If businesses want to ensure sensitive corporate data remains secure, then they should think long and hard before enabling employees to carry it on mobile devices – especially those that aren’t owned and managed by the company.
That’s what Dr Siraj Ahmed Shaikh, reader in cyber security and leader of the digital security and forensics research group at Coventry University, told Computing in response to a new report by identity security software firm Intercede.
The report suggests corporate data is at risk because workers either do not know what their BYOD obligations are or are simply willing to ignore them.
“By bypassing companies’ BYOD policies and not taking regulations into account when accessing sensitive data, employees are leaving the back door open to hackers. CIOs are currently in a difficult position. They either ban BYOD completely or implement long, complex passwords, which are vulnerable and unfit for use on mobile devices,” said Richard Parris, CEO of Intercede.
“The widespread apathy towards company data shown by the report highlights the need for companies to act quickly and robustly to protect their own data or risk major security incidents,” he added.
In light of the report’s key finding, Dr Shaikh said businesses should think about placing stricter restrictions on what information employees can access using their personal mobile devices, which are still widely viewed by IT leaders as a significant risk to cyber security.
“From a corporate perspective, they need to start thinking about this in terms of better control on their networks as to where the data is coming from. We may need to go back and say if your data is very valuable to you, then maybe BYOD needs to be reconsidered entirely,” he said.
Dr Shaikh explained that while data could be lost if a phone was misplaced, the technology within smartphones also leaves them vulnerable to being breached by outsiders with bad intentions.
“With mobile devices, it’s not just the mobility and the fact they’re portable and vulnerable to theft, but also the fact that Bluetooth and Wi-Fi interfaces are accessible and vulnerable to the fact that they’re nearby for anyone to try to compromise,” he said. “That probably isn’t so much of a corporate problem, but a universal problem that’s something we need to acknowledge.”
Part of the problem, Dr Shaikh told Computing, is that data protection technology on mobile devices is still not as secure as it is for desktop and laptop computers.
“Enforcement of security policies on mobile phones hasn’t really come about yet to a point where we can say it’s effective,” he said.
“On traditional machines you’d have several sign-on policies, good monitoring mechanisms, but a lot of those things are still to be developed on mobile platforms.”