
The new security risk?

How IT can balance convenience and control with BYOD

Sixty-nine per cent of Canadian companies permit some form of BYOD (bring your own device) — meaning anything from laptops accessing databases every day to iPhones occasionally checking work email — according to a survey by market intelligence firm IDC. Yet fewer than 41 per cent of companies have official policies on the use of personal devices for work.


Even with BYOD policies in place, enforcement is challenging as IT staff lack time to physically check each employee’s device for things such as proper passcoding.

Google BYOD and cybersecurity and you will discover armies of tech gurus, often employed by software marketing companies, pushing mobile device management (MDM) software. These applications are installed onto private devices to monitor all activities, from security upgrades to downloaded games. MDM returns more control to IT security: they can pinpoint which phones have “riskier” apps, or have disabled the passcode requirement.

However, for some, this close monitoring challenges privacy expectations. Ty Heddon, virtual chief information officer with IT solutions company Smart Dolphins, believes using MDM to enforce security policies may be a step too far. “Monitoring systems tell you where that phone is, so not only is your employer tracking you, but what type of software are they using for this? Who’s managing it? And where does this data go?” says Heddon.

We reasonably expect privacy on our personal devices, but what about the privacy of an organization’s clients? Recently, we’ve heard of major breaches of medical data in Canada, with at least one traced back to a lost device. Heddon agrees that the most common threat to mobile devices is not malware attacks, but lost or stolen devices.

The best way to prevent data breaches is boring old passcode protection — an easy requirement, but challenging to enforce. “People fight passcodes like they used to fight seat belts,” says Heddon.

Once a non-passcoded phone is lost, it’s incredibly easy for a thief to email co-workers and clients to obtain even more secure information. Another major issue is password strength and uniqueness. Fifty-five per cent of adults use the same password across multiple accounts, and 26 per cent use easily guessable passwords, such as pet names or birthdays. Why is this a big deal?


Everything is so interconnected that if your email account is hacked, for example, that person can reset your password and then scoop confidential data, says Heddon. Once a hacker has determined one password, they’re going to try it in every account they can. Heddon suggests using a password manager, such as LastPass, which generates passwords as challenging as each account will allow.

Nearly all cybersecurity departments have the right to wipe personal devices clean if a breach is detected, whether clearing company email, or a full factory reset — dumping an employee’s personal photos, videos, and apps. Even if an employee’s own security practices are impeccable, a co-worker’s breach or an outside attack on the company server could still trigger a wipe of a non-offending employee’s phone. “It’s not always easy to tell which device has been compromised,” says Heddon. “You might decide to wipe them all.”

Even apps like Facebook and Dropbox can be breached. But, says Heddon, “the risk of Facebook being hacked and stealing all of your info is probably less than that free flashlight app that’s only been downloaded 1,000 times and written by who knows who.” He also cautions against some untested productivity apps. “If you’re using a to-do list app and putting in your client’s details for an appointment, who are you sharing that information with?”

BYOD is on the rise. Make sure your organization’s security protocols keep pace.