While the use of personal mobile devices improves productivity in the workplace, there is a growing concern among IT administrators about the security risks associated with their use, Wang argues in her report "Managing the Security and Risk Challenges of Personal Devices in the Workplace".
“The number one security risk that every always talks about is data protection”, Wang told Infosecurity. “If employees are accessing sensitive data from mobile devices, especially from personal devices, there is a question about how much control you should have on those devices for data protection”, she added.
In the report, Wang identified four major data security risks from the use of personal mobile devices in the workplace. First, there is a risk of device theft or loss. “From the corporate perspective, device loss could lead to data compromises if sensitive data lives on the device”, the report said.
Second, the mobility and portability of the devices increase the threats to data protection. “To defend against casual data access, you can implement PIN-based entry and device lock. To protect against active attacks, you will need measures like full disk or file encryption”, the report argued.
Third, employees could use personal mobile devices to carry out malicious insider attacks. “If you are concerned with employee misuse or malicious insider threats, encryption alone does not do the job. You need to actively restrict data manipulation operations like cut-and-paste and control which mobile apps can handle the corporate data”, Wang argued in the report.
Fourth, data-stealing malware is increasingly attacking mobile devices. “These malware attacks have the ability to root the device and therefore bypass all local security measures. Personal devices that have the freedom to download any apps are a ripe source for infection”, the report warned.
“When employees bring in personal devices, they may not conform to the company’s security standards. When that happens, the IT department is left with two choices. They can either demand that the employees’ devices conform to those standards, or they take the risk of having nonconforming devices in the environment. Those risks are often unknown”, she told Infosecurity.
Wang recommends that enterprises take a number of steps to reduce the risks posed by mobile devices in the workplace. “The first thing you need to do is have a policy governing the use and operation of these personal devices in your enterprise network. This policy should demand that the owner of the device take on certain responsibilities in safeguarding the corporate information on the devices, as well as keeping the device in a reasonable state regarding security”, she said.
In addition, enterprises should perform a risk/benefit analysis. “Are the risks posed by these mobile devices reasonable enough for you to tolerate. And what sorts of enterprise applications and resources will you allow the device to access”, she added.
Finally, enterprises need to decide whether deployment of additional technologies are needed to secure these devices “in order to meet your security goals and policies”, she concluded.