With the entrenchment of the BYOD (bring your own device) trend, businesses are facing increasing security pressures. Rajiv Shah, communications, data, and security solutions director at BAE Systems Detica Australia, warned that with the increasing intermingling of work and personal devices, companies must have an effective risk management strategy in place.
“Companies are looking for ways to offer more flexibility to employees. Allowing staff to use their own personal devices can bring major benefits to a business, but also brings risks that need to be understood and managed,” Shah warned.
According to Shah, there has been a significant increase in malware attacks on mobile devices in the past 18 months. While such attacks were very rare two years ago, he estimated, on the basis of anecdotal evidence, that they have increased tenfold since then. The increase is driven both by the proliferation of smartphones and tablets and by the fact that they tend not to be as well secured as traditional desktop computers, Shah said.
“When we all had one PC on our desk or at home, people were generally quite good about keeping security software up-to-date,” Shah explained. Mobile devices are harder to secure for a number of reasons: they are much easier to lose, they are almost always connected, it is difficult to keep track of a diverse fleet of devices, and security software is often not available for them.
Because BYOD is so widespread, these devices present weak spots that render corporate networks vulnerable to attack. There are four main areas that organisations need to focus on: prepare, protect, monitor and respond. Preparation involves understanding the benefits of a BYOD programme as well as its risks, and using this knowledge to write a clear policy on the use of mobile devices.
“Our view on protection of mobile devices is you don’t just think about the device – it’s an end-to-end problem…and therefore you need to put in place security at a number of different points,” Shah warned. It’s key to have a number of layers of protection, not just a firewall in one place.
But you can never rely on 100% protection, so organisations need to constantly monitor their corporate network. “If an attacker breaches your systems … you’re there looking at what’s happening on the network, and you can pick up the signs of an attack, work out what it is, and then be in a position to stop it,” Shah said.
Finally, it’s key to have a plan in place for how to respond to a cyber-attack, so that you can establish how it happened and the extent of the damage, and work out how to prevent it being repeated.