Security teams need to rein in employees’ personal devices and apply stringent but low-friction cyber measures

As hybrid- and remote-working arrangements continue to be enforced, many enterprises have adopted Bring Your Own Device (BYOD) policies that have led to a mixing of corporate and personal data on a single device.

Whenever personal data and corporate data are stored on the same mobile device, there is the possibility of security risks. Separating the two types of data can help businesses to apply special security measures for their confidential or business-critical information.

According to Kaspersky, in India, a 2020 Android malware by Transparent Tribe was distributed as a porn-related app and a fake national COVID-19 tracking app. The embedded malware was able to download new applications to the phone; access SMS messages, the microphone, call logs and device location; and enumerate and upload files to an external server. Similar mobile malware campaigns such as GravityRAT, Origami Elephant and SideCopy also attempted to steal information this way.

However, for Q2 2022, the firm’s user ecosystem has detected a slight decrease in mobile malware (excluding adware and riskware) being found on BYOD mobile devices. Mobile malware detected in Singapore decreased by 8.5%, while decreases were also noted in Indonesia, Malaysia, Vietnam, the Philippines and Thailand.

Beefing up BYOD security
Amid the brief respite, the firm’s General Manager (South-east Asia), Yeo Siang Tiong, said: “Regardless of the types of device we use, cybercriminals can infect them, steal all data and money in them, and even access or wipe out our messages, emails, private photos, and more. The risks extend from an individual to a wider enterprise-level breach. Such can be avoided if we do the basic act of installing legitimate security solutions in our smartphones.”

Yeo said that enabling access to business systems and data from mobile devices means smartphones and tablets will effectively cross through the protective firewall. If those devices are infected with viruses or trojans, that will introduce security issues within the corporate network.

The main idea behind proper BYOD security is to treat personal devices in the same manner as company-owned devices. Likewise, laptops and smartphones being used outside of the company perimeter have to be protected just like those behind the firewalls and network protection solutions in the office.

With the average employee now using two or three different mobile devices to access the corporate network, BYOD brings IT and security departments the challenge of having to implement and manage mobile security across an almost limitless range of devices and operating systems. Traditional methods, such as web control enforced centrally for the corporate network only, are not applicable anymore.