By now, most people have accepted that Bring Your Own Device (BYOD) is here to stay. What some considered a short-lived trend, or something that other companies allowed, has now largely become the standard for most businesses, as employees fully expect to be able to use their own mobile devices for work.
Obviously, this has created some security challenges for in-house security teams, who have been tasked with protecting corporate networks while still allowing dozens of devices to access those networks from just about anywhere. Most of the security chatter related to BYOD up until now has been focused on “what ifs”: What if a device falls into the wrong hands? What if someone intercepts a transmission from the device to our network? What if the user downloads a malicious app that causes a data breach?
According to new research from Gartner, that last issue may be the one that companies need to be the most concerned about. Based on a new study released in June, Gartner predicts that by 2017, more than 75 percent of all mobile security breaches will stem from misconfiguration by users, and not targeted attacks on a specific company or person. Misconfiguration, according to Gartner, can include everything from downloading apps from sources other than official app stores (like Google Play or iTunes) to jailbreaking or rooting devices. Gartner also noted that using consumer-level apps (like Dropbox) to send and receive business data also presents a significant risk in the BYOD landscape.
So what are corporate security teams to do? Clearly, BYOD is not going away, but user behavior — intentional or not — presents a significant risk to corporate networks and data. The answer lies in a strict mobile device management program that includes a number of facets, including multi-factor authentication.
Preventing Security Breaches in a BYOD World
Since the majority of employees at most organizations are using their own mobile devices for work, security teams are scrambling to find solutions that maintain the flexibility and convenience of BYOD while still protecting sensitive networks. After all, a security tactic is only good if it is usable; if users seek workarounds or ignore the protocols, it’s likely to create even greater risks.
Most companies with BYOD policies have already implemented certain policies in order to prevent breaches. These policies address many of the problems associated with user misconfiguration, and include:
- Prohibitions on jailbroken or rooted devices
- Prohibitions on using unapproved third-party applications
- Opting in to a mobile device management program, which includes the capability to remotely lock or wipe a device if it exhibits certain characteristics (e.g., too many failed logins)
- Installation of antivirus/antimalware protection
However, experts note that it’s important to include multi-factor authentication in your mobile security plan as well. One survey predicts that by 2016, 33 percent of companies will include two-factor authentication solutions in their mobile device management plans. This is largely in response to the fact that traditional enterprise security measures are simply not enough in the mobile environment; most traditional measures were developed to meet security needs within a specific perimeter, but in the mobile environment, that perimeter no longer exists.
That is why mobile security requires additional precautions. However, there are some challenges associated with 2FA in the mobile environment. In many organizations, the mobile device is itself one of the two factors used for authentication; for example, in addition to entering a password, the user must enter a one-time code sent via text message to gain access to corporate networks. In this sense, the mobile device satisfies the “something you have” requirement of two-factor authentication.
Clearly, sending a single-use code to the same mobile device that is attempting to access the network is counterproductive, because whoever holds the device holds both factors, so companies have been looking for other ways to implement two-factor authentication. One solution is to enforce strict password rules for unlocking the device, and then use two-factor authentication to access the corporate asset once the phone is unlocked. Biometrics, image-based authentication and card- or token-based solutions are also potential options for controlling access to mobile devices.
BYOD has significant benefits in terms of employee satisfaction and productivity. While it does present some security risks, with a comprehensive security plan that includes strict rules regarding which devices can be used and how, as well as protocols such as two-factor authentication, those risks are lessened considerably.