A new Flexera Software/IDC Survey Report - The BYOD Trojan Horse: Dangerous Mobile App Behaviors & Back-Door Security Risks – indicates that enterprises are not doing nearly enough to understand which mobile app behaviors hitting their networks and data are risky, nor are they testing apps for those risky behaviors to ensure proper enforcement of their BYOD policies.
An announcement on the report cited an example of these types of risks. The Kim Kardashian Hollywood game app, which an Environmental Protection Agency (EPA) employee was playing on her mobile work phone, tweeted out to the EPA’s 52,000 Twitter followers without her knowledge, “I’m now a C-List celebrity in Kim Kardashian: Hollywood. Come join me…”
As shown in this example, the report underscores that BYOD risk doesn’t just arise from malicious hackers and rogue nations. Threats to data and security are hidden, as in a Trojan horse, in the most innocuous-seeming apps that employees can unwittingly unleash on the enterprise, like a flashlight app that illegally transmits user data to advertisers, or common banking apps capable of capturing device logs, accessing contacts lists, reading SMS messages or even installing packages on the phone.
Among the report’s findings:
- Enterprises Are Broadly Adopting BYOD Policies: 48 percent of enterprises have already or are in the process of implementing BYOD policies, and another 23 percent plan on doing so within two years.
- Data Security Is a Pervasive Challenge: 71 percent of enterprises said data security counts among their biggest challenges when implementing BYOD policies.
- Blocking Risky Apps Is a Priority: 47 percent of respondents say they’re instituting policies that block risky app behaviors to mitigate mobile app security risks. Another 22 percent plan on doing so within two years.
- Enterprises Are Failing to Identify Risky App Behaviors: Despite concerns about security and blocking risky apps, most organizations – 61 percent – have not even identified which app behaviors they deem risky (i.e. Ability to access social media apps like Twitter, apps that report back user data to app producer, etc.).
- Enterprises Are Also Failing to Identify Apps They Deem Risky: A majority of organizations – 55 percent – have not identified specific mobile apps that exhibit risky behaviors that would violate their BYOD policies.
- BYOD Policies Are Not Reducing Enterprises’ Security Risks: Only 16 percent of respondents report that their BYOD policies are resulting in lower enterprise application risk.
The reports outlines how BYOD policies are critical to organizations seeking to maximize the value and minimize the risks they encounter by integrating mobile devices and apps within their infrastructures, because these policies define the behaviors that are and are not acceptable. But BYOD policies are inadequate if appropriate enforcement mechanisms are not put into place and followed.
Companies will need to move beyond simply having strong processes to test and remediate traditional desktop, virtualized and cloud based applications to make sure they’re safe and reliable. As the report indicates, enterprises have not extended these application readiness best practices to mobile apps. These same processes should be extended to mobile apps to ensure that risky app behaviors and apps are identified and appropriate measures are taken to contain those risks.