This post first appeared on Risk Management Magazine.
In the decade since the iPhone was released in 2007, mobile device adoption has exploded in the workplace. Bring your own device (BYOD) policies are proliferating at a faster rate than the use of corporate-owned devices. Many security teams have moved to control corporate-owned devices with enterprise mobility management programs, and some go as far as actually securing these devices with mobile threat defense solutions. For the most part, however, employees’ personal devices are left unprotected.
Some believe that it is the employee’s responsibility—that IT only needs to care about protecting corporate assets and corporate data. But there is now sufficient evidence that BYOD not only brings huge cybersecurity risks to the enterprise, but even poses a major national security concern.
In October, Politico broke the news that White House Chief of Staff John Kelly’s personal device was compromised as far back as 2016. Kelly reported that his phone stopped working properly in December, after he entered the transition office space, yet he kept using his device until he turned it in to the White House IT team in August. During that time Kelly also served as secretary of Homeland Security.
Officials are scrambling to determine how Kelly’s device was compromised—whether it was signed onto an insecure wireless network, whether a malicious actor or foreign government had physical access to the device, or whether a remote exploit was leveraged. The White House is also exploring new rules for personal devices, including banning them from the president’s residence and the West Wing. But at present, no rules have been implemented and many aides continue to use personal phones in the workplace.
The National Security Agency warned White House staffers during the transition to avoid using personal devices and email. With multiple cameras and microphones that can easily be controlled remotely, smartphones make the perfect spy tool. If attackers gain control over a mobile device, they can monitor a user’s every move, read all communication, including text messages and emails, access the address book and calendar, and record videos or pictures.
Reports also emerged in October that Russia is hacking into the personal devices of NATO soldiers who are stationed near the Russian border. The hackers are not only compromising these personal devices, but also the soldiers’ online accounts like Facebook and iCloud. The malicious actors are reportedly using highly sophisticated tools, including special antennas and drones specifically equipped to compromise phones.
Addressing the BYOD Threat
By now, we should all know that personal mobile devices are being used at work. These devices often access corporate email, documents and Wi-Fi networks. That should be reason enough to manage and protect these devices with enterprise mobility management and mobile threat defense solutions. Even in environments where users are given a corporate device but are allowed to have personal devices on their person, the recent news confirms that BYOD risk is a real concern in any workplace. Even if it does not have direct access to corporate data, a compromised personal device could easily record sights and sounds, enabling attackers to access private or privileged content and conversations.
In order to combat this threat, IT and security teams first need to acknowledge that mobile devices present a huge cybersecurity threat to their organizations. All mobile devices, whether BYOD or corporate-owned, need to be managed and protected.
Some worry about the privacy implications of managing a personal device, but most enterprise mobility management products have “privacy modes” that enable IT to secure the devices without “spying” on users. Further, employees are hungry for mobile security solutions to protect their own data and privacy.
That means user education is crucial. Without addressing the human element and changing user behavior for the better, users will make the same security mistakes over and over. Users do not download risky or malicious apps or connect to risky Wi-Fi on purpose. They do so because, without being armed with the right security solutions, they do not know any better. The good news is that, unlike with other enterprise security concerns, mobility creates an opportunity for IT and security teams to make it personal. If you ask an employee to help protect the company network, they may not be interested, viewing that as an IT concern. If, however, you communicate that mobile security is a benefit the company is providing that allows employees to better protect their personal data and mobile devices, adoption may increase exponentially.
Plus, by providing real-time user education on mobile risks and how to remediate them, users learn to safeguard their data and privacy and, in turn, improve the enterprise’s security profile at the same time. Minimizing the number of threats and stopping them before they get into the enterprise environment is the best way to manage security at the perimeter. By running automated detection and remediation mechanisms alongside that education, for the cases where employees do not remediate in a timely fashion, IT and security teams will be able to thwart mobile attacks.