According to a survey on mobile device use, the number of mobile devices in use is expected to grow to approximately 10 billion, about 1.5 for every person on the globe (Ripley, 2013). Since mobile devices have become part of everyone's life, most employees prefer to work on their own devices. Organizations have concluded that employees should be aware of the safety mechanisms needed to control their devices.
Companies currently press their workers to be more productive. For this purpose, a legitimate application is required that lets employee devices operate in a secured environment, so that higher economic advantage and productivity can be attained. BYOD therefore seems an appealing choice to more and more enterprises.
The conventional security model for securing the IT firm's outer perimeter was shaped by asset ownership and physical locality. Company mail, office applications, reminders, etc. can now be accessed anywhere using personal gadgets (Brad, Trinkle, Crossler & Warkentin, 2014).
Firms are struggling to define safety standards and procedures in a way that balances staff requirements against security issues.
This report therefore illustrates the major BYOD risks and the essential steps required to confront the security issues, depending on the firm's imperatives and prevailing challenges.
Concerns to be contemplated in a BYOD environment
The safety risks of employing BYOD in an organization depend on the following key aspects:
- Risk Profile of the Organization
The security management mode selected by the organization largely depends on how the organization defines and treats the various security risks.
- Existing and Imminent Mobile Use Cases
Organizations should be aware of the sorts of operations and data that are used during BYOD implementation. For example, online payment processing performed on mobile devices requires PCI-DSS compliance on the corresponding devices. Hence, a single use case does not apply to all mobile devices (AirWatch, 2012).
- Geographic Distribution of Mobile Devices
The risks are increased not only by the geographic dispersal of the mobile devices, but also by inadequate legal regulation in the corresponding areas.
In order to achieve a safe and profitable level in the organization, firms need to follow the aforementioned steps during the initial period of BYOD implementation.
Definition of BYOD Risk
The BYOD environment imposes several threats on an enterprise. An organized approach ought to categorize the risks confronted and help confirm that the controls in place keep up the safety and compatibility of the mobile devices inside the organization (Cisco, 2012).
The organization tends to describe the effects of BYOD risks once the issues related to risk profile, characteristics, and utilization have been considered. BYOD risks, whose impacts are similar to those caused by other types of hazards, have the potential to accelerate the risk factors.
The risk environment can be distinguished according to the specific factors depicted below:
3.1. Security of Mobile Devices
Conventional mobile devices tend to be uncomplicated in terms of security and management, since they are manufactured by a single company that imposes more restrictions on accessing organizational data (Cook, 2013). Hence, organizations had no difficulty applying unified security procedures to all devices distributed by the same manufacturer. But the BYOD platform completely changed this secured environment by permitting all employees to bring their own devices of distinct configurations and models.
The risks are expanded because of the assorted device environment and the sheer number of mobile devices. The security procedures that were applied through a constant administration interface need to be modified because BYOD brings in a wide range of devices and operating systems. Moreover, users who own several devices prefer to connect all of them to the organizational framework, which intensifies the security risks. So, all those devices should be protected and assured.
Delivering great business value to customers is the prime objective of the technological devices. But productivity can decrease if personal mobile devices are not allowed because of stringent security policies. This risk-aversion process drives employees to illegitimate and unsafe access to confidential information. So, the security programs should be drafted well enough that they suit the various kinds of users and user divisions. Local device accessibility, mobile network carriers, and usage conventions should be taken into account by international enterprises. The customer experience can be enhanced by employing well-defined use cases, since inefficient use cases result in catastrophe (Drew, 2012). By acquiring the user's product and the technology, customer satisfaction can be obtained.
Expertise on these risks can help enterprises procure the vital components, so that users can protect their gadgets and improved information safety can be endorsed. The security risks can be categorized according to the concerns mentioned below.
- Physical Access
- Lost and stolen devices
- Availability through increased data access
- Insufficient knowledge of risks
- Operational functionality of the user device
3.1.1. Lost and stolen devices
A large number of mobile phones and smartphones go missing every year. About 22 percent of mobile devices are lost, and about 50% of these stolen devices are never recovered (Robert, Crossler, Long, Tina, Loraas & Trinkle, 2017). Many devices are stolen with the intention of selling their hardware second-hand. As a result, the information stored on the devices is accessed by somebody without the knowledge of the device owners. In order to be able to wipe the information stored on the device, security mechanisms such as password protection, robust safety policies, and encryption must be incorporated within the device.
3.1.2. Physical Access
Hackers can physically gain access to the user's sensitive information stored on the device. Such physical access is not possible with stationary hardware like terminals and servers. Once a hacker has obtained physical access, the device cannot be secured properly (Forrester, 2012).
If employees bring older and insecure mobile devices into the organization, the device's entire security state is affected, thereby increasing the risks to the device's operating system, applications, and hardware components. iPhones manufactured before the introduction of 3G technology lack some security features (Edwards, 2013), and the risk increases if this scenario is repeated in the BYOD environment. Hence organizations should set security standards that match all employees' personal device requirements.
3.1.3. Operational functionality of the user device
Ownership of the devices used by employees at work dominates the management of those devices. This results in jailbreaking of the operating systems and leaves the organizational data vulnerable to many types of threats. In this way, the security features of many operating systems vanish. Consequently, the loss of a device may not be reported to the organization because of the sense of ownership possessed by employees.
3.1.4. Insufficient knowledge of risks
Acknowledgement of the aforementioned hazards within the organization is needed in the absence of client security. Being aware of the security techniques for safeguarding the devices is an essential defence against the different types of risk. The danger derived from the gadget itself ought to be surveyed as a constituent of the organization's hazard appraisal system. In order to manage the fluctuating degrees of danger related to work capabilities, a single-layered gadget design is feasible. For example, a custom application incorporated in mobile devices for presenting sensitive financial data to the board will invariably be more exposed to accidental theft than a mobile device that only has access to applications like email and calendar.
3.1.5. Availability through increased data access
The connected worker's capacity, which is one of the most favourable circumstances of a mobile-enabled workforce, sadly increases the number of occurrences of the hazards. Representatives now venture to the planet's far corners with access to corporate information anywhere, even when they leave their information at work. Both the business information located on the telephone and corporate information will be compromised by a lost or stolen cell phone. In addition, security bugs present in individual applications such as online networking, websites, etc. can conceivably be connected through this new availability (Gessner, Girao, Karame & Li, 2013).
3.2. Dealing with the risk of mobile applications
In everyday life, applications embedded in the mobile device play a major role. Apps ranging from maps, games, and office productivity to social networking have improved the significance of smartphones. The risk of BYOD devices can be increased by the apps crafted through the innovation of app developers in an enterprise (Gajar, Ghosh & Rai, 2013).
Since organizations allow employees to bring their devices to obtain the data associated with their work, this can inevitably lead to the security breaches listed below.
- App Vulnerability:
The application created by the enterprise for accessing job-related information can open doors to more types of risk.
An application containing malicious security holes will tend to infect the whole device and other devices in the organization.
3.2.1. Malware Apps
Apps containing malicious code embedded within them affect the security of enterprise data. These types of apps copy the format of legitimate apps and modify the code by inserting malevolent data within it (Johnson, 2012). This code arrives either from an external interface like NFC or a file-sharing server, or from a malicious website.
Nowadays, malware is generally available as a free-to-use app in illicit app stores. These malicious apps run on the user's mobile device and steal the user's sensitive information. At the time of writing, mobile malware mostly exists on Android devices. According to Kaspersky, 98% of malware is detected on the Android platform (Leavitt, 2013). When employee devices contain malware apps, there is a chance of the organization's confidential information being exposed to third parties. So personal devices running the Android operating system should be protected against malware attacks.
3.2.2. App Vulnerability
App vulnerability comprises security concerns within customized software, and a vulnerable app helps hackers steal confidential information from the organization (Singh, 2012).
Mobile app vulnerability is similar to conventional web app and personal computer app vulnerability, and it impacts the local data stored on the mobile device (Krahel, Miklos & Vasarhelyi, 2014). Organization data, employee data, and even the entire organization will be affected by this vulnerability. If mobile devices are not administered by the organization's IT department, the risk caused by app vulnerability increases further. In order to defeat this risk, administration of all apps and partition of confidential data and tasks are suggested. Because they have less control over employee devices, and because of the ownership nature of the employees, organizations have to deal with a greater number of apps installed on employee devices. There is a chance of employees installing unauthorized apps to edit, hold, and transfer enterprise data.
Thus, in order to deal with security breaches and holes, proper monitoring and software updates need to be performed by the organization's IT department.
3.2.3. Methods for countering app risks
- An antivirus app and a legitimate operating system that defend against malware and other types of risk should be provided by the organization to its employees.
- To cover the identified skill gap, the security procedures should be ensured to cover all the control tools.
- Applications must be administered by means of a mobile app management product and an in-house application store.
- Services for enabling information sharing between BYOD devices must be introduced.
- The need for efficient office apps should be assessed continually in order to increase the productivity and profitability of the organization (Leavitt, 2013).
3.3. Administration of Mobile Environment
Enterprise effort increases on the BYOD platform in order to administer a precise catalogue of mobile devices and to update the operating systems. The conventional personal computer refresh cycle is around 6 years, whereas in the mobile space the device turnover is about 2 to 3 years (Li, Peng, Huang, & Zou, 2013). Enterprises struggle a great deal to maintain a precise inventory of mobile devices and software applications. Multiple upgrades of the operating system are required for the hardware, and these can be started by the users. Indirect security risk arises from unidentified devices that lack enterprise security procedures and patch administration.
3.3.1. BYOD registration and policy management risks
In BYOD environments, the hardware and software components of the mobile devices containing organizational data vary according to the employee access provided. This creates further overhead for applying security procedures to terminals and servers. The variation also makes the wiping process very difficult when mobile devices are resold or exchanged, or when mobile carriers are changed (Polla, Martinelli & Sgandurra, 2013).
The system updates required for mobile operating systems need a higher level of authentication and approval when compared to personal computer operating systems. Before an OS release is installed on Android devices, it is appraised at three distinct levels. Device manufacturers should ensure that the hardware does not interfere with the software update functionality.
3.3.2. Hidden Service Charges for BYOD
Support for BYOD devices can be managed by following the steps below:
- A suitable BYOD assistance and utilization procedure should be employed.
- Self-service can be expanded by refurbishing the support for adding assured provisioning of devices.
- Users are encouraged to upgrade their mobile gadgets by including patch training.
- The existing IT department can be boosted by including a collective support method.
- Employees can train on their own through the implementation of a knowledge base or wiki.
Deliberations for ensuring the security of mobile devices
The following steps can be followed to protect mobile devices from various security breaches.
- The foremost security practices are examined in order to counter each and every threat source and to investigate the use cases of the mobile devices.
- The utilization and accessibility of the devices should be scrutinized in order to enforce the safety procedures.
- Corporate general security procedures, such as a security password, failed-login lockout, encryption of the entire device, wiping, etc., must be enforced as a minimum.
- A security baseline is constructed, and the hardware and system software such as operating systems should be certified against this security outline.
- Access to legitimate and illegitimate sources should be differentiated.
- To maintain security in business-critical applications, strict authorization policies must be embedded.
- The organization must conduct awareness training for employees regarding the various types of mobile device risk.
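One way to put the minimum baseline above into practice is to evaluate each enrolled device against it before granting access. The block below is an added example (not code from the original report): it checks a constructed device inventory for the controls listed here (passcode, failed-login lockout, full-device encryption, wipe capability, certified OS version) together with the jailbreak and sensitive-app concerns from section 3.1. The platform version floors, lockout limit, app names and record layout are assumptions.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Assumed baseline values; constructed for illustration, not any vendor's policy.
MIN_OS_VERSION = {"android": (10, 0), "ios": (14, 0)}  # certified OS floor per platform
MAX_FAILED_LOGINS = 10            # lockout must trigger at or before this many attempts
SENSITIVE_APPS = {"board-finance"}  # apps too sensitive for a device that only partly complies


@dataclass(frozen=True)
class Device:
    """One inventory record as an MDM export might provide it (constructed layout)."""
    device_id: str
    platform: str
    os_version: Tuple[int, int]
    passcode_set: bool
    failed_login_lockout: Optional[int]   # attempts before lockout; None = not configured
    encrypted: bool                       # full-device encryption enabled
    wipe_enrolled: bool                   # remote wipe available to the organization
    jailbroken: bool                      # jailbroken / rooted OS detected
    apps: Tuple[str, ...] = ()


def check_device(dev: Device) -> dict:
    """Return the access decision and the baseline findings for one device.

    deny     : a hard control is missing (no passcode, no encryption, jailbroken,
               OS below the certified floor, or an uncertified platform).
    restrict : only soft controls fail (lockout threshold, wipe enrolment); the
               device may keep email/calendar but not sensitive-tier apps.
    allow    : every baseline control is present.
    """
    hard, soft = [], []
    if not dev.passcode_set:
        hard.append("no device passcode")
    if not dev.encrypted:
        hard.append("full-device encryption disabled")
    if dev.jailbroken:
        hard.append("jailbroken/rooted OS")
    floor = MIN_OS_VERSION.get(dev.platform)
    if floor is None:
        hard.append(f"uncertified platform: {dev.platform}")
    elif dev.os_version < floor:
        hard.append(f"OS {dev.os_version} below certified floor {floor}")
    if dev.failed_login_lockout is None or dev.failed_login_lockout > MAX_FAILED_LOGINS:
        soft.append("failed-login lockout not configured within limit")
    if not dev.wipe_enrolled:
        soft.append("remote wipe not enrolled")

    decision = "deny" if hard else ("restrict" if soft else "allow")
    # Anything short of full compliance keeps the device away from the sensitive tier.
    blocked = sorted(SENSITIVE_APPS.intersection(dev.apps)) if decision != "allow" else []
    return {"device_id": dev.device_id, "decision": decision,
            "findings": hard + soft, "blocked_apps": blocked}


def inventory_summary(devices) -> dict:
    """Count decisions across the inventory: the portfolio view an auditor asks for."""
    counts = {"allow": 0, "restrict": 0, "deny": 0}
    for dev in devices:
        counts[check_device(dev)["decision"]] += 1
    return counts


# Constructed sample inventory (not real devices).
SAMPLE_INVENTORY = [
    Device("d1", "ios", (16, 4), True, 10, True, True, False, ("mail", "calendar")),
    Device("d2", "android", (9, 0), True, 10, True, True, False, ("mail",)),
    Device("d3", "android", (13, 0), True, None, True, False, False, ("mail", "board-finance")),
    Device("d4", "ios", (17, 0), True, 10, True, True, True, ("mail",)),
]

if __name__ == "__main__":
    for dev in SAMPLE_INVENTORY:
        print(check_device(dev))
    print(inventory_summary(SAMPLE_INVENTORY))
```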
Governance and Compliance Concerns
Although mobile device utilization is maturing, the support organizations receive in achieving their goals remains inconsistent. Further issues are also confronted in BYOD implementation.
In future BYOD implementations, confidentiality legislation will increase. Well-organized and clear confidentiality procedures are included when designing the BYOD safety mechanisms. To prevent these issues, many organizations are solving the security issues through a BYOD strategy.
Data safety does not pertain only to enterprise data in a BYOD implementation. The information gathered from employees, such as the employee's gadget, intention, safety, termination, etc., is depicted clearly in the organization's security policy. An assessment of all the encountered risks is also conducted by the organization on the basis of its defined policy.
If employee information is accessed by a third party for a cloud email implementation, the information must be secured by a clearly described agreement. Since information transparency is followed in BYOD deployment, the data protection process must be verified for compliance.
Many laws, wiping, and monitoring requirements are defined by organizations where the BYOD platform is deployed. The defined privacy laws do not allow the organization to view the personal details of employees. This imposes a limitation on monitoring and administering the data distributed through mobile devices for ensuring safety.
To avoid this type of control pitfall, software should be chosen that examines content exclusively for work-centred tasks.
Breach Investigation and Notice
If any incident occurs, the organization should possess the right to examine the employee's devices in order to contain the breach. If such rights are not granted in the BYOD security policy, organizations will face many legal issues and delays while examining data on employees' personal devices. Some exceptions to providing notifications are offered, since the new legislative trend is designed to tackle data breaches if certain data protection conditions are met by the organization.
By maintaining an active portfolio of device catalogues, safety controls, and data stored on the devices, the organization can be prepared for this type of legislation (Ballagas, Rohs, Sheridan & Borchers, 2013).
Data Ownership and Recovery
The safety policy settings are mainly governed by the term "Ownership". This results in the implementation of different sets of security policies and procedures for personal and organizational devices. If the device is lost or damaged, the data can be recovered easily, since the role of the official laptop has shifted to personal devices.
A clear security policy asserting the data owner and the party (corporate or private) holding the task of administering data backups is defined in order to mitigate the unstructured liability for data backup in the BYOD environment.
Managing the Regulatory Risk
Regulatory risks can be handled in several ways, as given below:
- In order to understand the data security and privacy laws in different geographical regions, the organization should interact with the respective professionals, such as the Human Resource (HR) manager of the organization where the BYOD devices are to be deployed.
- The common BYOD policy can be tiered according to geographical region.
- Companies must make sure that the security policy addresses the riskier portions.
- Firms should also ensure that the IT manager has the correct set of procedures in order to support the security policy.
- The security policies and agreements must be reviewed constantly by the organization.
- Personal data and business-related data must be properly segregated on employees' personal devices.
- The policy framework must be crafted in such a way that its approval process is quick and responsive.
Below are the steps suggested for increasing the confidence level among employees and for assuring the company's stakeholders that data security cannot be damaged by the use of employee gadgets in the workplace.
- The BYOD approach must be created according to the mobile device use case and business goal.
- Stakeholders can be involved earlier through the formation of a mobility unit.
- An operations and support model can be created.
- The risks can be analyzed in a proper manner.
- A flexible and reliable BYOD policy can be created.
- The various devices and applications should be secured.
- The safety level of the BYOD deployment must be checked and verified regularly.
- The main factors for enhancing organizational productivity in the BYOD environment should be learned.
By incorporating scalable and adaptable BYOD strategies and security policies, and by influencing the organization's risk-averse processes, organizations will be able to tackle all the risks and challenges posed to their security framework by the employment of a BYOD environment.
The introduction of suitable security policies and constant threat detection helps enterprises become more efficient and makes their employees conscious of the risks confronted through the use of employees' personal devices.
AirWatch. (2012). Enabling bring your own devices (BYOD) in the enterprise. Retrieved from https://www.ciosummits.com/media/solution_spotlight/byod-whitepaper.pdf
Ballagas, R., Rohs, M., Sheridan, J. G., & Borchers, J. (2013). BYOD: Bring your auditing device. Retrieved from https://www.vs.inf.ethz.ch/publ/papers/rohs-byod-2004.pdf
Brad, S., Trinkle, R., Crossler, E., & Warkentin, M. (2014). I’m Game, are You? Reducing Real-World Security Threats by Managing Employee Activity in Online Social Networks. Journal of Information Systems, 28(2), 307-327.
Cisco. (2012). BYOD: A global perspective (Survey report). Retrieved from https://www.cisco.com/web/about/ac79/docs/re/BYOD_Horizons-Global.pdf
Cook, T. (2013). Mobile innovation applications for the BYOD enterprise user. IBM Journal of Research and Development, 5(6), 10-18.
Drew, J. (2012). Managing cybersecurity risks. Journal of Accountancy, 30-50.
Edwards, C. (2013). Identity: The new security perimeter. Computer Fraud & Security, 18-19.
Forrester, E. (2012). Key strategies to capture and measure the value of consumerization of IT. Retrieved from https://www.trendmicro.com/cloud-content/us/pdfs/business/white-papers/wp_forrester_measure-value-of-consumerization.pdf
Gajar, P. K., Ghosh, A., & Rai, S. (2013). Bring your own device (BYOD): Security risks and mitigating strategies. Journal of Global Research in Computer Science, 4(2), 62-70.
Gessner, D., Girao, J., Karame, G., & Li, W. (2013). Towards a user-friendly security-enhancing BYOD solution. NEC Technical Journal, 7(3), 113-116.
Grover, J. (2013). Android forensics: Automated data collection and reporting from a mobile device. Retrieved from https://scholarworks.rit.edu/cgi/viewcontent.cgi?article=5389&context=theses
Johnson, K. (2012, March). BYOD security survey (A SANS white paper). Retrieved from https://www.sans.org/reading-room/analysts-program/mobility-sec-survey
Krahel, P., Miklos, A., & Vasarhelyi, S. (2014). AIS as a Facilitator of Accounting Change: Technology, Practice, and Education. Journal of Information Systems, 28(5), 1-15.
Leavitt, N. (2013). Today’s mobile security requires a new approach. IEEE Computer Society, 46(4), 16-19.
Li, F., Peng, W., Huang, C., & Zou, X. (2013). Smartphone strategic sampling in defending enterprise network security. IEEE International Conference on Communications, 20(3), 57-84.
Polla, M. L., Martinelli, F., & Sgandurra, A. (2013). A survey on security for mobile devices. IEEE Communications Surveys & Tutorials, 15, 446-470.
Ripley, C. (2013). Take advantage of BYOD without sacrificing security. Retrieved from https://www.pcworld.com/article/2038163/take-Advantage-ofbyod-without-sacrificing-security.html
Robert, E., Crossler, J., Long, H., Tina, M., Loraas, B., & Trinkle, S. (2017). The Impact of Moral Intensity and Ethical Tone Consistency on Policy Compliance. Journal of Information Systems, 31(2), 49-64.
Singh, N. (2012). BYOD genie is out of the bottle: "Devil or angel". Journal of Business Management & Social Sciences Research, 1, 1-12.