
BYOD: Security risks and privacy concerns


Suraiya Datardina

Corporate mobile devices are inherently personal. While they are used first and foremost for work, they also hold personal information, which makes them dual purpose. This presents a challenge for enterprises that want to ensure their employees remain productive while maintaining a certain level of security and control over the devices. Another layer of complexity is added when enterprises have a BYOD policy. In this situation, the end user has more control over the day-to-day running of the device. Unfortunately, this means more risk is introduced to the platform.

Security as an afterthought in development

There is a general notion amongst businesses and end users that mobile platforms are secure. For example, there are few security tools out there for Apple devices. At the same time, there has not been a large number of impactful and long-lasting iOS security vulnerabilities exposed to the public. As a result, it is generally assumed that Apple devices aren’t vulnerable. But these devices are vulnerable, and as mobile usage grows, hackers continue to attack them.

People believe not only that device platforms are secure, but that the apps themselves are too. In reality, app developers are rushing to deliver their apps to the market, and security is often an afterthought in the process. Something as simple as an unencrypted payment method leaves users wide open to exploitation. Sensitive information such as credit card details, passwords, email addresses or phone numbers can be intercepted and stolen when apps are not using encryption. From a regulatory perspective, companies are obligated to protect credit card information. However, sometimes their apps haven’t gone through secure development processes.

The BYOD end user risk factor

Mobility has not been treated the same way that the classic endpoint has within the enterprise. Laptops and desktops have layers of defenses built from a variety of different tools. On the mobile platform, enterprises are unlikely to have invested in even one tool, let alone multiple tools to control multiple threat factors.


One threat vector that is often ignored is the user themselves. Investing in end user education is not normally something a business would do. If an individual is putting themselves or their data at risk on a BYOD device which also holds company data, they become the weak link in the chain. Companies need to be mindful of this, more so than ever with BYOD mobile devices. Individuals are using them throughout the day, in the evenings, on the weekends, and during off-hours, which makes them more vulnerable.

Individuals are often the ones who use mobile devices to get around existing security policies. There have been instances of staff tethering their mobile device when they’re in the office because they want to go to websites that are blocked on the corporate gateway. This, once again, opens up security issues for businesses.

Gaining visibility without compromising privacy

Visibility is the key to understanding how devices are being used. Knowing what types of sites are being accessed, what apps are being used, and on which connection and from where, enables mobility teams to assess the risk of each device. From there, it is easier and more effective to enforce a policy that keeps the personal and corporate data on the device secure without being unnecessarily strict or intrusive.


Both the enterprise and the end user have an interest in making sure their sensitive mobile data is secure. But end users also don’t want to feel like “Big Brother” is watching their every move on their BYOD devices. That is why a solution that protects end user privacy without compromising business-critical reporting, traffic control or device management is so important.

Data anonymization protects users in this way: specific usage information, such as which sites are visited and how much data is consumed, remains available to admins, but user details cannot be linked to a named individual.
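One way to get this property is keyed pseudonymization of usage records, shown here as an added example that is not Wandera's code or method. The record fields, function names and key are hypothetical, and the sample records are constructed.

```python
import hashlib
import hmac
from collections import defaultdict

# Constructed sample usage records (hypothetical field names, not real data).
SAMPLE_RECORDS = [
    {"user": "alice@example.com", "site": "news.example", "bytes": 1200},
    {"user": "Alice@Example.com", "site": "video.example", "bytes": 50000},
    {"user": "bob@example.com", "site": "news.example", "bytes": 300},
]


def pseudonym(user: str, key: bytes) -> str:
    """Map a user identifier to a stable token with HMAC-SHA256.

    A keyed MAC is used instead of a bare hash: without the key, an admin
    cannot rebuild the token from a list of known employee addresses.
    """
    normalized = user.strip().lower().encode("utf-8")
    return hmac.new(key, normalized, hashlib.sha256).hexdigest()[:16]


def anonymize(records, key: bytes):
    """Drop the named identity and keep only what reporting needs."""
    return [
        {"subject": pseudonym(r["user"], key), "site": r["site"], "bytes": r["bytes"]}
        for r in records
    ]


def usage_report(anon_records):
    """Per-subject totals: sites visited and data consumed."""
    totals = defaultdict(lambda: {"bytes": 0, "sites": set()})
    for r in anon_records:
        totals[r["subject"]]["bytes"] += r["bytes"]
        totals[r["subject"]]["sites"].add(r["site"])
    return {s: {"bytes": v["bytes"], "sites": sorted(v["sites"])} for s, v in totals.items()}


if __name__ == "__main__":
    # Assumption: the key lives outside the admin console (e.g. a secrets store).
    key = b"constructed-demo-key"
    for subject, row in usage_report(anonymize(SAMPLE_RECORDS, key)).items():
        print(subject, row["bytes"], row["sites"])
```

Whoever holds the key can re-link tokens to users, so the key needs separate access control; rotating it breaks linkage between reporting periods.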