This document discusses the risks and benefits of BYOD (bring your own device) policies for companies. It notes that BYOD can improve productivity and reduce costs but also increases security risks if devices are not properly secured and managed. The document provides recommendations for developing a BYOD security plan including identifying risks, forming a working group, enforcing policies, implementing remote management solutions, and periodically reassessing the program. Overall, the document advocates for a balanced approach that harnesses the benefits of BYOD while mitigating risks through governance, education, and technology solutions.
2. Risky business - balancing BYOD risk with mobility
Increased productivity
Lower cost to the company
Flexibility
Technology Familiarity
Support of many different devices
No control over what is on device
Increased attack surface
Device Disparities
3. BYOD improves productivity.
• BYOD supports an average of nearly three hours of productivity gains per week.
BYOD promotes business agility.
• BYOD helps employees collaborate more quickly, efficiently and creatively.
BYOD responds to employee demand.
• Supporting users’ own devices can be a recruitment selling point.
4. Risky business - balancing BYOD risk with mobility
Security enforcement.
• BYOD creates more weak links that can be exploited both internally and externally.
• Requires significant user education and buy-in.
Management and governance.
• Without governance arrangements, BYOD can quickly run out of control.
• IT must actively collaborate across the organization to identify workable solutions.
Direct and indirect costs.
• BYOD often reduces device acquisition costs.
• It can increase direct costs associated with network infrastructure and complexity.
5. Secure foundations – 7 points to building a BYOD security plan
1. Identify the risk elements that BYOD introduces
• Measure how the risk can impact your business
• Map the risk elements to regulations
2. Form a working group to embrace BYOD and understand the risks, including:
• Business stakeholders, IT stakeholders, Information security stakeholders
3. Decide how to enforce policies for devices connecting to your network
• Mobile devices (smartphones), tablets (e.g., iPad), portable computers (laptops, netbooks, ultrabooks)
4. Build a project plan to include these capabilities:
• Remote device management
• Application control
• Data and device encryption
• Wiping devices when retired
• Revoking access to devices when the end-user relationship changes from employee to guest
6. Secure foundations – 7 points to building a BYOD security plan
5. Evaluate solutions
• Consider the impact on your existing network
• Consider how to enhance existing technologies prior to next step
6. Implement solutions
• Begin with a pilot group from each of the stakeholders' departments
• Expand pilot to departments based on your organizational criteria
• Open BYOD program to all employees
7. Periodically reassess solutions
• Include vendors and trusted advisors
• Look at roadmaps entering your next assessment period
• Consider cost-saving group plans if practical
7. In 2013 cybercriminals made use of some exceptionally sophisticated methods to infect mobile devices.
Infecting legitimate web resources helps spread mobile malware via popular websites (watering holes).
Distribution via alternative app stores: there are numerous app stores containing programs that cannot be found in Google Play.
Distribution via botnets: bots self-proliferate by sending out text messages with a malicious link to addresses in the victim’s address book.
Criminals are increasingly using obfuscation, the deliberate creation of complex code to make it difficult to analyse.
Cybercriminals are also exploiting the Android Master Key vulnerability and have learned to embed unsigned executable files in Android installation packages.
Cyber crime
9. Trend of the year: mobile banking Trojans
2013 was marked by a rapid rise in the number of Android banking Trojans.
Threats from mobile devices
10. Collects information about the smartphone (IMEI, country, service provider, operating system language).
Acquires logins and passwords to online banking accounts, and bank card information.
Extorts money from users by threatening to block the smartphone.
Monitors SMS messages and information about voice calls.
Threats from mobile devices
11. Today, the majority of banking Trojan attacks affect users in Russia and the CIS. Given the cybercriminals’ interest in user bank accounts, the activity of mobile banking Trojans is expected to grow in other countries in 2014.
Infections caused by mobile banking programs
13. Mobile spyware, such as MobileSpy and FlexiSpy, is on the rise.
In the BYOD context these spyware applications pose a huge threat because they can be installed surreptitiously on an employee’s phone and used for industrial or corporate espionage.
The mobile phone is also a fully functional network device. When connected to the company Wi-Fi, it can probe the network for vulnerabilities and assets.
Mobile Spyware, BYOD and Corporate Espionage