BYOD Security In IoT: Benefits And Challenges

Researchers’ Contributions on BYOD Security in IoT

Since the birth of computing in the 1960s, it has undergone several notable transitions on the way to modern computing. The types of computers have moved from mainframe computers to minicomputers, and they have now evolved into personal computers (PCs), which are server-driven in nature. Personal computers ushered information technology (IT) into internet computing. Due to the proliferation of cloud-based mobile devices and applications, internet computing has been superseded by mobile computing. BYOD began roughly around 2003, but it took some time to become common, and its popularity rose significantly in 2013 (Leavitt, 2013). There is growing pressure from the populace in many countries for businesses to allow their staff to bring personal gadgets such as smartphones and tablets to the workplace, and this leaves businesses with no option but to put a BYOD policy in place (Millard, 2013). BYOD is a policy in the information technology sector that allows employees to access sensitive corporate data at work using their personal computing devices (Li, Peng, Huang, & Zou, 2013). Mobile devices, including tablets and smartphones, combine voice and data services with portability to open up an extensive range of possible mobile applications, “anytime and anywhere” (Disterer & Kleiner, 2013). The BYOD policy and program give employees the choice of device to use in performing their tasks, with personal devices such as laptops, tablets and smartphones included (Citrix®, 2013). The policy allows employees to use personal gadgets to access data not only within the work environment but also when they are not at work.


BYOD is not just an issue in our country; it is a global phenomenon, according to a 2012 survey done by Cisco (Cisco, 2012). Cisco conducted the survey across 8 countries in 3 different regions of the world, namely Europe, Asia and Latin America. The survey involved enterprises with more than 1000 employees and midsize companies with 500-999 employees. Earlier, a similar survey had been conducted in the United States of America and involved 18 industries and 600 IT leaders, so this research was an extension of the United States research. According to Ovum’s survey (2012), which was done in seventeen nations among the developed and emerging economies of the world, 75% of employees in emerging economies use their personal devices at work, while in developed countries 44% of employees use their individual devices at work. The developed economies in the survey included the United States, United Kingdom, Japan, Italy and Sweden, while the emerging economies included Russia, India, Brazil, Singapore and Malaysia. It is predicted that by the end of 2018 most employees, roughly 70%, will be using personal smart computing devices to conduct their work (Gartner, 2014). According to these surveys and reports, the prevalence of BYOD is increasing rapidly in both emerging and developed countries.

Material and Methods

Most of the research and studies on BYOD began around 2011, although BYOD started to emerge in 2013 (Björn, 2012). There are several white papers published by now that describe the BYOD situation and its security concerns, and some of them go further and recommend non-technical solutions to the risks presented by BYOD. These suggested non-technical solutions include policy to regulate the prevalence of BYOD. A white paper presented by EY (2013) identifies the BYOD risk landscape and categorizes it into 3 groups, namely addressing application risks, mobile devices, and management of the mobile environment. This white paper presents policy-based (non-technical) resolutions to the risks and concludes by offering 8 steps to protect and develop a BYOD policy. A research report by Deloitte (2013) provides an evidence-based commentary on the state of BYOD policy in the United Kingdom. This survey tries to clarify misunderstandings and provides matter-of-fact intelligence that incorporates perspectives from a wide range of fields such as talent, tax, risk management and information technology. Johnson (2012) also carried out research to address and understand the risks associated with BYOD, and this research involved more than 500 information technology experts. The main intent of this non-scientific survey was to determine the level of policies and controls and the mobile device usage allowed in BYOD. Edwards (2013), Leavitt (2013), Miller et al. (2012), Potts (2012), Thielens (2013), Morrow (2012), Thomson (2012), Mansfield-Devine (2012), and Tokuyoshi (2013) all presented their expert perspectives on BYOD security in the Internet of Things. The literature available on this topic shows that BYOD security in the Internet of Things is a major concern among researchers in the information technology sector.

This research relies mainly on secondary information from published surveys, reports and work on BYOD by academic researchers. We collected information and data from peer-reviewed academic research publications, survey and white paper publications, and periodicals by experts in information security. This involved using online databases to access a large pool of relevant information on BYOD security in the internet of things in information and communication publications. The statistical data obtained in these reports and surveys were presented in different formats, such as tables and graphs, to facilitate efficient analysis and to extract valuable information from them. The research then emphasized a comprehensive and thorough analysis of the results obtained in the surveys and reports in order to reach solid, evidence-based conclusions.

