Data Breach Scenario: BYOD – Financial Services Firms
What would happen to your brand trust if a personally owned device containing both personal and corporate data was lost or stolen?
Brand trust is paramount to the success and longevity of your business. While the creation of a separate interface for personal device traffic may seem inconvenient, it could prove to be one of the best security practices you implement.
Companies around the globe have identified the convenience of employees bringing their own device (BYOD) to work. In fact, 82% of companies allow the use of personal devices for work, but out of those companies which support BYOD, 50% were breached through an employee’s personal device.
The Verizon RISK Team outlined a typical scenario of how an unregulated BYOD culture can become a grave concern. In its report, it identified an instance where a customer was locked out of his account and getting an error message. An investigation revealed no suspicious activity within the servers and anti-virus scans came back clean. Further, there were no signs of malware within the local area network (LAN).
The Risk of Bringing Your Device to Work
It wasn’t until investigators looked into the BYOD network that it found their culprit. A faculty member’s personal laptop was infected with a virus at home and the virus later spread to the company network when the device was connected at the office.
A further review revealed that the BYOD and guest networks shared the same network equipment and Network Address Translation (NAT) with the corporate traffic. This made the company network vulnerable to malware from infected personal devices that are able to make their way past the firewall.
Common BYOD Risks
Common mobile malware includes trojanized apps and malicious links, both of which try to trick users into downloading harmful code to their devices. Third-party app stores, in fact, often contain malware-laced applications that can infect devices and gain access to their sensitive data.
A recent article in Forbes states, “Cyber Attackers Rely on Human Error.”
“Hackers rely only partly on their security-penetration skills. The other thing they need? Regular people making mistakes. ‘An analysis of threats faced by organizations in the first quarter of 2017 reveals that cyber attackers still rely heavily on user interaction,’ says Bo Yuan, Ph.D., professor and chair of the department of computing security at Rochester Institute of Technology.
Without a stringent BYOD protocol, company networks become vulnerable the minute an infected device is hooked up at the workplace.”
BYOD Security
Public IP addresses should never be shared with unknown devices. Company networks need to be configured so that traffic from personal devices is sent out through a separate interface. BYOD security also comes down to best safety practices within the staff. All employees should be trained on how to handle their own personal devices, including:
- Avoiding accessing company data by connecting via over-the-air WiFi networks
- Avoiding jailbreaking devices; this practice leaves devices more vulnerable to malicious applications
- Keeping all operating systems up-to-date
- Encrypting personal devices and implementing strong passwords for both the device and SIM card
- Only installing apps from trusted stores, such as the Apple Store and Google Play
A recent article in FOSSBYTES articulates the risk of combining personal data and corporate data
“BYOD makes it difficult to distinguish between personal data and corporate data because they are both kept on the same device. So, if the device is lost, the corporate data will be accessed by any individual who gets the device.
If the lost device stores critical data, the individual who finds it can publicize the information or use the data to damage the reputation of the organization.”
Fairdinkum is your Financial Services Information Technology Service Provider and we will employ a number of measures to ensure that your data is safe with us. Each of our clients receives premium levels of service and support from our experienced and professional team of engineers.
You may want to read 5 Things Financial Firms Need To Know About Cyber Security.
Related Articles:
Data Breach Scenario: Weak Configuration
Data breach Scenario: Malicious Software
Criteria for Evaluating EMM/MDM Solutions