Executive Report
The Top Four BYOD Security Risks and How Enterprise Firms Combat Them
2 CyrusOne Enterprise Data Centers | 855-564-3198 | CyrusOne.com
For employers, BYOD offers tremendous advantages: it reduces IT costs, improves
productivity, increases employee satisfaction and offers much-valued flexibility.2
But along with these gains come increased cybersecurity risks.
Just as BYOD blurs the line between personal and business hours, this method
of accessing enterprise content and networks threatens security. Another
survey found that nearly three-fourths of organizations that permitted BYOD or
corporate-owned personally enabled devices had experienced a data breach as
a result of a mobile security issue.3
While some organizations choose to ban personal devices for business use outright,
progressive companies realize the benefits of these tools while appropriately
managing the risks. These companies impose forward-looking and secure policies
and practices, delivering proactive training to staff and deploying protection
technologies that defend against the top four BYOD threats.
1. Malware
Malicious software, or “malware,” is the most commonly cited BYOD-related threat.4
Malware infected some 16 million mobile devices worldwide in 2014, a 25 percent
increase over the previous year, according to a study by Alcatel-Lucent’s Motive
Security Labs.5
Personal devices are particularly vulnerable to malware because they may be running
on outdated operating systems and lack basic security protections such as anti-virus
software. Malware can enter personal mobile devices:
• Through unsecured local networks.
• Through apps that contain security vulnerabilities.
• When employees download malicious third-party apps from social
media sites or app stores.
Malware can spy on users, pilfer confidential corporate information, steal money,
download contact lists and emails, and allow outsiders to become unauthorized
users on corporate data plans. It also can hold data hostage in return for money,
a tactic known as ransomware. A 2016 survey of 800 cybersecurity professionals
found that 39% of organizations worldwide had found malware downloaded on
BYOD or corporate-owned personal devices.6
To combat malware threats, many successful organizations rely on a combination of
robust technology and education.
Bring your own device (BYOD) – the use of personal tablets, computers and smartphones for work – is becoming commonplace. According to ComScore, in 2015 the number of mobile users outstripped desktop computer users for the first time. These mobile users also spent an average of three hours a day on their devices.1
Market researcher Gartner Inc. predicts that almost four in 10 organizations will rely exclusively on BYOD for work-related projects – meaning they will no longer provide any devices to employees – by the end of 2016, and 85 percent of businesses will have some kind of BYOD program in place by 2020.
Technology
To add an extra layer of security to mobile devices, companies
can install mobile device management (MDM) software on their
employees’ personal devices. This software:
• Allows organizations to remotely wipe a device if an employee is
terminated with cause.
• Segregates corporate data from personal data.
• Secures emails and corporate documents.
• Offers a safe browser through which employees can access the
internet.
Education
It is critical to train employees extensively on mobile device security
and share the risks associated with downloading apps that come
through third parties, such as an app for a retailer not offered on its
website.
Companies also should require that workers keep personal device
operating systems up to date, which enhances cybersecurity. It is
good practice to discourage downloads of apps from any place
other than trusted sources, such as Google Play and the Apple
Store.
2. Connection Hijacking
Employees working on the road, in between errands or at odd hours
are more likely to encounter an unsecured or
even malicious wireless network.
Unsecured networks do not require passwords and do not adhere to
any wireless security standard. They make it possible for someone
sitting in the same coffee shop as one of your employees to view their
browsing session and hijack it, or to analyze traffic patterns from
everyone sitting around them on that network.
Malicious networks are set up to look like public networks, with the
intention of tricking people into connecting with them in order to
steal sensitive information. Such networks may also enable
compromised devices to enter the network and infect those
around them.
To address the threat of unsecured networks, organizations should
develop an acceptable use policy for employee devices that
prohibits the use of unsecured wireless networks to connect to their
corporate network. Companies can also facilitate the use of
cellular data for laptops and tablets by providing employees who
travel extensively with mobile personal hotspot devices, which offer
high-speed cellular connections.
3. Phishing and SMiShing
Phishing and its cousin, short message service (SMS) phishing (also known as
SMiShing), continue to grow in popularity as social engineering tools for cybercriminals.
The problem occurs when employees click links sent in SMiShing texts, phishing
emails or on social media sites that lead to webpages prompting them to enter personal
information. The goal is to gain access to sensitive information such as usernames and
passwords, and then use those to access corporate, personal and financial data.
Organizations should educate employees to beware of these types of campaigns
promoted through social media sites, texts and emails. Tell employees to always be
wary of clicking any link in an email or SMS that they received unexpectedly (even if it
comes from a friend, because their account might have been hijacked). Additionally,
companies should regularly share examples of the latest phishing and SMiShing scams
with their employees.
