The Dangers of BYOD in Small Businesses

Paul Mah

Much has been said about the security risks inherent to the BYOD (bring your own device) trend. What is seldom spelled out, though, are the specific dangers that BYOD could bring about. This lack of information on possible attack vectors makes it difficult for some organizations to convince executives and to enact measures or adopt tools to mitigate these risks.

 

On this front, I want to highlight three explicit dangers that small businesses face in the event of a stolen or misplaced smartphone, tablet device or laptop.

 

Wi-Fi Passphrases

 

The fact that Wi-Fi is built into every laptop, tablet and smartphone these days means that few SMBs are untouched by the deployment of wireless networking. Small businesses, however, are almost guaranteed to rely on static passphrases to secure their wireless network, and the loss of a single device can jeopardize them. To be sure, some devices try to protect passphrases by encrypting them; a PC laptop, on the other hand, will allow a logged-in user to see the passphrase by clicking on the "show characters" checkbox.


 

Email Snooping

 

Another danger of a stolen BYOD device is the risk of email snooping from downloaded messages. While the exposure of one's email is never a tolerable state of affairs, smaller businesses are at a heightened risk due to the correspondingly larger proportion of company emails that each account represents. This can allow the crafting of sophisticated phishing email messages, or the silent monitoring of new emails should the device not be promptly disassociated.

 

Theft of Common Passwords

 

What many businesses may not realize is the number of cached or saved passwords that can be found on a smartphone or tablet. Unless passwords are quickly changed, hackers or skilled opportunists can extract these passwords and misuse them. And because the majority of users don't change their passwords, the chances are high that other unrelated systems could be compromised using a password that has been reused.

 

Conclusion

 

Fortunately, small businesses can protect against the above threats by implementing measures such as enforcing password protection and data encryption for portable devices. This should raise the level of difficulty enough to deter most criminals engaging in crimes of opportunity from accessing the above data.

 

Of course, the persistence of untethered jailbreak tools does put a huge dent in the security of iOS devices, offering hackers the opportunity to access password repositories. Ultimately, unless your SMB is prepared to only deploy a security-hardened platform such as the BlackBerry smartphone - which is hardly affordable to small businesses - SMBs will have to bear with a certain level of vulnerability with BYOD.



May 22, 2012 5:37 AM kevin says:

A very thought-provoking post; however, I don't see the difference in security risks between a standard SMB setup (without a skilled IT dept.) that provides you with IT hardware and one that asks you to BYOD?

These days, with cloud hosting technology, there should be no real concerns about data security for SMBs. Yes, passwords are vulnerable, but we should all be making the most of things like 2-step verification as offered with Google accounts. I for one use Gmail for business use, so do my staff, and with 2-step verification enabled, I am confident we are safe and secure... Touches wood as types last comment

May 22, 2012 11:25 AM Spencer Parkinson says:

Paul, interesting that you should mention a lack of information about potential mobile attack vectors. I don't disagree at all. However, I would like to point out a recent experiment the company I work for, Symantec, did in which we intentionally lost control of 50 smartphones. We then monitored them to see what happened as they were found by strangers, especially to the information on the devices. The results were a little startling. Here's just a sampling (the full report can be read here http://bit.ly/KgXvli):

- Attempts to access a corporate email client occurred on 45 percent of the devices.

- Obviously sensitive business-related information, such as files named 'HR salaries' and 'HR Cases,' were accessed on approximately half the devices.

- A 'Saved Passwords' file was accessed on 57 percent of the phones.

All that said, the various risks associated with BYOD aren't impossible for SMBs to mitigate. In fact, with a few good mobile security policies (i.e. all corporate-connected mobile devices must be password protected, etc.) and the use of straightforward tools such as mobile device management to enforce those policies (as well as perform other management functions such as remote wipe and lock), SMB BYOD implementations can indeed be done securely.

Spencer Parkinson

Symantec
