The consumerisation of corporate IT, fuelled by a blurring of the lines between personal and work-related devices, could pose one of the most significant challenges to face information security professionals for some time.
In its wake, many corporates have relaxed their previously staunch opposition to letting staff use their own personal smartphones and tablets. However, in a growing number of organisations, existing ‘bring your own device’ (BYOD) strategies are leaving critical systems and confidential information exposed to data loss, malware, hackers and espionage.
As some employers have found to their cost, conducting internal investigations or responding to subpoenas can run into complicated legal issues when the device is not owned by the company and contains both personal and corporate data.
Against the backdrop where usability, design and functionality have been pushed to the fore at the expense of corporate-grade security, what options are available to address such threats?
The most important issue is the clear separation of personal and corporate data and usage. As a major sports club found to its cost, a lack of clarity on this separation can cause both data protection and access issues. The club had originally issued a full set of IT devices to key staff, but also allowed individuals to use personal computers and devices for work.
A senior member of the club's management opted to work exclusively on his personal devices, which meant data was only backed up to the corporate network on a sporadic basis. However, when he left the club, it quickly became clear that up to date copies of confidential and important files were missing.
With the individual objecting to his personal devices being reviewed by his former employer, it was left to external forensic specialists to unearth the data. This failed implementation of a BYOD policy could have had serious data protection and reputational consequences for the club: significant caches of confidential data, including medical records of players, were found on the devices.
Direct action was the approach adopted by another employer, when it became clear its BYOD policy had failed to protect confidential information. Following the resignation of a member of staff who had been working on a very sensitive project, an initial attempt had been made to delete the relevant data.
When the employer was denied access to the device, the only remaining option in its view was to use its own servers, with which the phone was still communicating, to execute a remote wipe. That wipe erased the device as a whole rather than only the corporate data, so the former employee lost much of his personal data and made a claim against the company for its destruction.
BYOD smartphones are rapidly becoming a potential exfiltration point of data when employees leave. Frequently, employers are unable to gain access for review and reassure themselves that corporate data stayed within their control.
A more easily managed strategy is to issue each member of staff with a dedicated corporate device where usage can be restricted to work-related tasks, whereas a BYOD strategy can see companies lose control over what software is installed and how it is used.
The sheer diversity of devices that can come into play in a BYOD environment can also make it difficult to manage software updates and support effectively, which could increase the risk of data breach.
With employee-owned devices, individuals often add their own content, access whatever websites they want and even allow others, for example their children, to use the device. In practice, a lack of clear boundaries could see staff unwittingly infecting the device with malware or exposing confidential data, either of which could leave an open door to corporate systems.
Visiting some websites can introduce viruses, and having personal and corporate email on the same device means some messages will never pass through the corporate virus scan. Some software applications can introduce vulnerabilities of their own, and because these fall beyond the reach of the IT department in a BYOD environment, employers are unable to mitigate the risks effectively.
If implementing a BYOD environment, organisations must take active steps to isolate corporate usage on such devices. Purpose-specific secure software, which allows access to corporate systems over an encrypted channel, can be preferable to approving generic apps for corporate use. However, this approach is not without cost as it can make devices less integrated and, in some eyes, less user friendly.
The implementation of an actively managed BYOD policy must be used as a trigger for a wider mobile computing review. Repeated failures by both private and public sector organisations to protect sensitive data on laptops and mobile storage have drawn heightened interest from the Information Commissioner.
A key challenge for organisations across all sectors is to ensure the BYOD policy does not become a gateway to sensitive data, offered in one convenient package, for competitors or criminals to target.
Spencer Lynch is director of digital forensics in the UK with Stroz Friedberg