BYOD: User Policy Considerations
Questions and key points companies should consider when establishing BYOD policies.
Much has been said about the security risks inherent to the BYOD (bring your own device) trend. What is often not spelled out, though, are the concrete dangers that BYOD could bring about. This lack of information on possible attack vectors makes it difficult for some organizations to convince executives and to put in place measures or tools to mitigate these risks.
On this front, I want to highlight three explicit dangers that small businesses face in the event of a stolen or misplaced smartphone, tablet device or laptop.
The fact that Wi-Fi is built into every laptop, tablet and smartphone these days means that few SMBs are untouched by the deployment of wireless networking. Small businesses, however, are almost guaranteed to rely on static passphrases to secure their wireless network, which the loss of a single device can jeopardize. To be sure, some devices try to protect passphrases by encrypting them; a PC laptop, on the other hand, will allow a logged-in user to see the passphrase by clicking on the "show characters" checkbox.
Another danger of a stolen BYOD device is the risk of email snooping from downloaded messages. While the exposure of one's email is never a tolerable state of affairs, smaller businesses are at heightened risk due to the correspondingly larger proportion of company emails that each account represents. This can allow the crafting of sophisticated phishing email messages, or the silent monitoring of new emails should the device not be promptly disassociated.
What many businesses may not realize is the number of cached or saved passwords that can be found on a smartphone or tablet. Unless passwords are quickly changed, hackers or skilled opportunists can extract these passwords and misuse them. And because the majority of users don't change their passwords, the chances are high that other unrelated systems could be compromised using a password that has been reused.
Fortunately, small businesses can protect against the above threats by implementing measures such as enforcing password protection and data encryption for portable devices. This should present enough difficulty to deter most criminals engaged in crimes of opportunity from accessing the above data.
Of course, the persistence of untethered jailbreak tools does put a huge dent in the security of iOS devices, offering hackers the opportunity to access password repositories. Ultimately, unless your SMB is prepared to only deploy a security-hardened platform such as the BlackBerry smartphone - which is hardly affordable to small businesses - SMBs will have to bear with a certain level of vulnerability with BYOD.