How to manage common BYOD risks

January 3, 2019

Bring your own device (BYOD) policies have long been a mixed blessing for employers.

Although BYOD allows employees a new level of personal convenience and flexibility, the information security risks are not to be overlooked. A growing concern is the risk associated with third-party applications, which are often installed on corporate-connected devices.

Shadow IT growing exponentially

According to Cloudlock’s Q2 2016 Cloud Cybersecurity Report, Shadow IT, which refers to “any application employees utilize without IT approval,” is expanding in ways that may be compromising security. Cloudlock’s report, based on a survey of 10 million end users, shows that from 2014 to 2016, the number of potential third-party apps has increased 30 times, from 5,500 to 156,796.

As the list of potential applications has grown, so has the rate of installations. The number of third-party application installations is now 11 times higher than it was in 2014. Currently, the average organization has 733 third-party apps and more than 7,500 total installs.

Over one-quarter of apps are risky

Shadow IT can expose organizations to risks through these applications. While they can be used by employees to improve productivity and are sometimes sanctioned by IT, these apps are often authorized using corporate credentials and may demand extensive permission sets, including the ability to view, delete, externalize, and store corporate data.

Cloudlock measures the risk factor of these applications using a “Cloud Application Risk Index.” This index evaluates risk across three dimensions: access scopes, community trust ratings, and application threat intelligence. Using these measurements, Cloudlock determined that “of all the apps granted access to corporate systems in 2016, 27% were classified as high risk.”

Best practices to reduce risk

In its report, Cloudlock offers six recommended best practices to manage the risks associated with third-party applications:

  1. Understand what applications your users are authorizing, focusing on those that connect to your corporate environment.
  2. Create a classification and decision hierarchy specific to your organization’s needs. Create a protocol for which apps should be allowed, reviewed, or automatically revoked.
  3. Focus on apps that have the most installs, or most users attached to them.
  4. Keep a close eye on admin accounts. A super admin account should never be used to grant access to a third-party app due to possible implications throughout the entire enterprise.
  5. Evaluate the types of apps users are enabling for productivity and consider rolling them out to a specific department or throughout the enterprise. Consolidate apps where needed and standardize them based on the highest level of adoption.
  6. Continuously monitor your cloud environments at the application, platform, and infrastructure layers to highlight suspicious occurrences that may indicate a possible breach.
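
One way to turn practices 2 through 4 into a repeatable check, shown as an added example that is not taken from Cloudlock’s report or written by this article’s author. The scope labels, the trust scale and its 0.5 threshold, the rule order, and the sample inventory are all assumptions constructed for illustration.

```python
from dataclasses import dataclass

# Hypothetical scope labels, based on the permission kinds the article lists.
HIGH_IMPACT_SCOPES = {"delete", "externalize"}
TRUST_FLOOR = 0.5  # assumed cut-off on an assumed 0.0-1.0 community trust scale

@dataclass(frozen=True)
class AppGrant:
    app: str
    scopes: frozenset        # permissions the app was granted
    installs: int            # number of users who authorized the app
    community_trust: float   # 0.0 (untrusted) to 1.0 (trusted)
    threat_flagged: bool     # app appears in threat intelligence
    super_admin_grant: bool  # authorized from a super admin account

def classify(g: AppGrant) -> tuple[str, str]:
    """Return (decision, reason); the first matching rule wins."""
    if g.threat_flagged:
        return "revoke", "threat intelligence hit"
    if g.super_admin_grant:
        return "revoke", "granted from a super admin account"
    risky = sorted(g.scopes & HIGH_IMPACT_SCOPES)
    low_trust = g.community_trust < TRUST_FLOOR
    if risky and low_trust:
        return "revoke", "low trust with scopes: " + ", ".join(risky)
    if risky or low_trust:
        return "review", "needs a human decision"
    return "allow", "low-impact scopes and trusted"

def triage(inventory):
    """Work queue: revoke, then review, then allow; most installs first."""
    order = {"revoke": 0, "review": 1, "allow": 2}
    rows = [(g, *classify(g)) for g in inventory]
    rows.sort(key=lambda r: (order[r[1]], -r[0].installs))
    return [(g.app, decision, reason) for g, decision, reason in rows]

# Constructed sample inventory; not real applications or real data.
INVENTORY = [
    AppGrant("calendar-sync", frozenset({"view"}), 410, 0.9, False, False),
    AppGrant("pdf-converter", frozenset({"view", "store", "externalize"}), 95, 0.3, False, False),
    AppGrant("mail-merge", frozenset({"view", "delete"}), 230, 0.8, False, False),
    AppGrant("org-chart", frozenset({"view"}), 12, 0.9, False, True),
    AppGrant("notes-clipper", frozenset({"view", "store"}), 60, 0.4, False, False),
]

if __name__ == "__main__":
    for app, decision, reason in triage(INVENTORY):
        print(f"{decision:7} {app:15} {reason}")
```
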

Information security professionals are facing big challenges when it comes to the risks and rewards of third-party apps connected to the corporate environment. Understanding the threats and applying these recommendations can help keep systems and data secure.

Capella University’s information cybersecurity degree and certificate programs can help prepare you to build a career in information security.
