As the use of personal smartphones and other devices become more ubiquitous in the workplace, managers must balance the risk of the company's security against lowering costs and convenience.
Tightening access to a company's network or Wifi becomes even more critical when employees download apps infected with malware or have used Wifi that has been compromised. Many employees are unaware that their tablet or smartphone has been infected and use it on the corporate network and access sensitive information, said Joram Borenstein, a vice president of marketing of NICE Actimize, a New York-based financial crimes software solutions provider.
"Personal devices can be infected or made vulnerable for any number of reasons including rogue apps being installed, outdated apps being used or infected WiFi," he said. "All of these problems may predate the initial use of the device on the corporate network."
Companies are increasingly allowing the use of bring your own device (BYOD) at the office or when employees work from home. This strategy is causing friction as it "blurs the lines for both employees and employers," Borenstein said.
Since bringing your devices to work is becoming more commonplace, including the surge in popularity of wearable technologies in the workplace, the demand for apps will also continue to rise. Many apps are not very secure, because "developers are working under extreme pressure and on razor-thin profit margins, which is leading to a sacrifice of security and comprehensive testing in favor of lower costs and speed of delivery," said Steve Durbin, managing director of the Information Security Forum, a London-based authority on cyber, information security and risk management.
The apps which possess poorer qualities can be "more easily" hijacked by criminals and are a greater risk for the security of the network, he said.
How Companies Are Limiting BYOD
As the proliferation of hacking continues, many companies are fighting the attacks from cyber criminals by requiring their employees to install "certain apps on those devices before allowing them onto the corporate network," Borenstein said.
Companies who hire part-time employees or freelancers must also develop a strategy to prevent infected devices from accessing their networks.
"When contractors and partners are taken into consideration, the picture becomes even less clear, as those individuals are typically not even given a 'corporate-blessed' device and therefore must use their own devices," he said.
Many companies have not established clear-cut policies on when or if an employee can use their own device on the corporate network, said Michael Gregg, COO of Superior Solutions, a Houston-based cybersecurity firm. Since these employee-owned devices are not corporate property, they can remain beyond the control of the company, posing greater threats as the incidences of mobile malware rises.
"The policy should state that the company has access to any device that may connect to the corporate network, along with the capability to revoke access or wipe a device if it is lost or stolen," he said. "If implementation is not done correctly, there is a real potential that personally identifiable information and other types of internal data may be exposed or breached or exfiltrated."
Companies need to be aware of what devices are being connected to their networks, whether it comes from an employee or a vendor. Some of them lack the capabilities to monitor who is using the Wifi or is lax on security.
"First and foremost, organizations need to provide an account for every IP address," said Dan Lohrmann, chief security officer at Security Mentor, a Pacific Grove, Calif.-based security awareness training provider. "Second, organizations should ensure that end-to-end security is provided such as having the right level of security enabled such as changing default passwords and making sure configuration settings and software and firmware updates are current."
Security breaches occur often, because there is a "basic" lack of awareness, said Oscar Marquez, chief technology officer at iSheriff, a Redwood City, Calif.-based provider of enterprise cloud security solutions.
Employees should also be educated often about the most popular cyber threats such as malware, phishing scams, ransomware and advanced persistent threats.
"Update and refresh employee education regularly, and set and enforce BYOD and safe use policies that cover all work environments, including business travel," he said. "Restrict access to sensitive data, require multi-factor authentication and encrypt databases."
When security managers lack the tools to secure the endpoints of a company's network, some administrators are left with the unpopular, but necessary option of over-restricting access and reducing user functionality, Marquez said.
"Companies must be meticulous about creating and enforcing BYOD policies which include a verification capability," he said.
The security threats of the Internet of Things (IoT) could cripple an organization.
"While connected devices and the IoT are still in their early stages, we have a chance to build in new security approaches if we start preparing now," Durbin said.