Dude, where’s my phone? BYOD means enterprise security exposure

You should be worried, very worried, if an employee loses a smartphone or tablet—especially if that employee accesses any enterprise resources using that device


Sally called the security desk. She can’t find her personal smartphone. Maybe she lost it. Perhaps it fell behind her sofa. Maybe she left it at a restaurant last night. Perhaps someone stole it. Or maybe she put it down somewhere this morning.

Whatever the case may be, it's not good—especially since Sally is a well-regarded and trusted mid-level manager with mobile access to many corporate applications and intranet sites that have a lot of sensitive and proprietary information.

Now what?

There are several types of dangers presented by a lost Bring Your Own Device (BYOD) smartphone or tablet, and many IT professionals and security specialists think only about some of them. They are all problematic. We’ll run through some of the scenarios in a moment, but first: Does your company have policies about lost personal devices?


If you have those policies, what are they? Does the employee know about those policies? Does the employee know how to notify the correct people in case his or her device is lost? Let’s say the employee calls the security office and says, “My personal phone is gone. I use it to access company resources, and I don’t think it was securely locked.” Does the company have all the information necessary to take all the proper actions, including the telephone number, carrier, manufacturer and model, serial number, and other characteristics? Can the company respond in an effective way? Can it respond instantly, including nights, weekends and holidays?

If not, you’ve got a real problem.

Obvious threats from a lost BYOD device

Email and Chat. If your employee has linked her smartphone’s email client to your corporate server, it’s bad if evil-doers get access to it. The same is true with other messaging platforms, including business-class systems such as Exchange, Symphony and Yammer.

On-device Data. That includes the address book or contacts database, as well as all downloaded documents set up for native app access and third-party apps such as Kindle. You don’t want a thief accessing sales presentation templates, pricing sheets or inventory reports.

Mobile Apps and Cloud Services. Salesforce mobile app? Oracle mobile app? HubSpot? Office 365? Google Docs? SharePoint? NetSuite? SAS OnDemand? Zendesk? SAP? Dropbox? Evernote? Box? If the employee uses official company-blessed applications and services and doesn’t have to authenticate each time the app is opened, the service is vulnerable to an unlocked phone.

Password-protected Websites. If the mobile browser stores passwords, or if cookies "remember" the visitor, every secure website is vulnerable, including your private business resource pages. Many organizations have such private intranet sites and have opened them up for mobile access.

Shadow IT. I mentioned Dropbox, Evernote and Google Docs above, but that was in the context of official business accounts. Shadow IT is a huge problem for those same services, as well as for a myriad of other platforms such as Google Drive and Microsoft OneDrive. Perhaps your official chats are on Slack, but some employees have been caught carrying on business-related conversations on WhatsApp Messenger and Google Hangouts.

What Can You Do?

Your IT security team can almost certainly kill company-issued smartphones and tablets once they find out they are lost. (That goes back to some earlier questions: Does the employee know how to notify, and will there be a rapid response on Saturday night?)

Personal BYOD devices? Not so much. That doesn’t absolve your security team of responsibility, however; the organization is vulnerable. It would be helpful if they could work with the employee in that situation, either coaching Sally on contacting her carrier to kill the device or perhaps making the call on her behalf.

What about application access? If the phone or tablet can’t be shut down, access to internal and hosted applications needs to be blocked as quickly as possible, either by temporarily freezing the account or forcing a password change. In both cases, that means having a solid understanding of which applications Sally has access to—and the ability to administer that account. If you don’t know Sally is on Dropbox, Salesforce or Google Docs, you are out of luck. (Don’t expect Sally to remember all the apps she’s authorized to use.)

Stored website passwords and business data stored natively on the phone: Both of those are problematic, especially if the device can’t be killed or if there’s been sufficient time that information on the phone could have been copied or backed up by potential thieves.
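The response the two paragraphs above describe (know which applications the user can reach, act on the ones you can administer, and treat on-device data as exposed once the device was unlocked or missing long enough) can be turned into a repeatable triage step. The following is an added example, not code from the article; the device registry, entitlement inventory, field names and the 24-hour threshold are all constructed assumptions.

```python
"""Lost-BYOD triage: turn a loss report into a response plan.

Added example (not from the article). Assumes a small in-house
inventory of registered devices and per-user app entitlements; the
field names, sample records and thresholds below are constructed.
"""
from dataclasses import dataclass, field

# Constructed device registry: the details the security desk must already
# hold (carrier, make/model, serial) to act quickly on a Saturday night.
DEVICE_REGISTRY = {
    "sally": {"phone": "+1-555-0100", "carrier": "ExampleCell",
              "model": "Example Phone 9", "serial": "SN-CONSTRUCTED-001"},
    "bob":   {"phone": "+1-555-0101", "carrier": "", "model": "", "serial": ""},
}

# Constructed entitlement inventory: (service, admins can act per user?).
APP_INVENTORY = {
    "sally": [("Office 365", True), ("Salesforce", True), ("Dropbox", False)],
    "bob":   [("Exchange", True)],
}

REQUIRED_DEVICE_FIELDS = ("phone", "carrier", "model", "serial")

@dataclass
class Plan:
    missing_device_info: list = field(default_factory=list)
    actions: list = field(default_factory=list)
    unmanaged: list = field(default_factory=list)
    assume_data_exposed: bool = False

def triage(user: str, hours_missing: float, locked: bool) -> Plan:
    """Build the response plan for a reported lost personal device."""
    plan = Plan()
    dev = DEVICE_REGISTRY.get(user, {})
    plan.missing_device_info = [f for f in REQUIRED_DEVICE_FIELDS if not dev.get(f)]
    # Unlocked, or unsupervised for a day (assumed threshold): treat on-device
    # data (contacts, downloaded documents, cached passwords) as already copied.
    plan.assume_data_exposed = (not locked) or hours_missing >= 24
    for service, admin_capable in APP_INVENTORY.get(user, []):
        if admin_capable:
            plan.actions.append(f"{service}: revoke mobile sessions and force password reset")
        else:
            plan.unmanaged.append(service)  # shadow IT or no per-user admin control
    if not plan.missing_device_info:
        plan.actions.append(f"carrier {dev['carrier']}: request remote kill for serial {dev['serial']}")
    return plan
```

Anything that lands in `unmanaged` or `missing_device_info` is a gap the article warns about: a service nobody can switch off for this user, or a device record too thin to call the carrier.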

It would be easy to say that BYOD is an unacceptable security risk, but in all but the most tightly regulated industries, organizations must balance productivity against risk, and security often takes second place. Banning BYOD from any business access is rarely successful, again, except in those highly regulated industries.

Words of advice

Know about your employees’ mobile devices, including the technical details. Set policies requiring employees to tell the company if a device is lost or stolen, make sure they know where to call, and make sure there is a rapid response team. Keep tabs on which official applications and services your employees can access on a mobile device, and know how to turn them off or force a password reset. Try to get a handle on shadow IT. And whenever possible, use true secure business-class services, such as Symphony, Salesforce and Office 365, that give your administrators the ability to act rapidly on potential security breaches on a per-user basis.

Good news: Sally just called. Her phone was hiding under a pile of magazines. Fortunately, she hadn't killed it yet. (If she had, that would be another problem.) Crisis averted. For now.

Copyright © 2016 IDG Communications, Inc.
