Risks Associated with BYOD

A "bring your own device" (BYOD) policy is one in which an organization allows employees to use their own devices on the company network. While this can save the organization money and allow for more employee freedom, it carries security risks. This article explains the principles of BYOD, some benefits of BYOD for an organization, and the many ways in which BYOD can increase the risk to a company's data and information systems.

Literature review and findings

Bring Your Own Device information technology strategic and operational risks and concerns

These key risk areas can be subdivided further. Table 1 lists the risks and concerns related to BYOD that were identified during the systematic literature review, together with the sources in which each risk was identified. The list of references is not exhaustive.

TABLE 1: Detailed Bring Your Own Device risks and concerns.

| Number | Summarised risk/concern | Description of risk/concern | Source |
|---|---|---|---|
| 1. Malware | | | |
| 1.1 | Deployment of malware into an organisation's system. | There is a risk that employees may purposefully or negligently deploy malware into the organisation's computer system, which may result in unauthorised access to sensitive information. | Ogie 2016; Ponemon Institute LLC 2012 |
| 1.2 | Malicious software targets smartphones and tablets. | There is a risk that new malicious software will target smartphones and tablets. | Drew 2012; IBM 2011; Kaspersky 2012; Ponemon Institute LLC 2012 |
| 1.3 | Hackers' ability to control computer systems. | There is a risk that hackers will use malware to steal the passwords of mobile device users and take control of the organisation's computer systems (including smartphones and tablets). | Staut 2012 |
| 1.4 | Data stolen or damaged. | There is a risk that data on the user's mobile device may be stolen or damaged by malware. | CISCO 2013 |
| 1.5 | Device disabled. | There is a risk that malware may disable users' mobile devices, resulting in the inability to perform tasks. | CISCO 2013 |
| 1.6 | Use of unapproved applications. | There is a risk that users of mobile devices may be using unapproved applications on their devices, which may expose the organisation to malware attacks. | CISCO 2012 |
| 2. Data leakage | | | |
| 2.1 | Data leakage is a significant problem. | There is a risk that data leakage problems may occur at the organisation. | Ogie 2016; Willis 2013 |
| 2.2 | Employees sync mobile device with infected home computer. | There is a risk that employees will sync the mobile devices they use to access the organisation's network with their home computers, which may be infected with malware. | Kaspersky 2012 |
| 2.3 | Unpatched vulnerabilities on home computer grant cybercriminals access to sensitive data. | There is a risk that unpatched vulnerabilities on an employee's home computer will grant cybercriminals access to the sensitive mobile data that have been backed up, stored or synced onto that computer. | Kaspersky 2012 |
| 2.4 | Loss of control over data stored in the Cloud. | There is a risk that data shared and stored via the Cloud may result in the organisation having a shadow infrastructure over which it has little to no control of the data. | Anderson 2014; IBM 2011 |
| 2.5 | Unauthorised access to sensitive | There is a risk that data stored in the Cloud may be accessed by unauthorised individuals. | Anderson 2014; IBM 2011 |
| 2.6 | Potential financial loss as a result of data breach. | There is a risk that a data breach could be financially costly for the organisation. | IBM 2012; Koczerginski 2015 |
| 3. Loss and theft | | | |
| 3.1 | Lost mobile devices create a security threat. | There is a risk that mobile devices which have been lost may contain confidential corporate information, and this will create a serious security threat to the organisation. | Kaspersky 2012 |
| 3.2 | Criminals may gain access to confidential information. | There is a risk that criminals may access confidential information relating to the organisation from a stolen smartphone or tablet. | Staut 2012 |
| 3.3 | Information may not be password protected. | There is a risk that information on an employee's smartphone or tablet which has been lost or stolen may not be password protected, which may result in unauthorised access to confidential information. | Ponemon Institute LLC 2012; Staut 2012 |
| 3.4 | Data may not be encrypted. | There is a risk that confidential corporate data transmitted to and from employees' mobile devices may not be encrypted and may therefore be accessed by unauthorised individuals. | Staut 2012 |
| 3.5 | Mobile devices are easily stolen as a result of size. | There is a risk that mobile devices may be easily stolen because these devices are generally small in size. | Markelj and Bernik 2012; Ogie 2016 |
| 3.6 | Data on mobile device which has been lost or stolen may be compromised. | There is a risk that all of the data stored on a mobile device which has been lost or stolen may be accessed by unauthorised individuals if access to the device or the data is not effectively controlled. | Evangelista 2014 |
| 3.7 | Lost or stolen mobile devices may have personally identifying and confidential client information on | There is a risk that a lost or stolen mobile device may contain personally identifying or confidential client information. | Drew 2012; Koczerginski 2015 |
| 3.8 | Organisation cannot remotely wipe lost mobile device. | There is a risk that the organisation does not have the ability to remotely wipe a device if a smartphone is lost or stolen. | Rose 2012 |
| 3.9 | Employees do not know what to do when their device is lost or stolen. | There is a risk that, because employees do not know what to do if their device is lost or stolen, unauthorised individuals may gain access to sensitive corporate information. | Rose 2012 |
| 4. Connection | | | |
| 4.1 | Bluetooth device may be discoverable. | There is a risk that Bluetooth on a mobile device on which sensitive corporate data are stored is set to discoverable mode, which may grant unauthorised individuals access to the | CISCO 2013 |
| 4.2 | Unauthorised data downloads. | There is a risk that an unauthorised individual may connect to the mobile device and download the private data from it. | CISCO 2013 |
| 4.3 | Non-authenticated devices connecting to network. | There is a risk that non-authenticated devices may gain access to the organisation's network by connecting through an authenticated device. | Anderson 2014 |
