Are Employers and Employees Aware of the Risks of BYOD to Business? – A Literature Review.
BYOD, or Bring Your Own Device, emerged many years ago as a change in the way business is conducted. Companies traditionally had the technology to build closed networks and provided the equipment used to access them. BYOD allows personal devices to be connected to these networks and costs companies much less, as there is no need to buy extra equipment for a user or employee. BYOD exploded in popularity as smartphones and mobile devices such as laptops became much cheaper for the general public to buy, meaning companies no longer have to issue additional hardware for work to be completed.
BYOD can be a useful tool in business, as it makes employees more productive by letting them work with the tools they prefer. Employees previously needed many devices, e.g. one to make calls, a laptop for work and any other device they might need to carry for business, but that need has been eliminated by having one device that can do all of these. BYOD can also decrease the IT department's support costs by reducing the need to purchase new hardware.
The infrastructure needed to support BYOD must admit personal devices to the network only as approved devices and must not allow any unauthorised device to run on the network. When a person leaves or is terminated from the company, their device and data access should end as well. Security precautions such as a Mobile Device Management (MDM) system should be put in place to protect the data stored on BYOD devices.
This literature review will analyse research conducted by others to identify the main risks of BYOD to business. The risks will be highlighted and analysed, with academic reviews supporting the theory.
What are the risks to businesses? (Scientific / Academic Content):
Increased risk of Data leaks:
As more people bring BYOD devices to work, each person creates an extra risk of data being released onto open networks, i.e. the Internet, which increases the reliance on IT departments to secure BYOD. Mobile devices like tablets and phones are the biggest risks, as they are more prone to attack and require regular updates and patches (US et al, 2018).
Employees who share work-related data from BYOD devices through unauthorised or third-party apps potentially risk company data being corrupted. To prevent this kind of attack, companies need policies and procedures that control how data is accessed, used and shared between applications and users. Data leaks can be prevented by proper employee training, company-owned apps or, in certain cases, content protocols applied to the device (Sthanu, 2018).
A study conducted by Skycure (2016) found that BYOD is becoming a recognised trend within enterprise and a modern company advantage, yet most companies allow employees to use BYOD without any security. 61% of participants wanted BYOD to improve the mobility of employees and 51% wanted it to increase job satisfaction for employees. 30% of companies taking part in the study planned to put more time and budget into BYOD security. The four main concerns about BYOD found by the Skycure (2016) survey were (Kholi, 2016):
• 72% Data leaks or Data loss
• 56% Unauthorised access to Data and Systems
• 54% Users downloading non-secure apps and content
• 52% Malware
Targeted attacks and vulnerability exploitation are key security issues for current organisations. The “DressCode malware family” disguised itself as themes and games within the mobile marketplace and shows just how easy it was to infiltrate a company network to steal data. BYOD used in this manner, to download third-party applications on a company device, opens doors for attackers to gain company information (Sans.org, 2018).
Users often place the business at risk themselves by not applying regular patches and updates to their personal devices. Out-of-date software and unpatched, jailbroken or rooted devices can be exploited through their vulnerabilities. Rooted phones can sometimes be impossible to patch, and although rooting gives great functionality, it leaves a massive compromise to security (Trendmicro.com, 2018).
This is also noted by Romer (2018), who states that “Until the new technologies mature, security teams find themselves racing to patch vulnerabilities, educate users, fine-tune processes and deploy new security solutions.” This shows that current awareness surrounding BYOD is in the early stages of being properly managed or governed by an official representative, i.e. the government.
Recently, Mobile Device Management (MDM) programs have been introduced that allow organisations and businesses to block malicious and third-party applications before they can be installed. Companies would be more likely to look into “endpoint security solutions that can provide comprehensive features such as behaviour monitoring, vulnerability and browser exploit protection, web reputation, and anti-malware features.” (Trendmicro.com, 2018).
Mixing of Business and Personal Data:
The saying “never mix business with pleasure” holds true in today's connected society. Social and business lives are now very mixed, and separate work hours and personal time are a distant memory as more and more people opt to complete work on BYOD devices, either at home or out of the office. Technology therefore needs to advance to allow for this dramatic change (Romer, H. 2018).
A study conducted by Tech Pro Research shows that 74% of the companies they tested are currently using or planning to implement BYOD policies in the workplace. With BYOD becoming a dynamic change, companies must either adapt to these new patterns of device use or suffer the potential consequences of having data leaked by personal devices (Romer, H. 2018).
Currently there is software available, known as a Virtualized Mobile Infrastructure System or VMI, that allows users and employees to access company data through a virtual portal running on a company server. The server keeps personal and company data separate from each other and provides extra security to the company, as no files can be saved locally on the user's device (Trendmicro.com, 2018).
Another survey, conducted by MSI Research for Intel Security (Doyle, 2018), found that “80% of respondents use their work devices for personal use and their personal devices for work. Many employees can work from wherever they happen to be and use whichever device they happen to be using at the time.” The survey found that more and more companies are implementing BYOD policies to encourage the use of personal devices, both to save on equipment costs and because securing one virtual portal is easier than securing many devices. The survey's respondents believe that it is up to the company to keep “work data safe.” This includes any BYOD device they may use for company data; 75% of respondents are confident their company protects these BYOD devices (Doyle, 2018).
Here are some statistics from the report relating to the use of BYOD in personal and business environments:
• 78% indicated that they use their personal devices for work-related activities
• 79% stated that they conduct personal online activities on company-issued devices
• 40% of employees work from home or “wherever”
• 65% of respondents feel the IT department is responsible for protecting personal data on their work device
• 77% of respondents are confident that their employer is taking the necessary steps to protect all important data
• 61% of activity at work is personal, confidential or private (Doyle, 2018).
Many users do not protect their BYOD device with a sufficient password, or opt for none at all. They use no form of security on their devices, or if they do it is very basic, with very simple passwords chosen for ease. This leaves their BYOD device compromised in the event that it is lost, stolen or hacked (Dacanay, 2018).
For businesses that already implement a BYOD policy to secure usage, “acceptable use policies and passwords were the most popular measures”. Passwords may, however, be a particular vulnerability in these policies, as users do not choose appropriately complex ones. In an interview with Tom Kaneshige for CIO Magazine, Federal Trade Commission executive Paul Luehr highlighted that even though BYOD policies are in place and may be secure from the risk of hacking, the biggest risk would be employees having unsecure devices lying around.
The other risk to password protection is “disgruntled employees” who, on being let go, may leak the password after they have left. The line between home and work is disappearing and employees now engage in risky behaviour, “like using social media on corporate networks”, which could eventually lead to the sharing of information “carelessly or wilfully via cloud services” (Leaver, 2018).
A report undertaken by Bitglass found that 1 in 4 companies do not have a multi-factor authentication process in place, which is known to be a “well-known enterprise security gap”. Single-factor authentication, using passwords to access company data, has recently resulted in high-level breaches at one of the biggest companies, Microsoft. “Enterprises often misjudge the effectiveness of traditional security solutions, many of which are readily bypassed,” says Rich Campagna, CEO of Bitglass. “The BYOD boom exposes organizations to risks that can only be mitigated with data-centric solutions that secure access.” The study gathered that three quarters of businesses already have encrypted and on-premise firewalls in place, but more and more are starting to adopt secure web gateways and cloud access to keep up with BYOD security (Barker, 2018).
Lost and Stolen Devices:
A study conducted by Ernst and Young (2013) found that around 22% of mobile devices will be “lost or stolen during their lifetime” and that 50% of these lost or stolen devices “will never be recovered”. Most of these devices are stolen not for their content but for the device itself, although gaining access to these devices for information is also growing. With personal and company data now being mixed on one device, the risk of information leaking into the open is now a very dangerous possibility (Dacanay, 2018).
Nowadays it is common to find company data on a personal device, which means that when a device is lost or stolen, company data is lost as well. Data stored on these lost or stolen devices is more than likely used to breach company systems. It is shown that 46.5% of companies that allow BYOD devices to access the company network have experienced some sort of data breach (Trendmicro.com, 2018).
“According to Bitglass, over 68% of health care data breaches occur when devices are lost or stolen. You will need to ensure that your employees are using a secure PIN code and that they are keeping all applications up-to-date”. Companies in this instance may use Mobile Device Management (MDM) systems to wipe lost or stolen devices from the company back-end. Sometimes the device does not need to be wiped, and companies can simply remove their own data from devices in this way. Provided the IT department can identify the devices connected to the network, it can regularly perform penetration tests, making the system more secure.
The use of BYOD is growing in the business world and reflects the increasing popularity of mobile devices in the workplace. This calls for strict training to be put in place at companies that adopt BYOD, and it means that most IT departments need to implement an infrastructure that applies to all devices, where users can download applications and content without risking any company data (Training Industry, 2018).
Allowing an employee to bring “any device” can compromise a company's data by bringing in malware or other viruses. The IT department may specify which devices are allowed on the company network, as it will need to perform checks to see whether any devices are “rooted” or “jailbroken”. Having a system such as MDM in place allows the IT department a certain amount of control over these devices, and with added training users and employees would know which applications are allowed on their device (Pappas, 2018).
Employees cannot be kept out of the loop when it comes to BYOD, as ongoing training and monitoring will be necessary for the IT department to keep tabs on any malicious activity. The only way to get around the BYOD boom is to provide each member of staff with a company-registered and monitored device. Because this can be very costly, it is easier to train staff on the use of their own BYOD devices while keeping the company's interests safe (Globalknowledge.com, 2018).
To implement BYOD training, every employee needs to be on board: they need to know how to use their devices in a safe manner and be aware of the support that is available to them when using their devices within a business setting. Assigning an IT officer for training would be advantageous to any company that employs a BYOD policy, as this person would oversee all training for the BYOD policy (Pappas, 2018).
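The device checks described in this review (approved devices only, access ending when an employee leaves, rooted or jailbroken devices, patching, a PIN, and removing company data from lost or stolen devices) can be combined into one admission decision. The following is an added example, not code from any MDM product or from the cited sources; the record fields, the 30-day patch threshold, the action names and the sample fleet are all assumptions.

```python
from dataclasses import dataclass
from datetime import date

MAX_PATCH_AGE_DAYS = 30  # assumed policy threshold, not taken from the sources

@dataclass
class Device:
    # Hypothetical inventory record, as an MDM agent might report it.
    owner: str
    model: str
    rooted: bool            # rooted or jailbroken
    has_pin: bool
    last_patched: date
    reported_lost: bool = False

def evaluate(device, approved_models, active_staff, today):
    """Return (action, reasons) for one device asking for network access."""
    # Revocation cases come first: they remove company data, not just access.
    if device.owner not in active_staff:
        return "revoke_and_remove_company_data", ["owner has left the company"]
    if device.reported_lost:
        return "revoke_and_remove_company_data", ["device reported lost or stolen"]

    reasons = []
    if device.model not in approved_models:
        reasons.append("model not on the approved list")
    if device.rooted:
        reasons.append("device is rooted or jailbroken")
    if not device.has_pin:
        reasons.append("no PIN or passcode set")
    patch_age = (today - device.last_patched).days
    if patch_age > MAX_PATCH_AGE_DAYS:
        reasons.append(f"last patched {patch_age} days ago")
    # Any failed check keeps the device off the network until it is fixed.
    return ("quarantine", reasons) if reasons else ("allow", [])

# Constructed sample data for illustration only.
TODAY = date(2018, 6, 1)
APPROVED = {"PhoneA", "TabletB"}
STAFF = {"alice", "bob"}
FLEET = [
    Device("alice", "PhoneA", False, True, date(2018, 5, 20)),
    Device("bob", "PhoneA", True, False, date(2018, 1, 10)),
    Device("carol", "TabletB", False, True, date(2018, 5, 25)),
    Device("alice", "TabletB", False, True, date(2018, 5, 28), reported_lost=True),
]

def audit(fleet=FLEET):
    return [evaluate(d, APPROVED, STAFF, TODAY) for d in fleet]
```

Calling `audit()` returns one decision per device in the sample fleet, with the reasons a help desk would need to tell the owner what to fix.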
Aims and Objectives: