You're going to love your new iPhone X. And the best part? Totally free. (Maybe.)

Remember BYOD (bring your own device)? When the BYOD craze started, company officials had no clue about network security, much less the best practices that would be necessary to reduce the risks introduced by employees using their personal computers, smartphones and tablets for company business.

Today, you don't hear people say BYOD as much. That's not because the practice has been abolished, but rather because it has become ubiquitous.

Employees now use mobile devices the way they hit the free snacks in the kitchen (i.e., without giving it a moment's thought). The practice represents a huge security risk, one that's rapidly escalating. Increasingly, organizations address this by issuing company smartphones provisioned with locked-down security, on both the Android and Apple platforms; others require employees to install usage monitoring and malware detection apps on personal devices used for work.

They do this because BYOD often becomes BYOB (bring your own bomb) when it comes to cybersecurity.

Here are a few things to think about when considering cybersecurity and BYOD in the workplace:

Primary work tool. Concerns about BYOD first became a matter for public discussion in 2010 when workers began bringing their personal smartphones to work, and used them to become more efficient at their jobs. Mobile devices have since become the primary computing device for workers at businesses of all sizes. There are far more smartphones sold than Windows and Mac devices. And U.S. consumers now spend over 5 hours per day on Apple iOS and Android-based smartphones, tapping into emails, contacts, calendars, documents, photos and credentials.    

Rising attacks. Cyber criminals go where the action is. Vulnerability discoveries--and actual attacks--on both Apple iOS and Google's Android operating systems are through the roof. Since 2016, Mitre, the organization that tallies common vulnerabilities and exposures, or CVEs, has identified more than 600 security flaws for Android and around 300 for iOS. And through the first half of 2017, there were more CVEs registered for Android and iOS than were logged for the entirety of 2016.

Hackers are continually crafting new types of attacks, or exploits, for these flaws, and these exploits are widely available, often for free on the dark web. "There are many, many known vulnerabilities being exploited and there are plenty of Androids out there, and some iOS devices that are vulnerable to these attacks," says John Michelesen, chief technology officer at mobile security company Zimperium.

Blackberry déjà vu

Companies initially responded by implementing Mobile Device Management systems; MDM enabled administrators to oversee mobile devices much like desktop PCs. More recently, companies have returned to provisioning company-owned devices. "Essentially, they'll buy a device and give it to the employee," says Gregg Smith, CEO of mobile security systems vendor Silent Circle. "That ensures that any enterprise applications that the employee uses are locked down to a certain extent."

We're talking about something akin to the locked-down Blackberries that federal authorities used to issue key officials, including President Obama. The difference this time around is that companies typically allow employees to pick between a company-issued Android phone or iPhone, within certain parameters.

Google vs. Apple

One common practice is for a company to make only certain models available. Samsung's Galaxy models, using Knox security technology, are a popular choice, for instance. "Knox does a decent job of creating security on the Samsung devices," Smith says, adding that the Korean electronics giant has done a "decent job" emulating the iPhone's approach to security.

Android's popularity and open platform approach have made it a natural target for cyber criminals. "There are so many flavors of Android out there with so many device manufacturers that it creates a much larger threat surface than what you see with the iPhone," Smith said. He was quick to add the iPhone isn't immune to hacking, and has in fact been compromised numerous times.

Problematic patching

Android and iOS possess as many vulnerabilities as Windows and Mac operating systems, making regular security updates imperative. The two platforms are not alike when it comes to providing patches for known issues, although both suffer from the universal issue of users not downloading and installing those patches.

There are cybersecurity advocates who insist Google and Apple, or the handset manufacturers and ISPs, should be responsible for making sure devices have the most recent patches. Even if this could be forced via automatic updates, staying current on security patches on older phones is not a simple thing. And if you're not clear on this, you need to know that unpatched devices are ripe targets.

It is, without a doubt, an uphill slog for an enterprise to make sure everyone is up to date, which is why companies are increasingly willing to absorb the expense of issuing company-controlled devices to workers.

Modified behavior

Heading into 2018, companies can be expected to accelerate the adoption of new mobile technologies, to monitor usage and mitigate attacks. We will see more employee-owned and company-provisioned Androids and iPhones. Tech vendors like Silent Circle, Zimperium and several others are adding machine learning to mobile security systems and figuring out smarter ways to integrate such systems into network security platforms.

As for employees, get ready to modify your behavior, if you haven't already done so. The smartphone you use for work will increasingly be a little harder to unlock, and you won't be able to load new apps at will. This is a good thing - a necessary progression to make our mobile devices as safe as they need to be.

Published on: Nov 2, 2017