Cybersecurity Alert: Employee Mobile Devices (BYOD) Make Your Company Vulnerable to Attacks
By Susan Hoffman
Special Contributor for In Homeland Security
An alarming cybersecurity threat keeps CEOs, chief information officers and HR managers up at night. And it originates from inside their own companies.
As more employees bring personal cellphones and tablets to work, otherwise known as “Bring Your Own Device” (BYOD), they bring with them the greater potential of exposing their employer’s data nerve centers to debilitating attacks. These attacks come from cybercriminals, competitors stealing proprietary data, disgruntled employees focused on revenge, and international hackers targeting federal agencies.
While cybersecurity leaders maintain rigid firewalls, anti-virus or anti-malware software, and strict policy controls over company- or agency-issued systems, many organizations struggle to reconcile data security with human resource management policies. American Military University (AMU) professor and cybersecurity expert, Dr. Karen Paullet, raised this security concern as a guest speaker at the Federal Information Systems Security Educators’ Association (FISSEA) 29th Annual Conference. This conference was held March 15 to 16 at the National Institute of Standards & Technology in Gaithersburg, Maryland.
Expanding BYOD Usage Increases Risks for Data Theft
In her presentation, “Mobile Devices and the Internet of Things,” Dr. Paullet cited the massive and exponentially growing use of Web-connected devices today, including smartphones, tablets and wearables. “There are 7.22 billion mobile devices in the world. There will be 21 billion connected devices by 2020,” she noted.
But the greater concern is what employees are doing with these mobile devices, which is most likely the same whether the device is operated at home or in the office. Employees share personal photos with embedded latitude and longitude with colleagues and friends, auto-connect to public Wi-Fi while grabbing coffee at Starbucks on the way to work, and download free apps that build digital dossiers on users for companies and potential hackers to mine. The line between official office devices and employees' personal mobile devices is blurring.
“If these devices aren’t adequately protected and smarter organizational policies aren’t put into place, then data theft of both the individual user and their employers will increase. More enterprise systems will be jeopardized,” Dr. Paullet warned.
Organizations Need Cybersecurity Overhauls Now
Organizations should re-examine their security policies, especially in BYOD environments, says Dr. Paullet. “Desktop computers, tablets and laptops are interconnected with our smartphones, but we don’t protect our smartphones. What confidential information is on those devices?”
That confidential information is the owner’s personal identification numbers (PINs), email accounts, contact lists and personal calendars. A mobile device used at work may contain corporate email addresses, proprietary enterprise information or customer records, which are valuable to data thieves.
Dr. Paullet commented that federal agencies and companies have sizeable security gaps in their mobile device management and policies. They must be more proactive in enforcing their security policies.
“95% of organizations are not there yet. They should know their weak points before data breaches occur. Companies need to invest more money in training security personnel and end users to avoid back-door breaches.”
The most common mobile vulnerabilities involve lost or stolen devices, malware, unsecured networks and gaps in mobile management and policies. Dr. Paullet’s recommendations for improved security include:
- Turning off Bluetooth and Wi-Fi after use
- Recording the mobile device’s International Mobile Equipment Identity (IMEI) number (a service provider can block the IMEI number and prevent network access after a thief steals a mobile device)
- Avoiding hotspots that are not password-protected
- Turning on a mobile device’s security features
- Keeping a mobile device with you at all times
In a 2014 podcast with Panhandle Talk Radio in Martinsburg, West Virginia, Dr. Paullet noted that more and more data thieves take advantage of mobile technology. They don’t need to walk into banks to get money, but use stolen mobile devices to access databases and direct funds to accounts they control.
Growing Need for More Cybersecurity Professionals
Dr. Paullet says there will be a deficit of qualified cybersecurity professionals by 2028. “The threats become greater as we work to catch up. Cybersecurity professionals are in high demand. But they also need extra training to cope with the newest cybersecurity threats, which only their employer can give them.”
The government and media sources agree with Dr. Paullet. The U.S. Department of Labor projects a 37% growth in information security analyst jobs by 2022, much faster than the average rate of job growth. Steve Morgan, a cybersecurity writer from Forbes, says that demand for cybersecurity professionals is expected to rise to 6 million jobs by 2019.
About Dr. Karen Paullet
As a faculty member in the university’s Security, Technology, Engineering, and Math (STEM) school, Dr. Paullet teaches multiple cyber-related courses. These courses include cyberlaw, information assurance, cybercrime and cybersecurity.