4. Device Theft
Reports show that mobile phone theft is declining7 due to the widespread use of kill
switches, or software that allows device owners to remotely lock and delete personal
data in case of a loss or robbery. Still, device theft remains a top BYOD risk. The fact
is, employees take personal devices to places they wouldn’t take company-owned
devices, such as on vacation or out to dinner. Unlike devices within a corporate building,
these devices cannot be secured through guards and gates, placing them at a greater
risk for loss.
Combating device theft requires employee education, device management and authentication.
Educate employees on the risks associated with leaving devices unattended
in automobiles, restaurants and at their children’s sporting events. Additionally, require
employees to use strong passwords on their mobile devices and change those passwords
frequently.
In the unfortunate event of theft, the company’s mobile device management software
should immediately and remotely delete all corporate data from a personal device used
for business.
Maintaining BYOD Security
Enterprise businesses like CyrusOne put industry-leading security standards in place
to mitigate corporate risk and deliver peace of mind for their clients.
As the preferred data center provider of the Fortune 1000, the most demanding global
companies trust CyrusOne for exceptional security, reliability and service. In addition
to the security measures described in this report, CyrusOne’s IT personnel participate
in information security forums and conferences in order to stay abreast of emerging
threats. CyrusOne also reviews internal policies and procedures every year to ensure
that the company and its employees are working in the most secure fashion possible.
References
1. Dave Chaffey, “Mobile Marketing Statistics compilation,” Smart Insights. Accessed June 10, 2016. http://www.smartinsights.com/mobile-marketing/mobile-marketing-analytics/mobile-marketing-statistics/
2. Deloitte, Understanding the Bring-Your-Own-Device landscape. 2013. Accessed June 10, 2016. http://www2.deloitte.com/content/dam/Deloitte/uk/Documents/about-deloitte/deloitte-uk-understanding-the-bring-your-own-device%20landscape.pdf
3. Kelly Jackson Higgins, “Survey Shows Surprisingly High Number of Breaches via Mobile,” InformationWeek Dark Reading. Last modified Oct. 6, 2015. Accessed June 10, 2016. http://www.darkreading.com/mobile/survey-shows-surprisingly-high-number-of-breaches-via-mobile/d/d-id/1322513
4. Erika Chickowski, “Ransomware Ranked Number One Mobile Malware Threat,” InformationWeek Dark Reading. Last modified Oct. 28, 2015. Accessed June 10, 2016. http://www.darkreading.com/endpoint/ransomware-ranked-number-one-mobile-malware-threat/d/d-id/1322886
5. Alcatel-Lucent, “Alcatel-Lucent report on malware in 2014 sees rise in device and network attacks that place personal and workplace privacy at risk.” Last modified Feb. 12, 2015. Accessed June 10, 2016. https://www.alcatel-lucent.com/press/2015/alcatel-lucent-report-malware-2014-sees-rise-device-and-network-attacks-place-personal-and-workplace
6. Holger Schultze, “BYOD and Mobile Security 2016 Spotlight Report.” LinkedIn Information Security Group. Accessed June 10, 2016. http://www.crowdresearchpartners.com/wp-content/uploads/2016/03/BYOD-and-Mobile-Security-Report-2016.pdf
7. Consumer Reports, “Smartphone thefts drop as kill switch usage grows.” Last modified June 11, 2015. Accessed June 10, 2016. http://www.consumerreports.org/cro/news/2015/06/smartphone-thefts-on-the-decline/index.htm
ER-015-2016 | © 2016 CyrusOne Inc. CyrusOne Enterprise Data Centers | 855-564-3198 | CyrusOne.com
About CyrusOne
CyrusOne specializes in providing highly reliable, flexible and scalable enterprise data
center colocation that meets the specific needs of customers across its broad portfolio
of carrier-neutral data center facilities in the United States, Europe and Asia. CyrusOne
employs its Massively Modular® engineering and design approach to optimize design
and construction materials sourcing and enable just-in-time data hall inventory to meet
customer demand.
The company engineers its facilities with redundant power technology, including an
available 2N architecture. CyrusOne customers can mix and match data centers to
create their own production and/or disaster recovery platforms by combining facilities
via the low-cost, robust interconnectivity provided by the CyrusOne National Internet
Exchange (IX).
About the Author
Blake Hankins, Chief Information Officer
Blake Hankins is the Chief Information Officer at CyrusOne. As the CIO, Blake is responsible
for all aspects of Information Technology including infrastructure, system administration,
development and network. Additionally, Blake heads our Project Management and
Compliance activities.
Prior to joining CyrusOne, Blake worked at Cincinnati Bell Technology Solutions as the
Director of Business System Development and at Cincinnati Bell as the Director of IT Audit,
Compliance and Revenue Assurance.
He received his Bachelor of Science in Management Information Systems and Finance from
Miami University.