- Employee‑owned mobile devices were responsible for more than half of all corporate data breaches in 2017
- Mobile device management (MDM) tools are adding AI capabilities to provide new layers of threat detection
- Some companies are revising BYOD policies to lower risk
Here’s a sobering stat to consider the next time you check email on your smartphone: People are three times more likely to click into a phishing attack on a mobile device than they are on a desktop computer, according to IBM research.
Nearly a decade after BYOD swept the enterprise, security leaders still struggle to manage the attendant risk. Employee‑owned devices were culpable in 51% of corporate data breaches in 2017, according to an AT&T report. Nearly one‑third of senior executives surveyed by PwC cited mobile devices as the leading cause of their organization’s security breaches.
To mitigate the biggest ongoing risks of BYOD—including data leakage, unauthorized access, and Wi‑Fi vulnerabilities—CISOs must deploy a range of tactics and tools. They include emerging AI tools along with old‑school strategies, such as turning the clock back on BYOD.
Rethinking BYOD policy
With an estimated 85% of companies currently running BYOD organizations, you might think there’s no going back to the days of company‑issued phones and data plans. But with security risks escalating, that’s exactly what some security analysts recommend.
Some large companies may soon make the switch, predicts Joel Windels, global marketing VP at NetMotion Software, a mobility management and security firm.
“Every organization must decide what their risk tolerance is,” Windels says. “Some might think the risk level is not yet great enough to go through the ordeal of bringing BYOD in‑house, but there has undoubtedly been a trend towards this in some sectors.” Airlines, logistics, healthcare, and financial services are at the top of that list.
Companies that aren’t willing to ban BYOD can take intermediate measures. For example, they can let employees choose between the typical “mobile‑expenses‑paid” perk of many BYOD organizations, or a free company‑provided smartphone and data plan.
That can be an expensive trade‑off for many companies. Company‑issued devices and plans cost companies an estimated $3,150 annually per user. By contrast, data plans typically cost less than $750 per user per year.
Companies can also limit the type of phones employees use for work, even if they’re bringing their own. A company might offer only Android or iOS devices as a way to simplify the company’s device management practices and enforce controls, says Craig Koroscil, vice president of training operations for cybersecurity training vendor Circadence.
Advanced security platforms
Regardless of whether employees use their own device or one provided by the company, enterprise mobile security requires mobile device management (MDM) software that monitors and manages employee devices. A typical MDM toolset will monitor not just devices but their connected networks and the data they send and receive.
Most MDM products include advanced encryption for apps and data on employee devices, says Chris Krieger, security solutions architect at AHEAD, a cybersecurity vendor. An MDM platform allows the organization to manage security for its data without compromising the usability of employees’ devices.
MDM platforms increasingly feature AI capabilities for mobile threat detection and for “reconnaissance” activities, such as detecting suspicious access to mobile devices or compromised ID credentials.
Human security analysts still need to verify threats and breaches manually and implement security plans. But new machine learning techniques can identify anomalous network events that might otherwise remain hidden. That helps “ensure data protection and prevent intrusions by other machines,” says Mihai Corbuleac, senior IT consultant at ComputerSupport.com, an IT and security support vendor. “Most importantly, it can protect data across a large number of endpoints.”
Multi-layered security strategy
A typical MDM platform provides several layers of protection, including app management. The software typically requires users to set passcodes and enable storage encryption, and allows administrators to lock or wipe devices remotely if they are lost or stolen.
An additional layer of security tools can limit or scan all apps that employees download onto their devices. That’s important because nearly all popular mobile commerce and fitness apps, for example, contain security vulnerabilities. “Protecting mobile apps is just as important as keeping mobile devices secure,” says Min Pyo Hong, founder and CEO of mobile app security company SEWORKS.
Another helpful tactic is “containerizing” mobile apps on devices by sequestering the most vulnerable ones from other apps and from the device’s operating system. That allows the security team to control what applications can be used on phones and tablets while providing a unified user experience.
As an additional layer of protection against criminal tactics targeting mobile users, some large companies now include fraud prevention tools in their identity and security programs. These techniques focus on SMS authentication and security. They can block phone‑number hijacking and other common attacks.
Some companies block recently ported phone numbers in an attempt to weed out numbers that were transferred without the legitimate owner’s consent. This cuts down on spam calls, which are often tied to scams.
The list goes on. Companies can block or require authentication for certain kinds of phone numbers, such as toll‑free services or virtual phone numbers. They can also block certain carriers, such as overseas providers, or require one‑time passcodes from new callers, preventing employees from being spammed and limiting brute force attacks.
While these tactics might seem primitive compared to AI‑powered security tech, they work. And many analysts don’t think the first‑generation AI tools are ready for prime time.
“Mobile security is very nuanced,” says Steven Aiello, security solutions principal at AHEAD. “Is that command an administrator checking permissions, or is it a compromised administrator account looking to find a hacker’s next point of entry? You simply can’t answer the question without context. As fast as AI tools are, they still aren’t very good at determining intent.”