Organizations need to take appropriate security measures when implementing a BYOD policy
Following the emergence of the Cambridge Analytica and Facebook scandal, data privacy has become even more critical for individuals and organizations alike. This concern has especially increased for many companies operating Bring Your Own Device (BYOD) policies. These policies allow employees to carry out work on their non-business owned devices. In 2015, 74% of organizations were using or were planning to introduce a BYOD policy in the workplace. The main reasons given were lower costs and convenience benefits.
There are, however, significant risks to this practice to consider. Enabling employees to use their own devices reduces the control of the company over its IT infrastructure. Unlike with company-owned desktop devices, organizations are often unaware of where mobile devices originated from. It can be difficult for the company to protect these devices from malware and other cyber threats. What’s more, it is almost impossible to monitor what data is being collected and distributed.
The presence of spyware and adware on mobile devices has been a significant concern to organizations for many years. They are not only a nuisance for users, but also pose serious security risks to both personal and company data. Spyware is usually installed onto a device without the user’s consent or knowledge and generally runs in the background. It collects information such as login details, or monitors activity on the device, such as web browsing patterns.
Adware is slightly different. Its primary purpose is to display advertising content on the device through pop-up windows and links to other websites. These ads are often legitimate and do not necessarily direct to malicious websites. However, they can seriously affect the functionality of devices and productivity of users. Adware can also monitor browsing history and device usage to deliver targeted marketing content. This can be a significant invasion of privacy if not done with explicit consent.
Spyware or adware can get bundled up with software downloaded from the internet. They can take advantage of the long, complicated licensing agreements that usually get ignored by device users. Malicious software can also use pop-up windows in internet browsers. These contain ‘urgent’ messages or ‘yes’ or ‘no’ options to entice the user to trigger a download.
Pre-installed tracking apps
A particularly insidious form of spyware is that which comes pre-installed on mobile devices. The Wall Street Journal recently reported that millions of people in developing countries are being sold inexpensive smartphones with pre-installed apps. The purpose of these apps is to collect personal data such as user location, usage behavior and unique device identifying numbers. This data then travels to advertising companies in China and Taiwan to improve targeted advertising. Device users in Brazil, Egypt, Myanmar, and Cambodia have reportedly been monitored by these ‘firmware’ apps. Users are unaware that apps are collecting and using their data for this purpose.
One advertising company that supplies the preloaded firmware, GMobi, maintains that these apps are not malware. They state that their company is not responsible for any malicious activity emanating from the apps. According to them, they are simply ‘following the law of the land’. However, in this case, the law of the land consists of weak privacy protection laws and a growing population of novice smartphone and internet users to exploit.
Malware like this is one reason for organizations to be cautious when allowing employees to use their own devices. Many apps collect user data for advertising and intelligence purposes with user consent. However, in cases where users have no control over the apps installed on their device and the information they collect, organizations could face serious security threats. According to 78% of organizations, the number one hesitation for implementing a BYOD policy in the workplace is potential security risks. Many spyware and adware threats like this exist and can often go undetected for long periods of time.
Activity recording software
Many mobile users fear the possibility that their device is listening to their conversations. They believe that the device is then using this information to target them with advertising content. People have speculated about this concept for years. Many have claimed to have received ads online for very specific items after directly mentioning them. However, a recent comprehensive study at Northeastern University in Massachusetts found no clear evidence of smartphones behaving in this manner.
One strange practice that they did notice was apps sending screenshots and screen recordings of user activity to unrecognized destinations. Among the data collected were zip codes and user login credentials. In many cases, users had no idea that apps were recording their behavior. The researchers determined that most recordings were benign. They simply tracked user behavior and preferences to optimize the performance of the app.
Nonetheless, these findings highlight the ease with which a malicious body could potentially collect information from a mobile device. A seemingly innocent app could capture and distribute personal information, passwords or private messages without the knowledge of the user. This could have serious security implications for the company as a whole.
What to do?
So what can organizations do to avoid a spyware attack? Educating end users to be vigilant about possible attacks is one of the most effective methods of prevention. Device users should always be cautious about what apps they download and what links they click on. They should also check the trustworthiness and reliability of the source.
However, if the user fails to follow these precautions, devices may need external protection. Corrata’s Mobile Internet Security Solution offers organizations comprehensive protection against all types of malware attacks. Corrata prevents the device from downloading malicious software or visiting suspicious sites. The solution also constantly monitors where information is travelling to. It then alerts IT administrators if any suspicious activity occurs. This can give organizations peace of mind when implementing a BYOD policy. Even if an employee uses a device that becomes infected or compromised by spyware or adware, Corrata can detect and disable threats before they cause any serious damage to the company.