by Ross Dyer
Bring Your Own Device (BYOD) has for the past few years been both a cause of sleepless nights for security bosses and a major flash point between the business and IT. To that we can now add wearable technology – smart watches, fitness trackers, head-mounted displays and the like which threaten to leak corporate data and expand the enterprise risk surface even further. IT consumerisation took another hit this month when new research revealed that some of the most popular apps in the world have password brute force vulnerabilities, exposing as many as 600 million Android and iOS users.
Of course, when it comes to BYOD and consumerisation, threats affecting personal devices can present major risks to corporate security too. This is why we regard consumerisation as one of the key pillars of cyber security strategy.
The research in question pointed out what many people have known for some time: developers are more concerned about rushing products out to market than making sure they’re as secure as possible. The disappointing thing about AppBugs’ findings is that many of the apps tested were from popular brands which should have known better. And even when contacted, few appeared to have fixed an issue which gives hackers an unlimited number of tries to guess the password. The researchers estimated most of the 53% of apps affected by the vulnerability could be cracked within 24 days.
Now there might not be any significant or immediate threat to corporate data if a hacker gets into an employee’s Soundcloud or Expedia app. This research is more a worrying reflection on the little heed paid to security generally in the mobile world. And this becomes more serious to IT managers when the same mobile device is used for business and leisure: because more often than not there’s no air gap between the two.
Internet of Threats
Wearable tech, on the other hand, has yet to fully infiltrate the enterprise, but it’s on its way. Trend Micro research earlier this year found that 79% of European and Middle Eastern IT professionals have seen increasing numbers of staff bring wearables into the workplace. On the plus side, there is recognition of the potential security risks, with over half admitting they’d need to restrict what kind of data can be captured by such devices. A further 90% said security policies would need to change to take account of them.
IT professionals are right to be concerned. There’s not just the risk of devices syncing and downloading corporate data, but also of user location data being used in social engineering attacks, or even to carry out physical crimes against employees. Device mounted cameras could also be hijacked to spy on board room meetings.
A few best practice tips
So what’s the answer? Well, no organisation is the same – either in terms of adoption of IT consumerisation, or in their risk profile. However, here are a few ideas on where to start:
- Declare a company-wide amnesty to discover who’s bringing what to work, and which devices are accessing corporate data
- Do your research on these devices, operating systems and apps. Work out what is acceptable and what isn’t according to your corporate risk profile
- Consider app whitelisting to limit the risk of malware/adware downloads
- Draw up and enforce an IoT/BYOD policy. Any device which doesn’t meet the requirements can’t join the network
- Consider Mobile Device Management for secure management of devices. It could include encryption, compulsory password lock screen, remote wipe, centralised management and patching, etc
- Mobile device security tools can help minimise risk of infection
- Adapt staff security training and awareness programs to educate users about BYOD/IoT risks