BYOD Puts Employees, Employers At Risk of ID Theft

Wednesday, April 17, 2013
Employees using personal smartphones or iPads for office work might seem like a win-win all around. Workers don't have to keep track of multiple devices or transfer data between devices, and they have easy access to work information whenever they need it. Employers save money not having to purchase or maintain the devices for employees, and get the assurance workers can access their office email quickly.

But the practice of BYOD - "Bring Your Own Device" - poses new security risks for both employees and their employers, including business ID theft, security experts say.

In the past year, 96 percent of American workers used their personal smartphones for work, according to a study by a network of Cisco partners. Yet less than half (46 percent) said they thought their employers could handle any problems that arose from BYOD, and 39 percent didn't bother to protect their personal devices with a password.

Always quick to identify new opportunities, cyber crooks are now focusing their efforts on taking advantage of the BYOD trend. Cyber criminals use a variety of tools and tactics to target personal devices being used for business - from data theft via malware to physical theft of devices containing sensitive information.

Both employers and employees are responsible for risky behaviors related to use of personal devices for business purposes, studies show.

In the Cicsco study, 52 percent of employees admitted to accessing unsecured Wi-Fi networks with their personal devices. A survey by information security trainers SANS found that 61 percent of employers allowed employees to use personal devices to connect to protected network resources, but only 9 percent were "fully aware" of what devices employees were using, or what they were accessing. Half didn't have policies governing BYOD, or trusted employees to follow corporate policies for securing personal devices, SANS found.

Risky employee behaviors include:

• Use of unsecured Wi-Fi networks
• Leaving mobile devices unattended and exposed to theft
• Losing mobile devices
• Downloading apps from questionable sources, or not checking privacy policies before downloading
• Visiting unverified websites
• Disregarding an employer's security protocols

Among employers, risk-engendering behaviors include:

• Failure to implement and enforce security standards for work use of personal devices
• Failure to have in place a response plan for data breaches when they occur
• Failure to educate employees on how cyber crime occurs and what they can do to help prevent it.

Cyber attacks against employees' personal devices can have far-reaching consequences for businesses. Data breach costs create huge losses for businesses, including direct theft of money from financial accounts, money lost on remediation, loss of business reputation, abandonment by customers and even fines and penalties for failing to report a breach in a timely manner.

Ensuring security while workers use personal devices for business takes a concerted effort from both sides of the equation.

"The threat against mobile devices has already been proven," write Kevin Johnson and Tony DeLaGrange, authors of "SANS Survey on Mobility/BYOD Security Policies and Practices." "Without security policies, allowing employee-owned devices to access company resources makes our protected IT networks sitting ducks."

© CyberScout, LLC. All Rights Reserved.
If you need identity theft assistance, call your provider organization to be put in touch with the CyberScout Resolution Center. More information for individual consumers.