BYOD 2015: Data Loss, Data Leaks & Data Breaches

The growth of employee-owned devices in the workplace is placing new demands on enterprises struggling to protect both personal and professional data.

Subbu Sthanu, Director, Mobile Security & Application Security, IBM

November 4, 2015

4 Min Read
Dark Reading logo in a gray background | Dark Reading

Historically, corporate-owned desktops and laptops were obligatory. They not only saved employees time and money, but also enabled IT to carefully control their use and minimize risks associated with using them for work. Anti-malware, data loss prevention (DLP), web access control and VPN were some of the security capabilities that were commonly enabled to company-issued devices. 

Bring Your Own Device programs and the rise of employee-owned devices in the workplace have dramatically transformed how companies can (or can’t!) control the risks of these devices Over the years, employees have come to expect their devices to be under little or no scrutiny from their employer. At the same time, many major mobile operating systems are designed in a way that restricts the visibility and enforceability of an enterprise’s security capabilities.

But device ownership is only a small part of the current problem. An even greater concern is the content – work files, emails, enterprise resource planning records – that are increasingly stored on the devices themselves. Historically, the objective of enterprise security controls has always been to limit the risk of data exposure on laptops and desktops. Today – with the growing use of smartphones and tablets – data exposure has now become a top priority.

To capitalize on the benefits of BYOD without sacrificing security, it’s essential for security teams to fully understand potential threats, and preemptively develop plans to mitigate the risks to enterprises’ data. Here are three examples of these types of threats, and how companies can proactively defend against them.

Risk #1: Data Loss: Data loss is relatively straightforward to handle; enterprises should be able to remotely wipe lost or stolen devices. However, when the personal is intertwined with the professional, enterprises should only be empowered to remove work-related content. So – in case the device is recovered – the employee’s personal data can also be recovered.

Encrypting enterprise content and improving device security through access passcodes and ensuring the OS is up-to-date can help prevent criminals from extracting sensitive data from the device. But new  research from IBM Security into one million BYOD and corporate-issued devices found that nearly 80 percent of companies enforce only the most basic option to protect their data on employees’ phones: a 4-5 digit PIN. As hackers increasingly recognize mobile as an emerging attack vector, it’s essential that organizations update their mobile security policies accordingly, and require their employees to use lengthier passcodes to protect their data.

Risk #2: Data Leak: When an employee shares company data from a mobile device with an unauthorized app or third party, he or she is a mere click away from placing corporate data at a significant risk. In order to  prevent data leakage, companies need to develop centralized policies offering granular control of how data is accessed,  used and shared with specific applications and users. Data leak prevention can be enforced within individual corporate mobile apps or within content containers on the device.

Data leaks can also be caused by application vulnerabilities exploited by malware. According to a March IBM-Sponsored Ponemon Institute Study (registration required), nearly 40 percent of companies, including many in the Fortune 500, aren’t properly securing the mobile apps they build for customers. That’s why IT directors must ensure enterprise apps are vulnerability free in order to improve resilience to data leakage. 

Risk #3: Data Breach: If an employee-owned device connected to the company’s network becomes compromised by malware ­­from downloading a malicious app or faulty device security,  the whole network is susceptible to a data breach. This requires a different level of data breach prevention at the point of network entry, one that involves a deeper understanding of the risk profile of the device and the user. High risk factors include compromised and vulnerable devices, the context of the access (time, location) and historical access patterns (what is being accessed, how often).  Context- and risk-aware access control can enable enterprises to minimize the risk mobile devices pose to their networks.

Looking ahead, understanding and building a plan to lessen the risks to company data is an essential part of realizing the benefits mobility brings to employees and businesses alike. 

About the Author

Subbu Sthanu

Director, Mobile Security & Application Security, IBM

Subbu Sthanu is the Director of Mobile Security and Application Security at IBM. Prior to IBM, Subbu served on the leadership teams of security software vendors like Novell, NetIQ, Trustwave and BeyondTrust, heading up product management, marketing, corporate development and business operations functions for Data, Network, Web, Email, People and Cloud & Managed Security solutions.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights