BYOD Lax Policies, A Problem For All Firms

At the turn of the 2010s decade, companies started to realize that nothing can stop the BYOD (Bring Your Own Device) trend. Smartphones and tablets who used to be luxury items became commodities; anyone who wants one already has one. Convenient, cheap (depending on the brand/model) and easy to use, smart devices outnumber traditional laptops and desktops being used on the Internet today. More and more user-devices are used inside corporate networks, and it is something that needs careful planning and understanding of the IT team.

The horrors of securing all the make and model of mobile devices that employees use inside the corporate wifi network are understandable, a modern network uses Windows Active Directory Domain Controller to serve as a User Management system. Android and iOS are not fully compatible with it; user group policies do not apply to smart devices, as they operate as independent devices. The mobile platform is the new “territory” where cybercriminals can leverage, as the desktop OS has become mature enough to have a built-in antimalware fresh from day 1.

“Nothing is 100% secure, the challenge for those responsible for IT security is to reduce risk to an acceptable level. But our research found that approximately one third of organizations have knowingly sacrificed security for expediency or business performance. Think about that. One in three organizations that we work with, buy from, turn to for healthcare, and that govern the communities in which we live, have put speed and profit before the safety of their data—and our data. And that’s just the ones that are aware and willing to admit it. The number could be significantly higher,” explained Thomas Fox, Senior Vice President of Verizon’s Wireless Business Group, the organization which released the Mobile Security Index report.

The report covers 700 respondents from various companies, which shows a strong trend towards relaxed BYOD policies as the majority ruling when it comes to mobile devices. Even though smartphones and some tablets have encryption features, VPN compatibility and firewalls offered by their respective operating systems, only a minority takes advantage of those security features. It is difficult for firms to focus on securing the corporate internal network if devices come and go in the organizations, being privately owned by the employees, smartphones are hard to regulate once it connects to the corporate wifi.

The alternative to BYOD is a very expensive undertaking, by establishing a company-issued mobile devices program. As the devices are just being lent to employees, they have legal rights to restrict the capabilities of the device based on the interest of the issuing company. This will help limit the possibility of malware infection for the device at the expense of the convenience of the employees. Unlike the traditional desktops and laptops, smartphones (and to a lesser degree, tablets) have limited resources, hence desktop-class antimalware cannot run on such weaker hardware.

The main issue is the persistence of smart device manufacturers not serious enough to update their device’s operating systems. This is beyond the control of Google, who develops Android in private since they usually release new patches as issues are discovered and fixed. Due to smartphone vendors have profit motivations, they prefer to sell a newer device to their customers instead of updating an old device to the newest Android version.