In BYOD companies trust -- or should they?
Running a business in today’s digitally-driven world means that most, if not all, of your employees will be using their own personal mobile devices to send and receive work emails, log into the company’s intranet, post messages on the corporate Yammer account, send instant messages to one another and share files between computers and the cloud. This BYOD tendency is just a part of corporate life today and there’s no point in trying to fight it.
But just as there are pluses to having a BYOD workforce, there are also minuses. On the one hand, your employees are more productive and efficient -- they can stay on top of urgent business matters without having to physically be in the office. But on the other side of the coin are some serious risks that are often exacerbated by the fact that businesses just don’t know enough about mobile security, lack comprehensive BYOD security policies and aren’t always diligent about monitoring employee use of devices inside and outside of work.
One thing that businesses often forget is that the devices issued to employees aren’t brand new. They were previously used by other employees -- oftentimes dozens -- before they’re handed to the next employee. Because I’m a firm believer in education and awareness, I thought I’d share a few truths that every business should know about BYOD and mobile security.
Mobile device management does not equal mobile security.
Nothing lulls a business into a false sense of security faster than putting these concepts in the same category. Mobile Device Management (MDM) solutions make it easy, convenient and cost-effective for companies to manage device data remotely. This includes being able to erase data remotely should a device get lost or stolen. Unfortunately, this capability can also create a false sense of security among businesses. To illustrate this, Cambridge University researchers recently discovered that 500 to 630 million Android devices do not completely wipe data from their internal disks and SD cards during remote erasures -- which leaves the data recoverable. More frightening still, this process is equivalent to the factory reset option. The only way to entirely destroy data is with a USB connection to a computer that overwrites the data and prevents it from ever resurfacing again.
‘Containerization’ widens margin of human error.
The reality is that corporate data and personal data don’t sit in distinct silos. They overlap quite a bit and have to coexist with each other. So while OEMs have built specific platforms to accommodate their coexistence, those platforms still don’t account for human error. The fact of the matter is that employees tend to switch back and forth between corporate and personal data throughout the day. And because there is no perfect technology out there to help businesses manage this behavior, a lot of corporate data is left vulnerable to exposure. This has the potential to leave even more sensitive information on the device when it’s "wiped".
SD cards are not so secure after all.
We all use SD cards at some point or another during our workday. Maybe you need to transfer files from your work laptop to an SD card. Or perhaps you have photos from a company event on your personal smartphone that you store on the SD card to upload and share on the company’s intranet and social channels. Whatever the case, external SD cards make it easy to transfer data, but they also make it just as easy to accidentally leak sensitive information. When you think about the information that is being stored on an SD card (emails, contacts, photos, videos, files, etc.), you’d be a fool if you didn’t realize there is a lot to lose in one easily transferable place. In order to securely erase an external SD card, you need to physically remove the card and insert it into a computer. The computer can then run the software to securely erase your data.
Don’t forget about the cloud.
Everyone is excited about the cloud and all the flexibility and scalability it brings. But pre-installed data wiping software won’t stop hackers from accessing information that’s been stored in the cloud. The big companies like Apple, Google, Motorola, Microsoft and Samsung have all recently signed pledges that ensure pre-installed data wiping software will be included in all their latest devices. However, this doesn’t affect information that has already been backed up and stored in the cloud. Think about the thousands of photos and videos people take with their smartphones and tablets. If I could tell businesses one thing, it’s this -- cloud security is far from where it needs to be. Let’s not forget the huge scandal that ensued when celebrities’ cloud accounts were hacked and nude photos were leaked.
What’s that you sync?
As you sync, your devices might be automatically transferring files without your knowledge. Do you charge your phone on your work computer? Or maybe you charge your work phone on your personal computer. Either way, once you are connected, most devices will automatically sync without hesitating. The trick here is to be aware of what files may have accidentally been transferred and keep them separated so they cannot later be hacked or extracted.
For better or worse, personal data is often shared unknowingly.
Factory resets -- we’ve all heard this term. It’s what your mobile carrier often tells you to do before you trade in your old device for a new one. But it’s just not that simple. Factory resets don’t completely erase all of the data from your devices. With a quick search online and less than $100, anyone could recover your information. Employers also need to keep device malfunctions in mind. When devices go haywire -- be it a battery meltdown, frozen/crashed apps or something else -- employees will take them to their mobile carriers or the device manufacturers to get checked and repaired, and in the meantime, use a loaner phone. When turned in, loaner phones will undergo a factory reset; however, because a reset does not completely erase the data, it is entirely possible for companies to expose their data this way.
Pat Clawson was named Chief Executive Officer of Blancco Technology Group in January 2015, bringing more than 20 years of experience in technology and IT security. Most recently, he served as Chairman and Chief Executive Officer of Lumension Security, Inc., where he successfully led the business to strong revenue growth and profitability. In addition to successfully launching new technologies into the marketplace and guiding four businesses through acquisitions, Clawson has also established himself as an IT security pundit within the media. His insights have been featured in many of the world’s most influential news publications, including WSJ, CNN, CNET, Washington Post, USA Today, Forbes, CIO and Infosecurity Magazine, just to name a few.