Due to the explosion of smart devices, the term ‘Consumerisation of IT’ is gaining ground in the enterprise IT space. It works both ways: employees are demanding that personal devices be used for work-related purposes, and companies are proactively providing smart devices to enhance employee productivity. However, it comes with a caveat: risks from a multiplicity of mobile devices.
ISACA recently conducted a global as well as India-specific survey of IT leaders on online shopping done by employees during work hours using work-provided or personal mobile devices.
The survey helps gauge current attitudes and organisational behaviours related to risk and rewards associated with online shopping and the blurring boundaries between personal and work devices.
The study is based on October ’11 online polling of 298 IT leaders from various organisations in India. The key findings reveal that more than half of IT professionals in India (56 percent) believe that the risk resulting from employees’ use of personal mobile devices for work activities currently outweighs the benefits.
A majority of the IT leaders surveyed believe that employees’ use of personal devices for work activities exposes the company to information security risk. At the same time, almost 41 percent of respondents in India say their enterprises don’t provide security guidance.
Although the survey focused on online shopping, its findings are startling and point to a broader concern in the minds of Indian IT leaders: the risks resulting from the use of personal devices in enterprises outweigh the benefits. This is alarming when India is one of the fastest growing mobile markets in the world and the domestic mobile phone market is increasingly moving towards smartphones.
Risks Associated With BYOD
With the rising adoption of smartphones and other smart devices in India, the demand to use these devices in and for the enterprise has also been rising. However, IT leaders are still hesitant to give in because of the high risks posed by the BYOD phenomenon.
The greatest risk with BYOD is the Advanced Persistent Threat (APT). While APT has always been a risk lurking in the background, BYOD will further amplify the possibility of such attacks, as smart devices with high processing power will serve as a bridge point for hackers to gain entry into the enterprise network.
Kartik Shahani, Country Manager, RSA, explains, “APT is not a direct threat to the organisation. It actually goes through various intermediary steps before its final attack is launched. The hacker (who is a part of a larger group) knows exactly what he wants from the final customer or user. But to get to that organisation he will go through intermediate stages. One of those stages will be the mobile device.”
An obvious risk will be managing a whole gamut of smart devices with different operating systems. “The challenge is to maintain and monitor the different kinds of devices. The enterprise network is at a grave risk if the IT team fails to lay out appropriate security policies on the respective devices. The task would be to make the security tool fit into securing all kinds of smart devices,” opines Niraj Kapasi, International VP, ISACA.
Apart from the risk of device proliferation, companies will have to address the risk arising from employees’ personal use of publicly available Internet connections. These connection points are not as secure as the company’s network. Even if the device is secure while on the company’s network, what if it gets infected over a poorly secured connection?
Shahani observes, “What if the personal device is connecting to other applications and social networking sites, the same device has also got a link into the corporate network, which may not allow any of these social networking sites, etc. In such a case, the BYOD device becomes a bridge point.”
Managing Risks
The answer lies in real-time and integrated analytics where information exchange sessions are viewed as a whole and not in parts. Shahani specifies, “Real-time analytics will pick the odd sessions. During the instance of an APT attack, at that point in time, the organisation’s IT department will find an anomaly in the traffic pattern.”
He further explains with an example: if a hacker comes in with a valid ID and tries to get into an unpatched machine to access some personal information, each step may look like a routine information exchange when seen individually, as an isolated action. But the session in its entirety is a potential threat, and that is what an integrated analytics solution reveals. The simple reason is that a valid ID accessing an unpatched machine, and doing so to reach personal information, is a sign for caution. That’s how APT attacks are thwarted before they inflict any damage.
To make the process more sustainable, such incidents should also be reported in the governance, risk and compliance module, which will allow the organisation to evaluate the level of threat and take preventive action. For example, “If the incident happens once in a year, it might seem to be an aberration; however, if it happens frequently, the company will have to accordingly make suitable changes in the policies,” suggests Shahani.
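The following is an added illustration, not code from the article or from any vendor's product, of the two steps just described: correlating the weak signals of one session (valid ID, unpatched host, personal data) instead of judging each event alone, and then counting recurrences for the GRC review. The log lines, host names, resource paths and the 90-day window are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not from the article), one event per line:
# timestamp,session,user,auth,host,resource
SAMPLE_LOG = """\
2011-10-03T09:12:00,s1,alice,ok,hr-db-02,/hr/payroll
2011-10-03T09:13:10,s1,alice,ok,hr-db-02,/hr/employee_records
2011-10-03T10:40:00,s2,bob,ok,web-01,/public/index
2011-10-17T22:05:00,s3,alice,ok,hr-db-02,/hr/employee_records
2011-11-02T23:30:00,s4,alice,ok,hr-db-02,/hr/payroll
"""
# Constructed asset context; a real deployment would pull this from patch
# management and data classification rather than hard-coding it.
UNPATCHED_HOSTS = {"hr-db-02"}
SENSITIVE_PREFIXES = ("/hr/",)

def parse_log(text):
    events = []
    for line in text.strip().splitlines():
        ts, sid, user, auth, host, res = line.split(",")
        events.append({"ts": datetime.fromisoformat(ts), "session": sid,
                       "user": user, "auth_ok": auth == "ok",
                       "host": host, "resource": res})
    return events

def flag_sessions(events, unpatched=UNPATCHED_HOSTS, sensitive=SENSITIVE_PREFIXES):
    """Each signal alone is routine; only their coincidence within one session
    (valid ID + unpatched host + personal data) is flagged."""
    by_session = defaultdict(list)
    for e in events:
        by_session[e["session"]].append(e)
    flagged = []
    for sid, evs in by_session.items():
        valid_id = any(e["auth_ok"] for e in evs)
        on_unpatched = any(e["host"] in unpatched for e in evs)
        touched_pii = any(e["resource"].startswith(sensitive) for e in evs)
        if valid_id and on_unpatched and touched_pii:
            flagged.append({"session": sid, "user": evs[0]["user"],
                            "first_seen": min(e["ts"] for e in evs)})
    return flagged

def needs_policy_review(flagged, window=timedelta(days=90), threshold=2):
    """GRC step: a single hit is an aberration; repeated hits for the same
    user inside the window mean the policy itself needs changing."""
    by_user = defaultdict(list)
    for f in flagged:
        by_user[f["user"]].append(f["first_seen"])
    return {u for u, ts in by_user.items()
            if any(sum(1 for v in ts if timedelta(0) <= v - t <= window) >= threshold for t in ts)}
```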
The CISO’s office will soon be prompted to make policy changes to accommodate the implications of BYOD. “Enterprises will have to closely demarcate the rights of the company and the employee on the data and the device,” recommends Kapasi.
It also remains to be seen where the push for BYOD comes from. Many companies in the West have adopted BYOD where the real trigger came from top management. This trend has gone so far that some companies no longer supply any devices: employees are asked to buy a device of their choice and the cost (within certain limits) is reimbursed to them. The source of demand for BYOD matters because it will determine how easy or difficult it is to get approvals for risk management.