WHITE PAPER
BRING YOUR OWN DEVICE
Are all of your employees applying all security updates to all of their devices?
BYOD refers to the policy of allowing employees to use their preferred laptops, tablets and smartphones for both private and corporate use. Employees are therefore able to access a plethora of non-corporate applications and communicate via cloud-based personal email accounts, social media networks and instant messaging; as well as connect to the corporate network.
A study by Cisco concluded that “By 2014, the average number of connected devices per knowledge worker will reach 3.3, up from an average of 2.8 in 2012.” (2)
With new technologies rapidly appearing within the consumer sphere – and a growing cultural need for a work-life balance – employees are now entering the workplace with expectations of using their own devices. Some are even willing to sidestep security requirements in order to do so.
A global survey on the behavior of ‘first generation’ BYOD users and the challenges for corporate IT systems revealed that:
• Private employee communication via social media networks and SMS are seeping into work day activities, with 35% and 47% of respondents respectively not being able to go a day without accessing these resources.
• “More than 1-in-3 employees would contravene a company’s security policy that forbids them to use their personal devices at work or for work purposes.” - Fortinet 2012 (3)
Consumer behavior is reshaping corporate IT
A new technology age has dawned – commonly referred to as the consumerization of IT. Bring Your Own Device (BYOD) is the trend that is driving this evolution and it is moving like a speeding train through global corporate culture. In fact, 83% of businesses have entered the world of BYOD. (1)
While organizations are recognizing that BYOD is a necessity due to the benefits it brings in terms of employee flexibility, productivity levels, job satisfaction, staff retention and return on investment, there is a notable downside to such freedom.
The danger is that with BYOD, employee-owned devices are largely unmanaged – and the security state of them is obscured – as IT teams have to relinquish some of their control to end-users who are not IT experts.
The simple truth is that many organizations do not have the full picture of how much corporate data exists in the cloud and if it is appropriately safeguarded. This ultimately creates a huge security risk.
“The influx of computing devices, from laptops to smartphones and tablets, into the workplace might bring convenience and increased productivity to individual employees. However, this bring-your-own-device (BYOD) trend also surfaces a range of security risks and challenges in terms of securing corporate networks and data, mobile device management, and having granular security policies.” - ZDNet, 2013 (4)
Freedom versus Security
[Infographic: survey figures of 14%, 4%, 4% and 9% for, respectively listed, the share of large organisations that had a security or data breach in the last year relating to social networking sites; the share that had one involving smartphones or tablets; the share of respondents that had one relating to one of their cloud computing services; and the share of the worst security breaches that were due to portable media bypassing defences.]
No organization or individual is immune to the risks, or the financial implications. Naturally, the financial cost of cybercrime will vary from sector to sector and according to company size. However, a sample study involving a cross-section of 56 U.S. organizations revealed some interesting insights: the average annualized cost of cybercrime for this sample group in 2012 was nearly $9 million – a considerable amount by anyone’s standards.(6)
Thousands of new applications (‘apps’) for smart devices are introduced to the market every day, with many unseen and unapproved apps systematically slipping through the net into forbidden corporate territory.
“The greatest rise in IT security risk is occurring across mobile devices and third-party applications… The risks caused by mobile devices such as smart phones and removable media and vulnerabilities in third-party applications have gained significantly since 2010.” - Ponemon Institute, 2012 (7)
Vulnerable software on endpoints is one of the most popular attack vectors with hackers. This is because the method of exploiting vulnerabilities creates the doorways into corporate networks – and the valuable data stored within. Just one insecure app that is left undetected and unremediated has the potential to poison your entire IT infrastructure. For example, there have been cases of undetected apps streaming information to external servers for months before detection.
Bring Your Own…Vulnerability
All CISOs should be worried about the BYOD trend. In the last year alone, multi-sector companies ranging from government agencies and iconic brands to Internet start-ups and financial institutions were all impacted by data security breaches. (5)
Here are some facts:
• Unknown third-party access via mobile apps is identified as one of the top five threats faced by companies in the BYOD era. (4)
• According to Gartner, users regularly play games, check personal e-mails and run Apple iTunes or Windows Media Player on their work computers. (1)
• In 2012, 243 vulnerabilities were discovered in Apple iTunes alone. (8)
• 739 vulnerabilities were discovered in the top five most popular browsers in 2012; an increase of 17% since 2011. (8)
• Cybercriminals are increasingly targeting mobile devices, such as the Android platform which represents 80% of the global smartphone OS market. (9)
• An industry report highlighted that corporate board members were particularly vulnerable to cyber-attacks because:
1. 75% stored sensitive information on personal mobile devices,
2. 79% stored sensitive information on home computers and
3. 73% sent documents from their personal e-mail addresses. (10)
If apps are deployed in an unmanaged and fragmented way, they can cause serious consequences on both corporate and employee levels:
• Theft and exposure of confidential data
• Financial losses
• Extensive downtime
• Reduced productivity levels
• Identity fraud
• Hijacked corporate communication (e.g. Twitter, Facebook, etc.)
• Damage to brand image and reputation
Do you have an overview of what apps your employees are downloading and how secure they are? What about the apps already installed on their devices?
Security updates issued by software vendors (commonly referred to as ‘patches’), remediate the root cause of vulnerabilities and thereby neutralize a large number of attack vectors. (11)
However, the main barriers to patching are:
• The sheer complexity of the process.
• Inadequate Patch Management routines and resources.
• Updating software for security reasons is not considered a priority for private users.
• How to know what programs to patch.
A snapshot of a typical private PC in the U.S., for example, paints a worrying picture. Secunia’s Country Reports (12) analyzing the amount of insecure software present on private PCs in various countries show that:
• 52% of U.S. PC users who had Java 7 with known vulnerabilities installed hadn’t patched it even though a patch was available.
• 13.9% of U.S. users had an unpatched Operating System.
• 61% of U.S. users had Apple QuickTime 7 installed on their PC. 42% hadn’t patched it.
The reality is that a device like this could be logging on to your corporate network right now.
It’s not the Microsoft programs you should worry about
There is a general assumption that you only need to update Microsoft programs to stay secure. This is a myth and an extremely misguided approach.
Why?
Secunia’s Vulnerability Review for 2013 (8) revealed that 86% of vulnerabilities in the top 50 most popular programs in 2012 affected non-Microsoft programs. In addition to this, an average PC user (13) typically has 73 programs from 24 different vendors installed on their system: 26 (36%) of these are from Microsoft and the remaining 47 (64%) are non-Microsoft programs. If only the Microsoft programs are patched, this leaves 47 unmonitored programs floating around on the system; programs that could be insecure.
Non-Microsoft programs/apps are undoubtedly where the danger lies. Tackling these attack vectors is a major challenge for any user or IT team to address without the right knowledge and tools in place.
However, this is just the PC perspective of BYOD. Another important element to address is mobile devices.
Attack vectors: the endpoint perspective
To address the issue of BYOD and security, you must firstly look at the threat that insecure endpoints (both private and corporate) pose to your organization’s security. The combination of private users who do not update their software and the proportion of the workforce bringing their own device to work is a risk-filled dilemma to address.
“Imposing security apps on employees’ mobile devices is a “headache” since the software requires constant updates and are easy to circumvent… The user can simply uninstall the app if they dislike it. Worst of all, these apps impact device performance and degrade user experience by stretching the already limited processor and memory resources on the mobile device.” - ZDNet, 2013 (4)
Without a BYOD policy, your organization must be prepared for a greater exposure to threats and attacks, despite the best efforts of your IT team. The interrelationship between the BYOD trend and vulnerable software on endpoints is unquestionable – if this bond is broken, it can allow end-user behavior to determine your organization’s security posture. In contrast to this, implementing and embracing a successful BYOD policy organization-wide enables your company to reap the benefits of the trend as well as successfully handle the associated IT challenges, mitigate the organizational risks and secure your business. Here are some reasons why endpoint security should form the foundation stone of your organization’s BYOD strategy:
• A central component of Enterprise Mobility Management (EMM) – the industry term for the process of managing BYOD challenges – is the control of apps on endpoints: Application Management. (14)
• “Ignoring apps” is listed as “Mistake #1” in Forbes’ article on developing a best practice BYOD strategy. (15)
• Vulnerability assessment is considered one of the most valuable approaches for meeting organizations’ IT risk mitigation requirements. (7)
• “Through 2015, 80% of successful attacks will exploit well-known vulnerabilities and be detectable via security monitoring.” - Gartner, 2012 (16)
To protect endpoints that are connected to the corporate IT infrastructure from the root cause of security issues (vulnerabilities in software), it is necessary to have visibility of the entire software portfolio at all times and be able to prioritize and patch the vulnerable programs. Vulnerability Intelligence and Patch Management tools are therefore critical elements for any best practice BYOD strategy and vulnerability remediation plan.
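The steps just described (inventory the whole software portfolio, match it against vulnerability intelligence, then prioritize what to patch) can be illustrated in a few dozen lines. The example below is added here for illustration; it is not Secunia code and does not reproduce the logic of any Secunia product. The inventory, the advisory feed, every version number and severity, and the “Example Browser” entry are constructed placeholders. It also shows the case the paper’s patching advice cannot cover directly: a vulnerability that is disclosed but for which the vendor has not yet shipped a fix, which needs a compensating control rather than a patch.

```python
"""Patch prioritisation over a mixed (Microsoft / non-Microsoft) inventory.

Added example for this white paper; not Secunia code and not the logic of any
Secunia product. INVENTORY and ADVISORIES are constructed sample data: the
version numbers, severities and the 'Example Browser' entry are placeholders.
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Installed:
    name: str
    vendor: str
    version: str


@dataclass(frozen=True)
class Advisory:
    name: str            # program the advisory applies to
    fixed_in: str        # first version that carries the vendor fix
    severity: int        # 1 (low) .. 5 (critical)
    patch_available: bool


# Constructed inventory of one endpoint (versions are made up for the example).
INVENTORY = [
    Installed("Oracle Java 7", "Oracle", "7.0.25"),
    Installed("Apple QuickTime 7", "Apple", "7.7.3"),
    Installed("Apple iTunes", "Apple", "11.0.2"),
    Installed("Microsoft Office", "Microsoft", "14.0.7"),
    Installed("Windows Media Player", "Microsoft", "12.0"),
    Installed("Example Browser", "ExampleVendor", "21.0"),
]

# Constructed advisory feed (not a real vulnerability database).
ADVISORIES = [
    Advisory("Oracle Java 7", "7.0.40", 5, True),
    Advisory("Apple QuickTime 7", "7.7.4", 4, True),
    Advisory("Apple iTunes", "11.0.3", 3, True),
    Advisory("Microsoft Office", "14.0.8", 4, True),
    Advisory("Example Browser", "22.0", 5, False),   # disclosed, no fix shipped yet
]


def parse_version(v: str) -> Tuple[int, ...]:
    """'7.0.25' -> (7, 0, 25): compare versions numerically, not as strings
    (as strings, '7.0.9' would wrongly sort above '7.0.25')."""
    parts = []
    for piece in v.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def is_vulnerable(inst: Installed, adv: Advisory) -> bool:
    """Installed version is older than the first fixed version."""
    return inst.name == adv.name and parse_version(inst.version) < parse_version(adv.fixed_in)


def prioritise(inventory: List[Installed], advisories: List[Advisory]):
    """Match inventory against advisories and order the hits: highest severity
    first; among equals, programs with a patch available before those without
    (they can be fixed today); then non-Microsoft before Microsoft, since a
    Microsoft-only update routine already covers the latter."""
    hits = [(i, a) for i in inventory for a in advisories if is_vulnerable(i, a)]

    def urgency(item):
        inst, adv = item
        return (-adv.severity, not adv.patch_available, inst.vendor == "Microsoft", inst.name)

    return sorted(hits, key=urgency)


def plan(inventory: List[Installed], advisories: List[Advisory]) -> List[Tuple[str, str]]:
    """Turn the prioritised list into actions. A vulnerability with no vendor
    patch cannot be patched away; it needs a compensating control instead."""
    actions = []
    for inst, adv in prioritise(inventory, advisories):
        if adv.patch_available:
            actions.append((inst.name, f"PATCH {inst.version} -> {adv.fixed_in} (severity {adv.severity})"))
        else:
            actions.append((inst.name, f"NO PATCH YET: restrict or monitor until fix {adv.fixed_in} ships"))
    return actions


def unmonitored_count(inventory: List[Installed]) -> int:
    """Programs a Microsoft-only patch routine never inspects."""
    return sum(1 for i in inventory if i.vendor != "Microsoft")


if __name__ == "__main__":
    for name, action in plan(INVENTORY, ADVISORIES):
        print(f"{name:22} {action}")
    print(f"{unmonitored_count(INVENTORY)} of {len(INVENTORY)} programs are non-Microsoft")
```

Run as a script it prints the ordered action list and the count of programs a Microsoft-only routine would miss. The ordering key is the point worth adapting: severity alone is not enough, because an item with no available fix cannot be closed by the patch process and belongs on a separate mitigation track.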
Although implementing a new BYOD strategy and solution within your existing IT systems management infrastructure could be a difficult task, embracing the challenge could actually be a good PR exercise for management and your IT team. IT will move beyond the perception of being mere ‘gatekeepers’ to ‘enablers’ instead – the people who have their fingers on the pulse of technology.
“Consumerization of IT is clearly not going away, so enterprise IT managers cannot simply bury their heads in the sand. The challenge is to accommodate the ‘work anywhere, anytime’ productivity and user satisfaction benefits that consumerization and BYOD can bring, while retaining enough control to keep company data secure and compliance requirements satisfied.” - ZDNet, 2013 (14)
To conclude, it comes down to the question: Is your BYOD ‘glass’ half full, or half empty? If the answer is half empty, then your organization needs to swiftly look at ways to ‘fill’ the glass with the right tools and resources to get up to speed. Otherwise, due to the rate of change in the corporate sphere and the intensifying threat landscape, there is a danger of becoming a relic of a bygone pre-BYOD era.
The foundation stone of your strategy
Is BYOD a cloud-based cocktail or a recipe for disaster? Success or failure, positive or negative – as always, it is down to approach and attitude.
1. “InfoWorld’s Guide to a successful BYOD and mobile IT strategy.” InfoWorld. February 2013. http://www.infoworld.com/d/mobile-technology/infoworlds-guide-successful-byod-and-mobile-it-strategy-179111?1375788929
2. “BYOD and Virtualization – Top 10 Insights.” Cisco: IBSG Horizons Study. 2012. http://www.cisco.com/web/about/ac79/re/horizons.html
3. “Global Survey Reveals ‘First Generation’ BYOD Workers Pose Serious Security Challenges to Corporate IT Systems.” Fortinet. June 2012. http://www.fortinet.com/press_releases/120619.html
4. “Five security risks of moving data in BYOD era.” ZDNet. February 2013. http://www.zdnet.com/five-security-risks-of-moving-data-in-byod-era-7000010665/
5. “2013 Data Breach Investigations Report.” Verizon. http://www.verizonenterprise.com/DBIR/2013/
6. “2012 Cost of Cyber Crime Study: United States.” Ponemon Institute. October 2012. http://www.ponemon.org/local/upload/file/2012_US_Cost_of_Cyber_Crime_Study_FINAL6%20.pdf
7. “2013 State of the Endpoint.” Ponemon Institute. December 2012. http://www.ponemon.org/local/upload/file/2013%20State%20of%20Endpoint%20Security%20WP_FINAL4.pdf
8. “Secunia Vulnerability Review 2013.” http://secunia.com/vulnerability-review/
9. “Android Secures 80% Global Market Share.” PC Magazine. August 2013. http://www.pcmag.com/article2/0,2817,2422611,00.asp
10. “Special Report: Cybercrime.” Accelus Thomson Reuters. 2012. http://accelus.thomsonreuters.com/sites/default/files/L-372712.pdf
11. “How to Secure a Moving Target with Limited Resources.” Secunia. 2013. https://secunia.com/products/corporate/csi/howtosecure2013/
12. “Secunia Country Reports, USA.” Q2 2013. http://secunia.com/resources/countryreports/
13. “Secunia Country Reports: World.” Available upon request. E-mail: [email protected]
14. “Consumerization, BYOD and MDM: What you need to know.” ZDNet. February 2013. http://www.zdnet.com/consumerization-byod-and-mdm-what-you-need-to-know_p2-7000010205/
15. “Developing a BYOD Strategy: The 5 Mistakes to Avoid.” Forbes. March 2012. http://www.forbes.com/sites/ciocentral/2012/03/27/developing-a-byod-strategy-the-5-mistakes-to-avoid/
16. “Adapting Vulnerability Management to Advanced Threats.” Gartner. April 2012.
Secunia can help
Secunia offers corporate and private solutions for PC and mobile security. We can assist you with your BYOD questions and Vulnerability and Patch Management needs.
• PSI – Personal Software Inspector
• CSI – Corporate Software Inspector
• VIM – Vulnerability Intelligence Manager
• PSI – Personal Software Inspector for Android
Further reading from Secunia
“How to Secure a Moving Target with Limited Resources.” secunia.com/products/corporate/csi/howtosecure2013/
“Secunia Vulnerability Review 2013.” secunia.com/vulnerability-review
“Secunia Country Reports.” secunia.com/countryreports
“Educational institutions are treasure chests for cybercriminals.” secunia.com/resources/reports/education-sector-whitepaper
For further information about Secunia’s competencies, please contact [email protected]
Visit us at secunia.com Stay Secure.