“As long as a smartphone is allowed into an organization, there is no way of controlling how an employee uses the technology.” – Dr. Matthew Warren
Smarter MSP recently looked at some of the security concerns inherent in BYOD (Bring Your Own Device). Now, as schools and universities start their new year, legions of staff, administrators, and students are flooding campuses with their own devices. Teaching hospitals are also fully staffed. All of this means thousands of devices are coming into workplaces and onto campuses, straining networks and introducing a completely different element of risk that demands continued vigilance from MSPs.
Beyond the tech tools available, one of the most potent defenses against malware in a BYOD workforce is low-tech education. An MSP has to take an active role in educating staff about the dangers of mobile malware and best practices for brought-in devices in the workplace. At the same time, there are benefits to having a workforce equipped with their own devices, and those benefits have to be balanced against the security concerns.
Smarter MSP caught up with Dr. Matthew Warren, deputy director of the Deakin University Centre for Cyber Security Research and Innovation in Victoria, Australia, about the dangers inherent in BYOD and what MSPs can do to combat some of them. Warren has studied the issue of BYOD and is a frequent speaker on cyber security issues throughout the Asia-Pacific region. Below is a transcript of our Q&A:
Smarter MSP: Are there benefits to having employees bringing in their own devices?
Dr. Warren: A key driver for organizations is actually to save costs. If staff bring their own devices, then the employer does not need to provide the devices.
Smarter MSP: How does an MSP avoid the inadvertent transfer of malware from a personal brought-in device into the more extensive work network?
Dr. Warren: The organization needs to have a formal BYOD policy which identifies the security controls that should be placed around malware protection to try and stop employees accidentally bringing in malware. Some organizations set up general corporate wireless networks for BYOD devices along with extra layers of security such as a VPN to access corporate systems. The use of mobile devices and tablets puts organizations at risk of mobile malware and the harvesting of corporate data via infected mobile devices.
Smarter MSP: Besides the issue of imported malware entering the system, are there other dangers to BYOD?
Dr. Warren: A big problem that organizations face is knowledge leakage. For instance, users can download corporate data onto their device and leave the organization with that corporate knowledge, or even download data to their mobile device, switch to a 4G/3G connection, and email the corporate data out of the organization with limited tracking.
Smarter MSP: Is there anything an MSP or an organization can do to combat such leakage?
Dr. Warren: As long as a smartphone is allowed into an organization, there is no way of controlling how an employee uses the technology. The problem is that organizations use smartphones, etc., as a critical part of having a mobile workforce. If an employer wants to deal with the issue, a common strategy is to physically ban or restrict the use of mobile devices to certain areas. These approaches are not popular with staff.
A story made the news recently in the USA about a student from Penn State bringing in his crypto mining hardware to take advantage of the university’s almost unlimited power supply. While these cases are rare, for the moment, they are ones MSPs and employers should keep an eye out for.
Smarter MSP: So, what about the issue of employees bringing in their own devices for cryptomining?
Dr. Warren: In Australia, we have had issues of employees using corporate networks for data mining, but the cases that have occurred are related to employees using organizations' supercomputers to cryptomine. From my perspective that would be a more significant issue than people bringing in their own devices.
Still, if you hear reports that a client’s electric bill is spiking, you might want to take a closer look.