Recognizing risky BYOD behavior

Jul 10, 2014


BYOD, IT, security



There is no question that cloud computing has made Bring Your Own Device (BYOD) possible for many companies. The ability to access files via the cloud allows employees more flexibility and improved collaboration, while BYOD improves the bottom line of technology budgets. However, there are a lot of employees who use personal cloud formats to store enterprise files, and employees who aren’t using good security practices when using cloud computing.

“The worst behavior we see is the mentality of ‘I want access to everything from anything,’” says Geoff Webb, senior director, solution strategy at NetIQ. “This opens up the business to employees accessing highly sensitive or even regulated data from a device which may be shared with family members, which could be lost or stolen, and over which the business has little control or visibility. It’s a very dangerous mix.”

According to a survey conducted by Frost & Sullivan Stratecast on behalf of McAfee, 80 percent of employees are using unauthorized and unapproved Software-as-a-Service (SaaS) applications. “Almost a quarter (24 percent) of all users stated that this unapproved software meets their needs better than the IT-approved equivalent. The result is that more than one-third (35 percent) of the SaaS applications used in organizations are both unapproved and unsupervised,” David Bull writes in Virtualization Review.

Using personal devices for business use makes the use of shadow IT and other risky behaviors easy to hide. There are a couple of reasons for this. First, BYOD policies are still lacking in many companies, and even when strong policies are in place, they aren’t always strictly enforced. Secondly, many of the unapproved applications are free to download, which means employees aren’t asking for reimbursement, so there is no paper trail leading back to the application’s use. Finally, when using their personal device, they tend to use applications they are most comfortable with and that make their job duties more efficient. It may not dawn on them that they are creating a security risk when they are putting a couple of work files into their personal cloud. And perhaps that last reason is the riskiest of all.

“The problems with using a personal cloud to store company documents are two-fold,” says Webb. “There’s the exposure the company receives as a result of publishing documents to a third-party, such as compliance violations if the data is private, and the risk that sensitive information may get breached if the cloud provider is attacked or has a security failure. The second problem is actually even more pernicious: removing access once the employee leaves or no longer needs that document. Once a company allows employees to store copies of documents in personal cloud stores, they cede all control over access to that data. If the employee leaves, it’s pretty much impossible to track down where the documents are and who has them.”

The ideal situation is to create total separation between personal and enterprise devices. “The personal device will be able to connect with any cloud provider; however it will not store any corporate information. The enterprise device will store corporate data but will be able to access only approved sources such as the enterprise cloud,” says Israel Lifshitz, CEO of Nubo.

But that isn’t realistic in today’s workplace, where the lines between business and personal have blurred. Instead, understanding that not all information is of identical importance or sensitivity and that not all business has to be protected equally is the key to avoiding risky behavior on BYOD. Access controls can help keep sensitive data be retrieved only by authorized personnel and lessen the ability to move it to personal clouds and devices. Another way to reduce risky BYOD behavior is to open communication between employees and IT. As the McAfee study found, employees use unapproved applications to improve their work efficiency. Learning about these apps might actually benefit IT in the long run by helping IT staff identify better – and perhaps cheaper – SaaS solutions for the enterprise. This, in turn, will allow employees to use the applications that allow them to be more productive while allowing IT to ensure the security of company data.

For tips on creating a sensible BYOD policy, check out James Gardner’s post on BYOD.

Post by Sue Poremba

Sue Poremba is a security and technology writer based in central Pennsylvania.