Should BYOD be banned to ensure corporate data security?
Intercede report suggests businesses are struggling to cope with the security implications of BYOD - is the answer banning it entirely?
If businesses want to ensure sensitive corporate data remains secure, then they should think long and hard before enabling employees to carry it on mobile devices - especially those that aren't owned and managed by the company.
That's what Dr Siraj Ahmed Shaikh, reader in cyber security and leader of the digital security and forensics research group at Coventry University, told Computing in response to a new report by identity security software firm Intercede.
The report suggests corporate data is at risk because workers either do not know what their BYOD obligations are or are simply willing to ignore them.
"By bypassing companies' BYOD policies and not taking regulations into account when accessing sensitive data, employees are leaving the back door open to hackers. CIOs are currently in a difficult position. They either ban BYOD completely or implement long, complex passwords, which are vulnerable and unfit for use on mobile devices," said Richard Parris, CEO of Intercede.
"The widespread apathy towards company data shown by the report highlights the need for companies to act quickly and robustly to protect their own data or risk major security incidents," he added.
In light of the report's key finding, Dr Shaikh said businesses should think about placing stricter restrictions on what information employees can access using their personal mobile devices, which are still widely viewed by IT leaders as a significant risk to cyber security.
"From a corporate perspective, they need to start thinking about this in terms of better control on their networks as to where the data is coming from. We may need to go back and say if your data is very valuable to you, then maybe BYOD needs to be reconsidered entirely," he said.
Dr Shaikh explained that while data could be lost if a phone was misplaced, the technology within smartphones also leaves them vulnerable to being breached by outsiders with bad intentions.
"With mobile devices, it's not just the mobility and the fact they're portable and vulnerable to theft, but also the fact that Bluetooth and Wi-Fi interfaces are accessible and vulnerable to the fact that they're nearby for anyone to try to compromise," he said. "That probably isn't so much of a corporate problem, but a universal problem that's something we need to acknowledge."
Part of the problem, Dr Shaikh told Computing, is that data protection technology on mobile devices is still not as secure as it is for desktop and laptop computers.
"Enforcement of security policies on mobile phones hasn't really come about yet to a point where we can say it's effective," he said.
"On traditional machines you'd have several sign-on policies, good monitoring mechanisms, but a lot of those things are still to be developed on mobile platforms."
A further reason corporate data stored on mobile devices might be at greater risk, Dr Shaikh suggested, is that employees are likely to be more careless in how they use their personal smartphone compared with how they'd treat company-issued hardware.
"Because of the social attitudes to mobile phones, users generally use them [in a more carefree way] than a desktop machine or a company laptop," he said.
"A company laptop has a logo on it, it's in your face, the company has invested in it, you feel more responsible. In contrast, mobile phones are by your pillow late at night or in the morning and people use them to play games or use Facebook. There's therefore a tendency to be more careless when using them."
Dr Shaikh said manufacturers of mobile devices and operating systems need to make it easier for companies to enforce their mobile security policies.
"Big mobile phone manufacturers or OS developers, if they want their technology to be widely adopted by corporate users, they need to then provide for those kinds of lockdowns of functionalities on the platform," he said.
"I think mobile phone developers really need to start providing security functionality and making it explicit to app developers to allow for lockdown and access control on sensitive data – all the security functions we have on PCs."
But what should IT leaders do to minimise mobile security risks? Dr Shaikh said the first step should be to raise awareness of the issue and to persuade users to treat their mobile devices with the same care as they treat their wallet.
"If you leave a wallet full of credit cards lying on a table in your office, people have that emotional attachment to it and feel as if they're leaving their cash insecure. When people leave mobile phones lying around, they don't feel the same way," Dr Shaikh said.
"But it's exactly the same; you can do online banking on it, you can order groceries on it, your personal data is on it and all that can be used and abused, so it's pretty much the same thing. We need to convey those kinds of things."
Dr Shaikh and his research team at Coventry University are one of four specialised units at academic institutions to have received a share of £3m in funding from the Engineering and Physical Sciences Research Council to help combat malware distributed through mobile applications.