be stored and managed on a special field.

Connecting mobile devices to wireless networks might cause the mobile device to be infected with malicious software as well as taking critical information outside if the device is connected to an insecure network. If the wireless network is insecure when the mobile device connects to this network, attackers that are connected to the same network might analyse the data traffic. In this case, although critical data is safe on the mobile device, such data might be captured by the attackers if transferred via an insecure network. Therefore, wireless network connection should be limited and necessary precautions should be taken for the information security of the mobile devices.

2.1 Policies That Should Be Implemented by Companies and Some Realities

Here are some realities:

• Without adequate controls and policies, information technologies departments deal with various problems if the user’s own devices are permitted to access to the corporate network.
• By accessing the corporate network and data anywhere, anytime and with their own devices, employees become more flexible and productive.
• BYOD might be adventurous in economic terms. Various companies started to use the BYOD model to decrease costs.
• Generally, mobile users do not worry about managing the security of their own devices. However, these users consciously or unconsciously do things that might risk the company.

In addition to these, employees are held responsible for company information security and these employees might lose their job in case of any data loss. Bill Versen, mobile solution director of Verizon Enterprise Solutions stated that “ Last year, I was sitting with a group of CIO about challenges to transfer to BYOD and how did they create the principles. Some of them said that they have a principle that employees will lose their job if they lose their phone and do not report it in 24 hours.”

In this process, it is important to provide the necessary training to the employee before holding the employees responsible for information security. Kaspersky Lab Turkey General Director Sertan Selçuk stated that it is almost impossible to ensure corporate security with only antivirus solutions against higher and more complex mobile risks. Sertan Selçuk state that the role of HR is to train employees against IT threats. Selçuk also expressed the importance for HR to develop security policies to be implemented in the company and make sure that these policies are implemented.

3. Research Related to BYOD Application

Research conducted together by Kaspersky Lab and B2B International showed that only 9% of the institutions believe that it is possible to prohibit using personal smartphones for the employees. 29% of the institutions provide full-access to access the data on corporate networks with employee mobile devices. 55% of the companies express that they are worried about mobile device management while 29% state that they have already experienced problems related to stolen or lost mobile device. However, only28% of the companies around the world state that they started to use “Mobile Device Management (MDM)” technology.

The results of another study on this topic are as follows:

• 81% of employees use personal electronic devices for work purpose.
• 31% of employees use personal electronic devices to connect to the company network.
• 66% of the companies with employee connection do not have any network security policy.
• 41% of company IT managers are not satisfied with company network security policies.

4. Result

Mobile devices are becoming indispensable every day. If mobile devices that are used more than computers are not managed adequately, security vulnerabilities might emerge. When these security vulnerabilities are successfully exploited by the attackers, critical information can be easily extracted. Today, mobile devices are affected by malicious software more than computers. Supporting bring your own device policies due to ease-of-use and cost-effectiveness, carrying one device instead of two devices, faster operations will continue to increase although there are information security vulnerabilities. Both individuals and institutions are responsible for protecting the privacy, integrity and accessibility of the information on the mobile devices. Employees must comply with company policies. Institutions must both respect personal information of the employees and follow correct policies to protect the critical information.

References

1. BYOD Bring Your Own Device Georg Disterer*, Carsten Kleiner 2013
2. Bring Your Own Device (BYOD)” for seamless science inquiry in a primary school,Yanjie Song,2014
3. http://media.kaspersky.com/en/business-security/Kaspersky-Security-Technologies-Mobile-BYOD.pdf
4. McAfee. “McAfee Labs Threat Report” http://www.mcafee.com/hk/resources/reports/rp-quarterly-threat-q1-2014.pdf