On 25 June 2018, Michigan Medicine announced that about 870 of its patients’ data had been leaked during a recent cyberattack. The University of Michigan’s academic medical centre in Ann Arbor insisted that the stolen data was for research purposes only, but confirmed that the records included patients’ names, birth dates, diagnoses and other confidential information. It was a disastrous security breach, and it happened in the most innocuous way.
Three weeks earlier, the car of one of Michigan Medicine’s employees was broken into. It was a standard smash-and-grab, and his bag – which contained his laptop – was stolen. The laptop was password protected but not encrypted, and it contained the data in question. Michigan Medicine was quick to point out that the employee had violated company policy by storing the information on his personal unencrypted laptop – but the damage was already done.
Incidents like that happen everywhere, every day. Countless people store confidential company spreadsheets and receive privileged company emails on their mobile devices. You probably do it yourself, and your company is probably more than happy for you to check your work emails after hours and over weekends. And that’s where the line begins to blur. After all, it may have been the employee’s laptop but it was Michigan Medicine’s – or, more to the point, its patients’ – data.
Enterprises across the world, and across Africa, have been trying to walk this awkward tightrope ever since mobile devices entered the mainstream. The cybersecurity risk attached to the bring-your-own-device (BYOD) phenomenon is one of the biggest puzzles that modern businesses have to solve.
Strict company policies may help a bit, but as cybersecurity giant Symantec points out on its website, ‘even when the most mobile-savvy employees conduct themselves according to the book, they may still inadvertently expose corporate information. For example, individuals downloading apps from third-party sites are nonetheless prey to attackers who have demonstrated their ability to infiltrate malicious apps that hide themselves’.
For example, Symantec researchers recently found that hidden malicious apps had been downloaded more than 2.1 million times from the Google Play store. ‘We’re talking about a first-tier vendor,’ the company notes. ‘Imagine the potential risk when a user accesses a third-party site with questionable security.’
In its 2018 annual crime report, the South African Banking Risk Information Centre (SABRIC) states that incidents across banking apps, online banking and mobile banking increased by 75.3% year-on-year, while banking app incidents increased by 55.4%. ‘Your device is your key to your digital life, and this includes your financial accounts and services,’ says Susan Potgieter, SABRIC acting CEO. ‘Due care should be taken to protect your device and to keep it up to date. Protect it as you would keys to your safe and do not take unnecessary risks with your devices.’
From an employer’s perspective, Potgieter recommends treating the personal device as an extension of the company’s own infrastructure. ‘In our opinion, an employee mobile device should be viewed as an end-point device and must be managed accordingly,’ she says. ‘Where possible, the device should be managed by the employer’s corporate IT department, and it should meet certain standards before being allowed to connect to a corporate network. If the device cannot be trusted, it should be managed like any other untrusted device.’
Vincent Rabie, network operating centre manager at ICT-solutions provider Alteram Solutions, agrees. ‘In this BYO era, you’ve got to have a way to manage your business’ data, even when it’s not on your equipment,’ he notes in a company statement.
‘The whole “BYOD” phenomenon has spread to BYON and BYOA – bring your own network and bring your own application. This has to be effectively measured on an ongoing basis so as not to become problematic down the line.’
According to Jenny Jooste, professional indemnity and cyber underwriter, financial lines at Chubb: ‘BYOD extends the perimeter of a company’s network and allows for gateways to a company’s data. A BYOD device can store sensitive corporate data, and it’s important for an organisation to have visibility into the data on devices and control over how those devices are protected – passwords, encryption, and so on,’ she says.
‘BYOD is a big exposure if not managed, and if the risk is not managed properly this could result in a significant loss to a business. Employees are often exposed the most when it comes to cyber breaches that are a result of them either clicking on links, visiting websites or using free WiFi that is not secure.’
The problem is especially complex in sub-Saharan Africa where, according to mobile network trade body GSMA, there were 456 million unique mobile subscribers in 2018, representing a subscriber penetration rate of 44%, while around 239 million people (about 23% of the population) also use mobile internet on a regular basis.
The GSMA predicts that by 2025 the total subscriber base will grow to around 623 million – half the region’s population.
Those subscribers are coming into the workplace with their own devices. Even as far back as 2010, a Dell survey found that 61% of millennials and 50% of tech-savvy workers above the age of 30 believed the tech tools they use in their personal lives are more effective and productive than those used in their work lives. They don’t want to use their work computer, because they feel they could be more productive on their personal device.
Brian Egenrieder, chief revenue officer for mobile security at SyncDog, unpacks the issue in a guest blog post for Symantec. ‘The fact is that most users nowadays have greater expectations for what they should be able to do with their mobile devices,’ he writes. ‘They want greater simplicity in how they go about doing it and they accept security measures but expect them to be more seamless within the full user experience.
‘It also means that users are not going to abide by the seemingly arbitrary security rules laid down by IT when it comes to accessing corporate data. Many preferred to use their own private devices for work and increasingly insisted on that as a right, not a convenience. That soon presented security teams with a myriad of questions. Many organisations initially balked at the idea of allowing employees to utilise their own devices to pull data off the corporate cloud. Eventually, however, most got in line and dealt with it as a fact of life.’
The result was more than 78% of US organisations (by Egenrieder’s count) using BYOD in their operations, with companies instituting mobile device management (MDM) solutions and ‘hoping for the best’.
MDM solutions are, as things stand in the BYOD environment, the least-worst option. It’s intrusive – and creepy – to let your employer have access to your privately owned device (especially when they’re not even helping you pay for it), but companies will always prioritise their data security over their employees’ expectation of privacy. As a result, writes Egenrieder, ‘we’re seeing many instances where employees wind up carrying around two mobile devices with them, one for work and one for private use’.
But what happens when – as happened to that Michigan Medicine employee – the device goes missing? ‘A personal device that contains confidential company information poses a huge security threat if it is lost or stolen,’ says Radhika Sarang, director of global consumer product marketing at security firm McAfee.
‘[It] begs the question: who is responsible for retrieving the device and/or data? What is the proper response to this sort of breach? It is your personal device, with both personal and company data, so should it be locked, tracked and retrieved, or completely wiped immediately? There is no clear or correct answer, which is why companies need a clear BYOD policy and culture of security that fits both parties’ needs.’
If the appropriate security measures are not in place and if, say, your child loads a dodgy app onto your phone (or if you forget to update your device’s software), that could provide a back door to your employer’s corporate servers.
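As an added example (not code from the article or from any vendor quoted in it), the following Python posture check encodes the standards Potgieter and Jooste describe for a personal device before it touches the corporate network (passcode, encryption, current OS, no apps from third-party sources) together with the lost-device response Sarang raises, and runs it against a constructed record resembling the unencrypted laptop in the Michigan Medicine case. The device fields, the baseline OS version, the access tiers and the response steps are assumptions chosen for illustration, not a real MDM product’s schema.

```python
from dataclasses import dataclass, field

@dataclass
class Device:
    """Posture record as an MDM agent might report it (hypothetical fields)."""
    owner: str
    os_version: tuple               # e.g. (14, 2); compared as a tuple
    passcode_set: bool
    disk_encrypted: bool
    unknown_source_apps: list = field(default_factory=list)
    reported_lost: bool = False

MIN_OS = (14, 0)  # assumed current baseline, constructed for this example

def compliance_violations(d: Device) -> list:
    """Return the standards the device fails; an empty list means it can be trusted."""
    v = []
    if not d.passcode_set:
        v.append("no passcode")
    if not d.disk_encrypted:
        v.append("storage not encrypted")      # the laptop in the article failed exactly here
    if d.os_version < MIN_OS:
        v.append("OS below baseline")          # the 'forgot to update' case
    if d.unknown_source_apps:
        v.append("third-party-source apps: " + ", ".join(d.unknown_source_apps))
    return v

def access_decision(d: Device) -> str:
    """Trusted devices get full access; anything else is handled as an untrusted endpoint."""
    if d.reported_lost:
        return "block"
    v = compliance_violations(d)
    if not v:
        return "full"
    if "storage not encrypted" in v:
        return "block"                          # never let corporate data land on plaintext storage
    return "web-only"                           # browser access only, nothing cached on the device

def lost_device_actions(d: Device) -> list:
    """One possible response policy (assumed): cut access first, wipe only the work container."""
    actions = ["revoke corporate tokens", "remote lock", "request location"]
    actions.append("selective wipe: work container" if d.disk_encrypted
                   else "full wipe: plaintext storage is readable once the passcode is bypassed")
    return actions

# Constructed sample records (not real devices)
LOST_LAPTOP = Device("researcher", (14, 2), passcode_set=True, disk_encrypted=False, reported_lost=True)
COMPLIANT_PHONE = Device("analyst", (14, 2), passcode_set=True, disk_encrypted=True)
STALE_PHONE = Device("intern", (13, 4), passcode_set=True, disk_encrypted=True,
                     unknown_source_apps=["game_from_forum.apk"])
```

Run against the records above, the laptop is reported as non-compliant for unencrypted storage and blocked, the up-to-date encrypted phone gets full access, and the phone with an old OS and a sideloaded app is quarantined to browser-only access.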
‘BYOD can offer some really great perks,’ says Sarang. ‘Employers spend less on technology and providing devices to employees, thus saving the company money; and you get to use your own device(s) which you are already accustomed to.’
So it should be a win-win. Instead, as the lines between work and play become increasingly blurred, employees’ personal devices are becoming an increasing headache for employers’ digital security teams.