Apps pose 'primary threat' from workplace personal device use, warns ISF

“What you have on a device is a blend of business-based data and personal apps-based data. A lot of these consumer devices…were never designed to be highly secure enterprise devices”, Durbin told Infosecurity.

“I’ve been quite critical about app store providers, such as Google for instance, who are allowing anyone to put their apps up there within the store environment. They are not, in my opinion, paying sufficient duty of care to providing either resilient or safe environments for apps”, he said.

“The reality is that when you download an app, if you are not completely sure of its security, then you need to be taking a circumspect approach to its usage”, Durbin said. He stressed that infected apps will be the way a lot of malware penetrates an enterprise’s security defenses.

Durbin said that organizations could restrict the use of apps to business-related apps or develop their own app stores offering secure apps directly related to the business. “That’s fine if you are talking about enterprise-based apps, but we are talking about a device that is being used for the personal side of things and also enterprise use…. Enterprises need to be clear what they will allow”, he added.

ISF’s new report, Securing Consumer Devices, identifies malware-infected apps as one of the risks organizations face in allowing employees to use personal devices at work. Other risks include misuse of the device and its functionality and deployment of unreliable business apps.

The report recommends that enterprises put in place a strong acceptable use policy governing personal devices in the workplace.

“You need to put in place some strong guidelines for users that are both practical and make sense from a business perspective. Clearly what you don’t want to be doing is to destroy the opportunity that exists for taking advantage of consumer devices”, Durbin explained.

“The biggest challenge is how do you get the users to adhere to policies”, Durbin said. “The best way to address that is to create a framework to ensure there is consistent security assurance around the consumer device. This involves getting an understanding of the consumer device penetration within your organization, and identifying…what the requirements are for consumer devices and then producing some form of policy that sits around that”, he added.

In addition to putting strong policies in place, organizations could specify that personal devices be restricted to business applications and data if they are to be used at the workplace, Durbin said. He said that organizations should also develop user awareness and education programs for employees.

Securing personal devices in an enterprise environment “involves approaching the challenges from an eyes open standpoint, instead of pretending that the problem doesn’t exist and will go away”, Durbin concluded.
