In an era of enterprise mobility, employee flexibility and convenience in terms of working from remote locations and device usage has become a new norm. Although this definitely adds to their productivity and efficiency, at the same time, companies cannot ignore the threats and risks they pose to corporate information security. The influx of mobile devices and the plethora of platforms in the workplace is making things more complex for companies. Conditions get trickier when employees are allowed to use their own devices at work, whether in office premises or a remote location.
This blog will discuss why a company needs to make an informed decision about implementing a specific device ownership model. Let’s dive into a comparative analysis between corporate-owned devices and employee-owned devices from the viewpoint of information security.
What is Information security?
Information, which can exist in any form – physical, tangible, electronic, or non-tangible, is a valuable asset to a company. As the term suggests, Information Security is a set of defined and organized tools and processes that are designed to protect sensitive corporate information from getting disrupted, stolen, modified, compromised, disclosed, corrupted, or destructed.
A part of information risk management and popularly known as InfoSec, it secures crucial information from unauthorized access, use, sharing, disclosure, or deletion. In case any unfortunate security incident takes place, InfoSec professionals are responsible to mitigate the impact of the threat or the risk involved. The three famous pillars of InfoSec are Confidentiality, Integrity, and Availability. Apart from these 3 aspects, there are 3 more pillars that offer further strength to the InfoSec program, these are Accountability, Authenticity, and Non-Repudiation.
The simple fundamental that underlines the InfoSec program is that sensitive corporate information must be kept intact – it cannot be accessed, transferred, or modified without authorized permission. The major types of infosec are Application Security, Cloud Security, Cryptography, Infrastructure Security, Incident Response, and Vulnerability Management.
Corporate Information Security: Why companies should care?
Information can be worth a trillion dollars to a company and losing it can cause irreparable damage to enterprises. Unmanaged and unorganized information lying in silos can be vulnerable to different kinds of threats like computer/server malfunction, natural disasters, or physical theft. InfoSec is a crucial consideration for IT security specialists who monitor and prevent risks to application security, data security, network security, physical security, and computer security.
As a matter of fact, modern companies mostly rely on corporate e-information stored within computers, information and software systems, mobile devices, smartphones, tablets, and other handheld devices used by employees, stakeholders, and business leaders. As companies shifted their interest from physical assets to the digital landscape, threats to information took a shape of cyber threats. The increasing cyber-security attacks can cause major damage to sensitive and critical information assets.
On top of that, the growing risks of data breaches have brought the importance of having a sophisticated data protection plan to the forefront.
Stated below are a few of the reasons why companies should start caring about Information Security:
As per Juniper Research1, cybercrimes have led companies to lose an amount of $2 trillion in 2019.
The same report states that cybercriminals will steal 33 billion records in 2023 alone, resulting in a cumulative loss of around 146 billion records.
As mentioned by Cybercrime Magazine2 and Gartner’s forecast, organizations are going to increase their spend on InfoSec awareness computer-based training by 13%.
As per the same reports3, the global expenditure on cybersecurity will touch a staggering $10 billion by 2027.
As per Symantec report4, there is a 25% growth in the number of attack groups using destructive malware.
The same report states that the average number of organizations targeted by each attack group is 55.
There is a 1000% increase in malicious powershell scripts and a 78% increase in supply chain attacks, according to this Symantec report.
How the device ownership model influences information security?
As maximum corporate information, which is sensitive and critical in nature, lies within the smartphones, tablets, and other handheld devices used for enterprise purposes, it is crucial to understand who owns and uses these devices, how they use these devices, and who owns the information. It also invites the question about how much control should the company have over the information stored in these devices, which are intended to be used from office premises as well as from remote locations.
Also, what kind of security and usage policies are introduced to protect company information from unauthorized access and data abuse, and how are they implemented. Let’s look at the risks posed by employee-owned devices and how having a corporate-owned device policy with a robust MDM solution in place can be a better idea for organizations.
Information Security Risks with Employee-Owned Devices
With the growing need for flexibility, convenience, and agility, employees are demanding to use their own devices at work. Although employee-owned devices are doing the rounds, companies must not ignore the costs it might pay for allowing the employees to use their own devices to carry on their daily works. The security risks are doubled when employees use their own mobile devices from remote locations or while telecommuting.
Check out the following risks that employee-owned devices can pose to information security:
Data loss or abuse due to the lost or stolen device: When an employee uses his/her own device at work without any backend control from the company IT team, it simply means that the devices are on their own, and so are the company data lying within them. Now imagine a scenario where an employee misplaces his/her device and it falls into the wrong hands. It wouldn’t only jeopardize the entire work process but can also expose sensitive and critical company data to be compromised by hackers, who have gained expertise in decoding encrypted data and device-locking passwords.
Data misuse during sudden/immediate employee departure: When an employee leaves the company, it is mandatory to follow certain regulations to ensure a healthy and organized departure. However, in the case where an employee just decides to abruptly walk out of the company without any prior notice, he/she invites a scope of data misuse. Companies rarely exercise any control on employee-owned devices, and this makes it difficult to wipe off or erase corporate data stored in those devices, which might attract unauthorized and unsafe access to corporate data and software in the future.
Data can be corrupted due to unprotected browsing: Without any company IT control, employee-owned devices do not come with any restrictions or limitations to browse unprotected websites and download malicious apps. However, this unhindered freedom might invite the risks posed by cyber-threats and attacks via unsafe websites and virus-laden apps. This undoubtedly brings in bigger risk factors wherein corporate data stand chances of corruption, deletion, or destruction, resulting in a tremendous financial and strategic loss for the company. Malware, spyware, and ransomware attacks through infected emails, apps, and weblinks can cause irreparable damage to the organization’s brand image.
Indifference towards security updates: People often do not pay heed to those OS security updates and notifications, which causes the phones to stay outdated and hence devoid of security upgrades. Now, this tendency of indifference towards security updates can come bearing doom for information security. When the employee-owned mobile phones are not enforced to update themselves with the latest security firewall and anti-virus systems, they become vulnerable to a myriad of cyber-attacks, which leave the corporate data lying vulnerable within these devices.
Access to unprotected Wi-Fi: Employee-owned devices are often used from multiple remote locations wherein the user/employee sometimes needs to access the open Wi-Fi networks in case of data exhaustion or unavailability. Open Wi-Fi networks provided in the coffee shops, airports, retail stores, hospitals, restaurants, and hotels often act like an open and unsecured portal for hackers to access company information stored in the devices. Accessing these unprotected Wi-Fi networks has become a norm with employees using personal devices but it can lead to dangerous InfoSec threats for organizations.
Corporate-owned devices are a better option to drive information security
It is true that several of these loopholes can be covered by implementing a well-planned BYOD policy, but companies are definitely treading that path at a slower-than-expected pace owing to the security complications and management ordeal. On top of that, as companies cannot own and regulate the usage of these employee-owned devices, the possibilities of malware and virus attacks are always present on the devices. The infection can be passed along to the company IT system when they access the devices.
Wherein employee-owned devices invariably drive productivity and flexibility, it cannot be achieved at the cost of important company information being jeopardized. Having a corporate-owned device ownership model pays off in multiple terms while fostering productivity, security, flexibility, efficiency, and precision – all at once! A corporate-owned device policy powered with a perfect MDM solution can be the ultimate answer to maintaining a flawless information security system across the organization at all levels.
Sonali has an extensive experience in content writing, marketing, and strategy and she has worked with companies where she was involved in the 360-degree content production and editing. An avid reader and animal lover, she loves to cook, take care of her plants and travel.