| 4.4 | Bluetooth and Wi-Fi technology are easily infected. | There is a risk that Bluetooth and Wi-Fi technology can be easily infected with malware, which may result in the organisation's network also being infected. | IBM 2011 |
| 4.5 | Data transmitted may be compromised. | There is a risk that the data transmitted via Bluetooth or Wi-Fi technology are compromised. | IBM 2011 |
| 5. Web-based applications | | | |
| 5.1 | Applications downloaded may steal or damage data. | There is a risk that downloaded applications may contain malware which may steal or damage company data stored on the mobile device. | IBM 2011, 2012 |
| 5.2 | Unapproved applications may be stored on mobile devices. | There is a risk that unapproved applications on employee mobile devices may contain malware. | CISCO 2012 |
| 5.3 | Unapproved applications may not be easily detectable. | There is a risk that unapproved applications may not be easily detectable and thus may result in malware entering the organisation's system undetected. | CISCO 2012 |
| 5.4 | Employees unaware of risky applications. | There is a risk that employees are unaware of which popular applications are security risks, which may result in an employee downloading a malicious application that infects the organisation's system. | Rose 2012 |
| 6.1 | Organisation may not be complying with laws and regulations. | There is a risk that corporate data stored on employees' mobile devices may be compromised, which could result in the organisation not complying with the laws and regulations affecting the industry in which it operates. | McQuire 2012; Ogie 2016 |
| 6.2 | Organisation may be unaware of specific geographical laws and regulations. | Certain geographical regions have unique laws and regulations, such as the data protection laws in Europe, which state that data must reside in Europe. The risk is that an employee may download sensitive corporate data onto their mobile device and leave Europe with the sensitive data on the device, resulting in the organisation not complying with the relevant laws and regulations. | McQuire 2012 |
| 6.3 | Communication laws may be violated. | There is a risk that organisations may not comply with communication laws. This would arise where employees are not permitted to transfer corporate data to their personal devices. | Vodafone 2012 |
| 6.4 | Organisations may not be able to ensure compliance on employee-owned devices. | There is a risk that the organisation may not be able to ensure regulatory compliance in instances where the organisation does not own the mobile device. | Vodafone 2012 |
| 6.5 | Personal use software may be used for business purposes. | There is a risk that an employee may be using software on a mobile device designated under a personal use licence for business purposes, resulting in the organisation contravening the terms of use of the software. | O'Brien 2013 |
| 6.6 | Potential additional costs to be incurred by organisation. | There is a risk that the organisation may be liable for additional costs where employees have breached software licence agreements. | O'Brien 2013 |
| 7. IT support | | | |
| 7.1 | IT may not be able to manage all mobile devices. | There is a risk that IT may not be able to manage the wide range of mobile devices which the employees of the organisation use to access sensitive corporate data. | Rose 2012 |
| 7.2 | IT may not be able to secure all mobile devices. | There is a risk that IT may not be able to secure all of the mobile devices which the employees of the organisation use to access sensitive corporate data. | Klossner 2012; Rose 2012 |
| 7.3 | IT may not be able to successfully implement mobile security. | There is a risk that IT and security departments may not be able to successfully implement mobile security as a result of the almost limitless range of devices and operating systems being used in the organisation. | Kaspersky 2012; Staut 2012 |
| 7.4 | Employees may select a device without considering IT support. | Employees at the organisation may choose a mobile device without regard for IT support. The risk is that the IT department may not be able to assist employees when their devices are down, which will affect the employees' productivity and ability to complete their work-related tasks. | Rose 2012 |
| 7.5 | Employees' mobile devices may not be configured or locked down. | There is a risk that employees' mobile devices that are not configured and locked down by the IT department will result in an infiltration of malware and an exfiltration of sensitive corporate | Mansfield-Devine 2012 |
| 7.6 | IT may not pre-approve all mobile devices. | There is a risk that employees may access sensitive corporate data using devices which the IT department has determined expose the organisation to security risks. | Anderson 2014 |
| 7.7 | IT may not be able to provide same level of support to all mobile devices. | There is a risk that IT may not be able to provide the same level of support for each and every device that employees bring to the workplace. This may result in employees not being able to perform their work-related tasks in an effective and efficient manner. | Anderson 2014 |
| 7.8 | The organisation may leave certain network ports open for ease of connection for employee-owned devices. | There is a risk that the organisation leaves ports open for employee-owned mobile devices. This may create an opportunity for anyone on the Internet to gain unauthorised access to the organisation's information system. | Markelj and Bernik 2012 |
| 8. Obsolescence | | | |
| 8.1 | Mobile device life cycle may shorten. | The mobile device life cycle may shorten. The risk is that the organisation may not be able to keep abreast of all the new devices being used by its employees, which may result in the risks associated with these devices not being adequately and promptly addressed. | Entner 2011; Ogie 2016 |
| 8.2 | Mobile devices may have planned obsolescence built into them. | Manufacturers of mobile devices have planned obsolescence built into their devices. The risk is that the organisation may not be able to keep abreast of all the new devices being used by its employees, which may result in the risks associated with these devices not being adequately and promptly addressed. | Keeble 2013; Maycroft 2009 |



The risks identified in Table 1 need to be reduced to an acceptable level. This is best done by using an appropriate control framework to identify key controls which can be deployed.