In its peak days, BYOD (Bring Your Own Device) proved to be a dream come true strategy for organisations as it bore fruitful outcomes in terms of feasibility and cost but with time, its detrimental aspects started surfacing. It was only when the stories regarding data leakages, business entities losing grip on their own data architecture, and unauthorised access to sensitive information made up to the headlines that organisations started formulating strategies to deal with the vulnerabilities found in the devices, such as smartphones, tablets, personal computers, and flash drives.
Shedding light on how to tackle the risks involved in BYOD, Don Tan, Senior Director for the APAC region at Lookout, highlighted very crucial tactics that organisations must adopt to fight cybercriminals. Unmanaged or insecure devices will not only leave the sensitive data to the mercy of cybercriminals via malware but also risk the organisation’s visibility over its data structure, wreaking havoc on the organisation from multiple corners. The usage of uncertified apps (Shadow IT), on the other hand, installed on the devices may penetrate the corporate data without the permission of IT teams.
Tan highly emphasised the awareness initiatives within organisations on mobile security to ensure the safety of their sensitive data. Do employees understand the risks incorporated in BYOD? Do they know what qualifies as sensitive data and what strategies the cybercriminals could use to get their hands on confidential information? Are they aware that the price attached to such ignorance can often be unbearable? According to Tan, these are the fundamental aspects of data management and integrity on the employees’ part and can only be ensured through robust education and training programs to keep the employees updated regarding modern digital security challenges. However, awareness initiatives alone may not be enough, as Tan believes that employees are bound to make mistakes at one stage or another despite intense training. Hence, modernising data security practices by limiting access to personal devices and monitoring user behaviour is vital.
When asked about the measures organisations may adopt to avoid data breaches resulting from BYOD, the Lookout APAC Senior Director responded that establishing a robust on-premises data security mechanism and establishing a unified policy is critical. In other words, an integrated and scalable cloud-delivered security model will fortify the security of data from accessed devices, while a uniform mechanism will minimise internal and external complexities involved in data management. Furthermore, the zero-trust security model in the cloud will assure that only the validated and authorised individuals access the data architecture.
Moving further, about countering Shadow IT, Tan stated that neither Virtual Private Networks (VPN) nor end-to-end encryption guarantee data protection, as both carry certain and subtle vulnerabilities. He reiterated that the zero-trust mechanism can be an ideal strategy for preventing needless entries and making sure that only genuine users could leverage the data. Since there has been a considerable shift towards remote working, where usage of personal devices for work purposes is profoundly widespread, it is immensely difficult, if not impossible, for IT teams to have a check and balance approach to ensure data security and determine how the employees are using their personal devices. Although personal devices, especially mobile phones, possess some vulnerabilities, it is impossible to imagine the corporate sector without them as they are convenient, cost-effective, and employee-friendly. On a positive note, Tan encouraged using BYOD but only in the presence of robust and highly advanced security mechanisms and strategies in place.
As far as the security of smartphones is concerned, Tan pointed out that cybercriminals have devised various means to get their hands on confidential data. In addition to the emails, phishing links can now be sent through messages and social media platforms installed on mobile phones, making modern endpoint protection the immediate need of time.
