According to some research, more than 70% of organizations permit use of personally owned devices for business purposes. For most companies, BYOD policies came about when early adopters started bringing iPhones, iPads and Android devices to work and seeking access to the corporate network.
Gartner estimated that, by 2017, half of employers will require employees to use their own devices for work. So it seems enterprises have a lot of work to do in the next few years when it comes to practicing safe BYOD. Making every personal device secure can be a daunting task, but, as mobile trends keep gaining momentum, it will become imperative for companies to adapt to them.
One area of BYOD security that’s often lacking is awareness, education and training for end users. Fewer than 1 in 10 mobile device users know that there are malware apps that don’t attack the infected device, but lie in wait to attack other computers or networks the device subsequently connects to. Even fewer, about 1 in 10,000, realize that many mobile apps are designed with risky behaviors as a core part of the app.
According to Network World, at least 80% of mobile apps have security and privacy holes designed into the app. For instance, there’s often a mismatch between the permissions the app requests and the permissions the app actually uses, leaving a built-in security hole that hackers can exploit to steal unencrypted data.
Risky behaviors inherent in mobile apps include:
- Accessing the user contacts on a smartphone (including the contact information that may come from corporate email that syncs to the phone)
- Accessing the user's calendar information
- Collecting or determining the user's location and tracking his movements
- Passing along any or all of this information to ad networks or analytics companies
According to Network World, 96% of iOS apps and 84% of Android apps can access at least one of these data risk categories.
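An added example, not part of the original article: a short Python check that maps the permissions an Android app requests onto the data-risk categories listed above. It assumes a decoded (text) AndroidManifest.xml; the sample manifest and package name are constructed, and the check covers only what an app requests, not what it actually uses.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Android permissions grouped by the data-risk categories in the list above.
RISK_CATEGORIES = {
    "contacts": {"android.permission.READ_CONTACTS"},
    "calendar": {"android.permission.READ_CALENDAR"},
    "location": {
        "android.permission.ACCESS_FINE_LOCATION",
        "android.permission.ACCESS_COARSE_LOCATION",
        "android.permission.ACCESS_BACKGROUND_LOCATION",
    },
}
# Network access is what lets collected data leave the device.
NETWORK = "android.permission.INTERNET"

# Constructed sample manifest (decoded text form), not taken from a real app.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.flashlight">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.CAMERA"/>
</manifest>"""


def audit_manifest(manifest_xml):
    """Report which risk categories an app requests access to."""
    root = ET.fromstring(manifest_xml.strip())
    requested = set()
    # uses-permission-sdk-23 is the variant that applies only on API 23+.
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for node in root.iter(tag):
            name = node.get(ANDROID_NS + "name")
            if name:
                requested.add(name)
    hits = {cat: sorted(perms & requested)
            for cat, perms in RISK_CATEGORIES.items() if perms & requested}
    return {
        "package": root.get("package"),
        "categories": hits,
        # Sensitive data plus network access: data can be passed to third parties.
        "can_send_off_device": bool(hits) and NETWORK in requested,
    }


if __name__ == "__main__":
    print(audit_manifest(SAMPLE_MANIFEST))
```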
The Hidden Risk: Shortcuts to Get a Job Done
But it isn’t just the risky behaviors built into mobile apps that put data at risk. As with any other form of IT security, it’s ordinary human behavior that is the most significant risk. Ask any employee found violating a company security policy why he or she ignored the rules, and there’s a high likelihood that the answer will be, “I was just trying to do my job.”
Security experts have long known that if employees can’t access the data they need, or perform the task they need to perform, quickly and easily within approved channels, they’ll do whatever it takes – in their mind, at that moment – to get the data and perform the task that they perceive as being important. Mobile printing is a good example: it is extremely important in performing a range of jobs, yet it often falls through the cracks of BYOD and mobile security policies.
Jared Hansen, CEO and co-founder of secure mobile print solutions provider Breezy, says that there are three reasons that mobile print security has been the hidden risk factor for many companies. First, the complexity of integrating a smartphone or tablet with legacy systems such as printers has made this space hard for IT people to navigate.
Second, and perhaps more importantly, “Silicon Valley pundits have been predicting the paperless office for almost two decades, yet the cost of printing business documents remains the second highest administrative expense (after wages) for many companies,” Hansen points out.
He says that it was clear very early in the tablet and smartphone revolution that end users wanted to be able to print from their mobile devices, so some manufacturers now ship the devices with a print button built in, allowing the device to send a print job wirelessly to a nearby printer.
“What’s been forgotten,” Hansen says, “is that the security focus needs to shift from the device to the apps that access data – managing it, transmitting it, and sometimes repackaging it before sharing it.
“Software companies make money by selling a license to use the software, plus annual renewals or upgrades, and perhaps some services or a support contract. They invest heavily in quality control of their products. If they didn’t, they’d be out of business,” Hansen says.
It’s different in the world of mobile apps, he points out. “In the world of mobile apps, there are hundreds of thousands of developers. They put together code quickly to rush the app to market, and they deliver their product free or at very low cost. So there’s a strong incentive for mobile app developers to reuse and repurpose code, and to collect as much data as possible that can be shared with ad networks and third parties. And that’s a problem for enterprises that need to protect sensitive data.
“Small development shops or start-ups in search of revenue don't necessarily wait for permission to collect data. Even when I deny an app permission to access my location information, the app can figure it out using geo-IP tracking, cell phone triangulation or Wi-Fi network recognition. Sometimes the user agreement that users accept (and hardly ever read) when downloading an app grants permission to collect and share data beyond that particular app. People don’t realize that the app may have code from ad networks or analytic frameworks built in – and that permission given to one app may be grandfathered to those third parties we
“If I sync my work email with my smartphone, my work contact list can be sent outside the company without anyone knowing,” Hansen adds. Another risky behavior associated with mobile devices is the so-called background permission. A lot of mobile apps say they are going to work in the background.
“What that really means is that they are on all the time, and therefore collect data all the time – even when the user isn’t using the app,” Hansen says. “This is why on-device encryption is an increasingly important part of any secure mobile print solution,” he adds. Every document printed with Breezy is encrypted on the mobile device using public key encryption before it is submitted for printing, regardless of what app is being used to access the data.