The move to working from home (“WFH”) and the rise in remote access to systems have given the Bring Your Own Device (”BYOD”) movement a boost. On the one hand, it can save hard-pressed IT Departments the costs of supplying hardware, but on the other hand, it can relinquish control of the devices used and the apps installed on them, thereby introducing new security risks.
BYOD (Bring Your Own Device) is straightforward. In the past, IT supplied the device for use on the corporate network, usually a desktop computer, and a laptop for the mobile user. As remote computing, and now WFH became the norm, users have been encouraged to use their personal smart devices.
On the downside, IT has no control over the make and model of the smart device, and it’s use outwith corporate applications.
The issues around BYOD Security
Many organizations quickly realized the dangers of data leakage by having work and personal data intermingled. There were cases where a personal contact has mistakenly received confidential information. As a result, they introduced Mobile Device Management (“MDM”), an application that allows a degree of remote management of the device, for example, wiping all data.
It was not a roaring success since employees did not like the implications for their private data, and organizations still fretted over data leakage.
The current answer is Mobile Application Management (“MAM”), in which apps are managed remotely. Employees felt their privacy was more secure, and the company only needed to worry about their apps and data.
Before taking a look at BYOD Security in general, what abandoned apps are, and why they are a threat.
A definition of an abandoned app is an app that is no longer available from an app store and cannot be updated to remove vulnerabilities and apply bug fixes. Effectively, it’s developers don’t develop or support it any longer.
Hackers now exploit the app, providing fake updates that include malware or modifying the app to target unfixed vulnerabilities. A good current example is TikTok, which is designed to prevent reverse engineering and debugging. It has known vulnerabilities, but because of the design limitations, and it’s uncertain future, the developers or a third party do not fix them. Some clones have been found, masquerading as TikTok.
That is true of many abandoned apps. Ther risk that they will be malware and hacking vectors increases as new threats develop and the app cannot be updated to counter them.
Wandera estimates that of abandoned apps with live installations, about 40% were in the productivity arena and over 30% in games and entertainment.
Managing the Risk
While abandoned apps may be a security risk, countering them is a small part of a broader BYOD security strategy. A good strategy will balance the need to protect an organization’s data and Intellectual Property, and the user’s need for privacy and freedom to use the device.
The first step is Risk Profiling. The company may operate in a regulated environment with compliance requirements. This is particularly true of International BYOD deployments.
The second step is to ensure that all central systems are up to date with security patches, particularly malware detection, browsers and operating systems.
Another significant issue is lost and stolen BYOD devices, and devices owned by ex-employees. IT and HR must have the ability to wipe at least corporate data from the device. Ideally, they must be able to reset the device to factory settings. Hackers on the Dark Web will pay top dollar for sensitive corporate data.
The organization must also institute a policy for BYOD devices that sets out procedure and rules for use of BYOD devices on corporate systems. The policy will include:
- Preparation of the device for use on corporate systems, including network access, VPN configuration, anti malware software installation and MAM support.
- Acceptable use, setting out things that are allowed and not allowed. Social Media is included in this category;
- Security procedures that must be followed, including forced downloads of anti-malware software;
- What to do if a device is lost or stolen;
- The usage monitoring that the company will carry out; and
- The devices that are and are not allowed.
In summary, assess BYOD policies and procedures to balance vale and risk. Practical rules and guidelines will be needed.