If your company has 100 employees, roughly 80 of them probably use their smartphones, tablets or laptops at work or at home for work, according to a recent survey by the Internet security company ESET.
The laptops and devices used by employees are often better and faster than the computers provided by their employers, so employers benefit from increased productivity.
But, according a number of recent surveys, the BYOD (bring your own device) trend – coupled with a general laxity over computer security – is making businesses vulnerable to security breaches.
In an international study commissioned by Websence Inc., 58% of the Canadian companies surveyed said they had experienced some form of data breach due to unsecured mobile devices.
“Most people, and that includes corporate managers, do not realize just how vulnerable they are to such things as IP theft and cyber fraud,” said Dale Jackaman, president of Amuleta Computer Security and Private Investigations.
Jackaman cites one recent case his company investigated in which a new employee brought a laptop to work and unwittingly infected the company’s network with a bot-net zombie, which finds the outgoing mail port and spews out malware through the company mail server.
The company’s email system was essentially rendered useless for six weeks, Jackaman said, because its emails became blacklisted by spam and malware filters.
The infection cost the company tens of thousands of dollars.
Canada’s privacy commission recently surveyed 1,006 Canadian businesses and found nearly one-quarter of businesses are storing company information on laptops, USB sticks or tablets – all of which are easy to steal or lose – and that 48% did not use encryption to protect the information on these devices.
The Global Study on Mobility Risks found two-thirds of respondents said they did not have a policy that addresses the acceptable or unacceptable use of mobile devices by employees.
Using personal devices like laptops or cellphones at work – or at home for work – is nothing new. People have been using cellphones and laptops in their jobs for years.
But the proliferation of smartphones and tablets has dramatically increased the use of personal devices for work.
Smartphones and tablets are also easy to steal or lose and are highly coveted by thieves, both for resale or data mining.
Another problem is the high discard rate, with people selling or throwing away their old smartphones for new ones without wiping them clean first.
Concerns over the BYOD security gap has prompted Vancouver’s Absolute Software Corp.(TSX:ABT) to develop Absolute Manage 6.1, which provides a secure management system for personal devices used on a company network. It can manage all devices, except BlackBerry, which has its own security features.
Using the Absolute system requires the employee to enrol in a management system and sign a contract that spells out what the employee and the employer can and can’t do with respect to company and personal data.
The system can clearly delineate personal functions (personal email, for example) from work functions (company email), which means the employer’s data is protected, while protecting the worker’s privacy.
“Those things should be sandboxed so the company can’t reach in and touch anything that’s my personal data,” said Stephen Broscoe, Absolute’s program management office director. “You would then be able to use your device as a compatible work and home device. Say you had a Gmail account on that device. We’d have no access to that.
“But likewise, when I have sensitive company data on my phone or on my tablet, if something should happen to my tablet, I have a remediation strategy where that can be wiped or neutralized so that doesn’t get out in the wild and provide a security breach for my company.”
Once the device is enrolled, the user doesn’t have to do anything like sign in when using the device for work or sign out when using it for personal uses.
The company’s IT department can easily manage all the devices on the network and ensure company data is secure. Without such a management system in place, Jackaman believes organizations that allow employees to access company networks with their own laptops and devices at work are just asking for trouble.
“I think any company is nuts to have such devices inside their network,” he said.
“That includes smartphones [and] laptops. The vast majority of companies are compromised without their knowledge, and hackers tend not to advertise their presence.” •
