BYOD = BYOM: Bring Your Own Malware

Posted by virtualization.info Staff   |   Monday, February 9th, 2015

This is a guest post by Debra Shinder.

BYOD – Bring Your Own Device – is still a big deal, but a little of the initial shine is beginning to wear off as organizations deal with the reality of a workplace full of laptops, tablets and smart phones that they don’t own and thus can’t completely control. The idea of shifting hardware and some of the Internet service costs to employees – and having them not only go along with the idea but be happy about it and bump up productivity – is the stuff of a budget-minded manager’s dream.

A study last year from mobile management company Visage found that for companies that pay for employees’ mobile services, the typical cost is almost $1500 per employee per year. That includes a great deal of personal use of those “work” devices.

That explains why so many organizations have so enthusiastically embraced the concept and have expanded it to the point where they no longer even reimburse personnel for service plans. Gartner predicted in May 2013 that by 2017, around half of the companies in the world will stop providing company-owned devices to employees altogether, with another 40 percent offering BYOD as an option. In a study released last year, Cisco estimated the savings of a BYOD program at over $3000 per worker.

However, those numbers tell only part of the story. Depending on your already-existing security mechanisms, the savings can be offset by the need to implement new and stronger security measures to counter the increased risk.

The problem with BYOD is that users of mobile devices who think of those devices as “their property” are often more concerned with usability/convenience than with security, and IT pros know that the two reside at opposite ends of a continuum; in most cases, the more you have of one, the less you have of the other.

Mobile users fail to update their operating systems and applications regularly, many allow other people to borrow their devices from time to time, most won’t activate password/PIN/pattern/biometric lock screen protection unless they’re forced to do so, many think nothing of logging onto unsecured wireless networks when traveling with their devices, and a large number have at some point lost their devices or had them stolen.

At the same time, hackers and malware authors/distributors are increasingly focused on designing malicious code for mobile devices. This can take the form of spyware, SMS Trojans, backdoors, etc. Many users download and try out numerous apps, often on a whim and with little or no regard for security.

When users go “off the clock” and venture into the wild west of the Internet with unmanaged devices, they are at high risk of incurring malware infections. They then bring that malicious software back to your network, where they may access sensitive corporate files and unknowingly put confidential data at risk. That’s why it’s imperative that every company’s BYOD program include a mobile device management (MDM) system that lets you enforce security best practices on the devices that connect to your resources.

It might have been iOS that started the mobile revolution, but currently Android is the most popular mobile operating system in the world, with approximately 85 percent of the worldwide market as of the second quarter of 2014. It’s no surprise, then, that Android is also the favorite target for attackers and malicious coders. Forbes reported a few months ago that 97 percent of mobile malware is found on Android devices. It’s worth noting that the vast majority of these malicious apps are downloaded from third-party sources, not from the Google Play Store.

But regardless of the mobile operating system(s) in use, it’s essential that companies deploying BYOD do a thorough risk assessment and take steps to protect against the mobile malware threat. Otherwise, the cost savings of employee-owned devices could pale in comparison with the cost of a security breach, which the Ponemon Institute’s 2014 report pegs at an average of $3.5 million.

To find out more about mobile device security, go here. To read more about security in the cloud, go to the Security section on CloudComputingAdmin.com.