The security perimeter is dead
With the rise of BYOD, IoT and cloud computing, constant vigilance is the new watchword for businesses that want to protect themselves from malware and ransomware threats.
Business IT security used to be a reasonably simple affair. There was the corporate firewall, and everything, including productivity devices, servers and networking equipment, as well as applications, sat behind it. It was easy to defend, but that is no longer the case. With the rise of BYOD, IoT and cloud computing, the ‘corporate perimeter’ has ceased to exist, with significant implications for boards, management and IT staff alike.
According to a report from recruitment company Robert Half[1], 77 percent of surveyed CEOs allow employees to access corporate data on their personal devices. The report also found that a quarter of CEOs think their non-IT senior management do not possess enough understanding about the business risks associated with BYOD.
Despite this, there are good reasons for allowing BYOD. A report[2] from Frost & Sullivan, commissioned by device maker Samsung, found that staff who use their own devices can benefit from almost an hour of extra work time per day, with an estimated increase in productivity of around 34 percent.
The reality is that BYOD, cloud and IoT are here to stay, so what can be done to secure the organisation given that the perimeter no longer exists? After all, the risks are significant, particularly when it comes to BYOD, and there are a number of issues that management and IT need to consider when they allow employees to use their own devices.
These factors include the fact that the device could be lost or stolen, allowing a hacker or some other unscrupulous person access to sensitive corporate data. There’s also the consideration that when employees bring in their own devices, they could also be using unsanctioned apps or cloud services. These unauthorised pieces of software run outside the purview of IT and could allow a hacker into the network. Finally, employees often don’t have the IT knowledge to secure their own devices and may not have the motivation to do so.
Mobile devices in particular are vulnerable. In fact, Malwarebytes data has shown that more than 9,000 malware threats have been detected on Android mobile devices in 2019 so far. Additional research from Malwarebytes has also found that the perception of this endpoint risk is a long way from reality. It found that executives think that around 2 percent of endpoints (including personal devices) are at risk. The actual figure is much more than this, sitting around 60 percent of all endpoints.
Compounding this threat is the fact that most infections of personal devices come from an unknown source or vector, including malware and ransomware. These infections can leap from the personal device onto the network once they are installed, compromising security across the organisation.
Because of this, it is only a matter of time before we see a major organisation in the New Zealand and wider APAC market put at risk due to compromised data or a breach through a mobile device. The C-Suite in particular, who are privy to the most sensitive and vital information an organisation possesses, are now increasingly managing their businesses from a mobile base. This is not surprising considering the travel requirements of most executives. On a daily basis, they are leveraging public Wi-Fi in airports or connecting from multiple offices from their mobile devices, making them a vulnerable target if not appropriately protected.
The most effective way to protect against these threats is to have comprehensive endpoint protection for all devices, including Android and iOS units. Fixing the problem once an infection has occurred is one thing, but the real goal is to prevent and protect devices, including personal, cloud and IoT, before an infection exists.
The reality is that we need to keep managing security better. Instead of looking for a finish line where security will take care of itself, we should look to a model where prevention and protection constantly evolve with the threats that arise and the platforms that are targeted.
When it comes to security in the age of BYOD, there is no longer a perimeter for the organisation to hide behind, and IT security needs to recognise this fact and act accordingly. Staff and senior management will increasingly bring their own devices into the workplace, and that trend has its benefits, including lower operating costs and greater user satisfaction. But it also has threats, and those threats need to be addressed on a constant basis.
Article written by Jim Cook, the regional director of Malwarebytes ANZ.
[1] Robert Half, Employees a potential risk to their own workplace, 2016