BYOD Programs Leave Several Security Holes Open

Just 21 percent of more than 1,100 IT security practitioners said their organizations have fully implemented BYOD policies, processes and infrastructure, according to a Vectra survey.

BYOD and mobile security

Users bringing downloaded apps or content with embedded security exploits into their organization, as well as malware infections, are top bring-your-own-device (BYOD) security concerns, according to a report from Vectra Networks.

The second edition study, independently conducted by the Information Security Community on LinkedIn, collected responses from more than 1,100 IT security practitioners, finding 60 percent of respondents believe malware protection is a requirement for mobile security.

Among all mobile devices considered for BYOD (including smartphones, tablets and laptops), Apple’s iOS is still the dominant mobile platform with 76 percent, while RIM (40 percent) declined in popularity compared to last year and Android (69 percent) and Windows (66 percent) made gains.

Just 21 percent of their organizations said they have fully implemented BYOD policies, processes and infrastructure, and less than one-quarter (24 percent) of respondents' organizations have no mobile device policy.

In addition, 21 percent of respondents said that privately owned devices are widely in use in their organizations, but are not supported within their organizations.

The most common risk control measures for mobile devices were password protection (67 percent), followed by remote wiping of data (52 percent) and use of encryption (43 percent).

"Mobile and BYOD devices are used inside and outside an organization's firewall. When used outside, they are exposed to exploits designed to attack vulnerabilities in operating systems, applications and browsers," Mike Banic, vice president of marketing at Vectra," told eWEEK. "Exposure outside the firewall means that these devices could be infected with malware that will lead to a botnet or targeted attacks, and then carried into the organization and be undetected by their security systems."

The most popular tool to monitor and manage mobile devices was mobile device management (MDM), in use at 43 percent of respondents’ organizations, followed by endpoint security tools (39 percent) and network access controls (38 percent).

"While MDM may be an important part of a BYOD program, it doesn’t protect your organization from the threat of malware, making network analysis an even more important solution to evaluate," Banic said. "With today’s advanced attacks and malware, organizations are realizing that they need advanced threat detection solutions to solve their biggest BYOD security challenges, which is malware detection."

When it comes to sensitive data and intellectual property being accessed over BYOD, respondents were most concerned with protecting business data (74 percent), customer and employee data (69 percent) and documents (66 percent).

Accessing email, calendar and contacts was the most popular usage for BYOD devices (86 percent), but the survey indicated other business apps and data are also being routinely accessed by BYOD devices.

For example, document access and editing apps are used 45 percent of the time, while Sharepoint and Intranet access happens 41 percent of the time and apps for file sharing and company-built applications are accessed 34 percent of the time.

Banic noted one way to detect the presence of malware on mobile and BYOD devices is with security that sits in the network and listens to traffic to detect anomalies that indicate a phase of an attack such as an opportunistic attack like ad-click fraud or a targeted attack such as reconnaissance.