Bring your own device, lose your employer’s secrets

Just sending one last email from the bar … before my phone gets nicked. Photo: philcampbell

A survey of 2,500 British adults has revealed 27% have had up to three devices containing sensitive work-related data stolen or have lost them. Of these, 52% admitted that they were out drinking when it happened.

These are far from the first revelations about the culture of carelessness that poses security threats to UK businesses, and they won’t be the last. The issue is real, as more and more employees use mobile phones for work or bring their own laptops and tablets to the office.

According to a Juniper Networks report, 76% of mobile users depend on mobile devices to access their most sensitive personal information, such as online banking or personal medical information. But even more use their mobiles for work purposes, with 89% accessing sensitive work-related information on their devices.

It is well known that the weakest link in any IT security chain is the user, which makes the Bring Your Own Device trend particularly difficult to navigate. Companies want staff to be plugged in but can’t necessarily trust them not to lose the devices they need to do this.

Worse still, users generally assume everything will work just as it should, relying on a device’s default settings without referring to complex technical manuals to secure them. The research conducted by Trend Micro and Goldsmiths, University of London revealed 57% of smartphone users do not use a password to secure their devices, which makes them an easy target for cyber-criminals.

Rocky start for BYOD

There is always a trade-off between security and access, and we appear to have struggled to strike this balance effectively since BYOD exploded.

Businesses can try to get staff to use passwords through security policies, but those policies cannot afford to be over-complex or they become counterproductive. In our research, we have heard many stories about strict security policies that require employees to use passwords of more than 10 characters, mixing numbers and letters, and to change that password every three months. As a result, employees struggle to remember their passwords. They end up just writing them down on a Post-it note and sticking it next to their keyboard – which is about as secure as shouting out your company’s latest sales figures on the bus on your way to work.

As an alternative, at GCU we’re investigating the possibility of having the smartphone implicitly recognise the phone owner, without requiring the owner to always enter a PIN or password. We’re using behavioural information available on today’s phones through the multitude of sensors that measure light, noise and position of the phone to experiment with what’s possible.

If a person follows their normal pattern of travelling to and from work, for example, the phone could automatically recognise them by logging this information. The phone could adapt to small changes in environment and require different levels of security from the user to unlock the information it contains.
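The adaptive-unlock idea described above can be illustrated with a small risk-scoring policy. The following is an added example and not code from the GCU research; the owner profile, sensor readings, weights and thresholds are all constructed assumptions chosen to show the mechanism. It compares the phone's current context (time of day, position, ambient light, noise) against a learned routine, turns the deviation into a risk score, and maps that score to the strength of authentication the phone should demand.

```python
"""Context-aware unlock policy (illustrative, assumptions throughout).

Derive a risk score from the phone's sensor context and choose how much
authentication to demand: none while the routine matches, a PIN for mild
deviations, a password plus second factor when nothing is familiar.
"""
from dataclasses import dataclass
import math


@dataclass(frozen=True)
class Context:
    hour: float        # local time as decimal hours, e.g. 8.5 == 08:30
    lat: float
    lon: float
    light_lux: float   # ambient light sensor reading
    noise_db: float    # microphone level


@dataclass(frozen=True)
class Place:
    name: str
    lat: float
    lon: float
    hours: tuple       # (start, end) decimal hours the owner is usually there
    light_lux: float   # typical ambient light there
    noise_db: float    # typical noise level there


# Constructed owner profile (hypothetical baseline, not real data).
# The home window (18:00 -> 08:00) wraps past midnight.
BASELINE = (
    Place("home", 55.8700, -4.2900, (18.0, 8.0), 120.0, 35.0),
    Place("office", 55.8660, -4.2500, (8.0, 18.0), 400.0, 50.0),
)

# Assumed weights: location dominates, timing next, light and noise last.
W_LOCATION, W_TIMING, W_LIGHT, W_NOISE = 0.5, 0.25, 0.125, 0.125
FULL_PENALTY_KM = 2.0   # beyond this distance the location term saturates
NOISE_SCALE_DB = 30.0   # noise deviation that counts as fully unfamiliar


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two lat/lon points in kilometres."""
    r = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def in_window(hour, window):
    """True if hour falls inside window; handles windows that wrap midnight."""
    start, end = window
    if start <= end:
        return start <= hour <= end
    return hour >= start or hour <= end


def risk_score(ctx):
    """0.0 = context matches the routine exactly, 1.0 = nothing is familiar.

    Scores the context against every known place and keeps the best match,
    so being at the office at an odd hour is less suspicious than being in
    an unknown city at an odd hour.
    """
    best = 1.0
    for place in BASELINE:
        dist = haversine_km(ctx.lat, ctx.lon, place.lat, place.lon)
        location = min(dist / FULL_PENALTY_KM, 1.0)
        timing = 0.0 if in_window(ctx.hour, place.hours) else 1.0
        light = min(abs(ctx.light_lux - place.light_lux) / max(place.light_lux, 1.0), 1.0)
        noise = min(abs(ctx.noise_db - place.noise_db) / NOISE_SCALE_DB, 1.0)
        score = (W_LOCATION * location + W_TIMING * timing
                 + W_LIGHT * light + W_NOISE * noise)
        best = min(best, score)
    return best


def required_auth(score):
    """Map a risk score to the authentication level the phone should demand."""
    if score < 0.2:
        return "implicit"                     # routine matches: no prompt
    if score < 0.6:
        return "pin"                          # mild deviation: cheap challenge
    return "password_and_second_factor"       # unfamiliar: strongest challenge


# Constructed sample contexts.
OFFICE_MORNING = Context(10.0, 55.8661, -4.2502, 380.0, 52.0)   # normal workday
OFFICE_LATE = Context(23.0, 55.8661, -4.2502, 40.0, 30.0)       # right place, odd hour
UNKNOWN_BAR_2AM = Context(2.0, 51.5074, -0.1278, 15.0, 85.0)    # far away, dark, loud

if __name__ == "__main__":
    for name, ctx in [("office morning", OFFICE_MORNING),
                      ("office late", OFFICE_LATE),
                      ("unknown bar 2am", UNKNOWN_BAR_2AM)]:
        s = risk_score(ctx)
        print(f"{name:16s} risk={s:.2f} -> {required_auth(s)}")
```

A real implementation would learn the baseline from the owner's history rather than hard-code it, and would treat the sensor readings as an addition to, not a replacement for, a normal lock: a stolen phone carried along the owner's commute route still deserves a challenge, which is why the location term alone can never push the score all the way to zero when light and noise disagree.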

Make employees feel the consequences

To tackle the problem of careless data handling, we first need to educate the people who are guilty of it. Employees need to be made aware of the importance of protecting sensitive information, especially on their work devices.

Unfortunately, introducing penalties for those who lose work devices appears to be needed. The Trend Micro research shows that only 11% of those surveyed lost their personal smartphone device but that 27% lost work devices. Almost half were concerned about losing personal data, such as photos or bank details, but only 3% were worried about losing work information.

This implies that less care is taken over a device that doesn’t actually belong to you. Perhaps if there were a little incentive to take better care of it, these figures might be somewhat different. Clearly better security policies are needed, but these need to be implemented with good discipline.

For their part, IT departments should build more rigorous security into work devices, such as strong passwords and data encryption. They should also fall back on mobile device management (MDM) when a device is lost, which allows them to wipe the data stored on it remotely.

Be paranoid with Android

Android has emerged as the riskiest mobile platform and is perhaps not the best option for work devices as a result. Google, which develops Android, relies on its “open security” strategy to offer a wide variety of apps to users, thus gaining market share against rivals Apple and Microsoft. As a result, the Android application publishing process is very easy for developers to use, but that also leaves too much room for malicious developers to produce apps that steal your data.

Android currently has more malware than other mobile operating systems such as Windows Mobile, BlackBerry and Apple’s iOS. IT departments should consider this factor carefully when choosing a standard platform for employees’ work devices.

Service content providers and hardware vendors need to be aware of their responsibilities in maintaining network security and content management on the devices they provide. Service providers might also wise up to the business opportunities presented by offering add-on security services to compensate for the weaknesses of the devices. After all, businesses must be willing to pay to protect their information when it gets taken to the pub in the pockets of their employees every Friday.

BYOD has made it possible for employees to work on the go, access vital information for meetings out of the office and maintain contact with the boss at all times. It has quickly become an important part of everyday working life and there is no going back. We have failed to adequately adapt to this new way of working so far, but it’s not too late to catch up.
