Mobile apps heighten security perils of BYOD

 A survey by Check Point released in January shows that the number of personal mobile devices connecting to corporate networks has doubled over the past two years. Close to 50% of the 750 IT and security professionals surveyed said that users in their organizations routinely stored corporate data on personally owned devices. In most cases, employees stored emails and business contact information on their mobile devices. However, other sensitive information -- including customer data, network credentials and information from business applications -- was also stored on personal hardware.

Not surprisingly, according to Check Point, a majority of the businesses in the survey said their biggest concern was the lack of security awareness on the part of those using such devices at work. That's one of the issues IT shops are grappling with on a daily basis, and it's one of the issues being discussed at the CITE conference now under way in San Francisco.

The growing number of mobile apps is likely to accelerate concerns about corporate data. A few days ago, I played around with Skyvi and Iris, two nifty little applications for Android-powered smartphones. I like Apple's Siri and both these apps offer a somewhat decent alternative for Android users like me. Just like Siri, both apps allow you to use your voice to make calls, send messages, find places, open applications, check the weather, and elicit snarky remarks.

In order to deliver all these functions, the applications can change your phone's audio settings, access the Global Positioning System on the device, read and edit SMS and MMS messages and read all the contact data stored on your device. The applications can access your phone number and the device serial number; know whether a call is active; know which number was dialed; make or accept connections with paired Bluetooth devices; modify stored data; and change configurations.

Eva Virtual, a paid application that does many of these same things and more, has access to even more services on your phone, including access that allows it to add and remove accounts, delete passwords, read and modify calendar events, read system log data and collect images the camera might be seeing.

None of this is to say anything nefarious is going on. The apps I'm assuming need this access to perform their tasks. And no doubt there are hundreds of applications like this across all smartphone platforms. I only mention them here because these were the ones I looked at.

The point is there are millions of users who use smartphones running such applications to access corporate networks and to store and share corporate data. Just today, Apple announced the 25 billionth (that's billion with a b) app download from its IOS App Store. In most cases, the applications running on personally owned devices are not vetted by IT.

Companies that do not have controls to properly manage devices running such applications are exposing themselves to security threats in ways they probably cannot imagine, according to vendors and analysts at last week's RSA security conference.

The problem is only going to get worse. As Symantec's CEO Enrique Salem noted in a keynote speech at RSA, the first digital natives will start entering the workforce pretty soon. These are the people who do not know of an era before the Internet, social media networks and smart mobile devices. Salem describes them as the "always networked, always sharing, always multitasking," generation for whom security is not always the first priority. Most of them expect to use and access data in much the same way they have grown up using and accessing it.

"This generation will absolutely impact how we do business," Salem said. "They are already hitting the security industry like a sledgehammer."

Managing the onslaught will take a lot more than perimeter-based security defenses and anti-virus tools, he said. Companies need to implement controls that are capable of securely authenticating, authorizing and auditing user access, regardless of whether the user is accessing the data from a mobile device, a social network or other channel. That's among the many IT concerns about the gather bring-your-own-device trends reshaping the industry.

"BYOD is big, simply because you cede control to the end user," says Pete Lindstrom, an analyst with Spire Security in Malvern, Penn. "This will be standard fare for the next generation of workers so we need to work out new architectures now."

Copyright © 2012 IDG Communications, Inc.

8 highly useful Slack bots for teams
  
Shop Tech Products at Amazon