Results

Figure 2.  BYOD challenges with security concerns at the top (Forrester, 2012)


We have seen that BYOD is a new trend in information technology that comes with both benefits and challenges for businesses and other organizations. Employees tend to be more productive and mobile when they are given the flexibility to choose the devices they prefer for performing their designated duties. This flexibility benefits not only the employee but also the business organization. Cost savings, blurring the work-leisure divide and having access to employees at any place and time are some of the benefits that a business can enjoy from a BYOD policy. The cost benefits arise because the BYOD policy allows staff to use their individual smart mobile computing gadgets at work, so the business does not necessarily need to provide the devices from the organization's budget (Mahesh & Hooter, 2013). Some of the valuable benefits of BYOD are identified by Deloitte (2013) and AirWatch (2012). The benefits identified by the two include simplified information technology infrastructure, maximized employee contentment, cost saving and management flexibility. The major benefit of BYOD to employees is the very high level of convenience it provides. Several publications have given a lot of insight into the benefits of BYOD, including Morrow (2012), Hurlburt, Voas, and Miller (2012), Kerravala (2012), Hayes (2012), EY (2013), Edwards (2013), Disterer and Kleiner (2013), Deloitte (2013) and Citrix® (2012, 2013). For the organization and employees both to enjoy the merits that come with BYOD, they must also consider the challenges that come along with a BYOD policy.

Although companies are primarily concerned with upholding security, employees are concerned about the privacy they expect for the individual data on their mobile computing gadgets, as well as about keeping the convenience of working from their personal devices (AirWatch, 2012). Under a BYOD policy, corporate information is sent to gadgets which are not controlled and coordinated by the information technology department, and this is a very big challenge to businesses. It raises concerns about the security consequences for data theft, regulatory compliance and data leakage (Morrow, 2012). Security is the main challenge of BYOD policy, and the real challenge lies in controlling access to corporate data from these devices, not in the devices themselves. The security challenges that come along with BYOD are a very serious concern among security officers and captains of enterprises. Academic researchers have also shown interest in understanding the challenges of BYOD so as to come up with the most appropriate recommendations to alleviate the situation. The biggest risk associated with this policy, according to Shawkat and Alharthy (2013), is theft or loss of mobile devices, as this may expose very vital corporate data to unknown people. A scalable and secure BYOD strategy has to be put in place to help manage the risks that arise when employees lose their personal devices or terminate their contract with the company (Thielens, 2013). A Forrester (2012) survey, whose results are shown in Figure 2, involved around 202 respondents with an understanding of the effect of the BYOD program on their organization or business and revealed that security worries are among the topmost challenges to realizing BYOD programs.

Discussion

Mobile Device Management (MDM) suites are designed to address mobile device challenges that are not necessarily specific to BYOD. These mobile device challenges include inventory management, software distribution and policy management. MDM functionality is comparable to PC configuration life-cycle management (PCCLM), although MDM suites include other mobile-specific requirements. MTI Technology (2014) provides more insight into the operating mechanisms of MDM, outlining how MDM works. However, the challenges associated with BYOD cannot be addressed exclusively by mobile device management. This is because MDM cannot stop a hacker from accessing corporate data through an employee’s device, and it cannot prevent theft or loss of the employee’s device, which exposes data to unauthorized individuals. According to a Gartner (2014) prediction, twenty percent of the original BYOD policies will fail due to the rollout of extremely obstructive MDM measures.

Trustwave, a security vendor, carried out a survey that discovered that 99% of the vulnerabilities common in desktop computers are also found in mobile gadgets, irrespective of the operating system (Leavitt, 2013). The most challenging security threats to the BYOD policy include distributed denial of service (DDoS), malware, and data leakage (Morrow, 2012).

Malware is a term used to denote malicious applications that can disrupt corporate applications and mobile devices. Mobile applications with embedded code that compromises the security of the related data or the mobile device are an example of malware. When a company is faced with a malware attack, an attacker can impersonate corporate identities, or private corporate information can be lost. Malware can attack both the personal devices of the employee and the corporate applications, and this makes both of them non-functional. Malicious applications always resemble the regular corporate applications, but they have been embedded with malicious code. When a user visits a compromised site in the internet of things, they can easily encounter a malicious application that can attack the device and the corporate applications. MTI Technology (2014) explains in detail the effects of malware on BYOD.

A DDoS attack is a coordinated attack on the availability of the services of a targeted network or system, launched indirectly via several compromised computing systems. A DDoS attack can prevent legitimate workers from operating equipment from their personal devices or computer networks. The negative impact of a DDoS attack is mostly felt on the business servers, and this prevents regular users from accessing the systems of the organization.

Benefits and Challenges of BYOD

BYOD allows employees to access corporate data regardless of the time and their geographic location, and this can result in data leakage. Since corporate records are stored on and retrieved by employees' personal gadgets, the business organization has minimal or zero control over corporate information. If an employee loses their personal device, the corporate data will be accessible to any individual who comes to possess the device. This can be very risky to the organization, since the device may expose confidential corporate data to unauthorized individuals who may use the data for malicious aims.

Table 1.  Common Threats of BYOD with Their Causes and Implications for Enterprises

| Attack on BYOD | Causes of Attack | Implications for organization |
| --- | --- | --- |
| Malware | Trojan apps: malicious code can be inserted into the application by an attacker with the intention of attacking devices or enterprise applications. Social media, email, and SMS links: links are embedded in SMS, social media posts, and emails with the intention of redirecting users to a website that hosts malicious files. Third-party app stores: some third-party app stores may host malware that can potentially harm devices, systems, and networks. | Theft of enterprise information. Enterprise applications malfunctioning. Both corporate infrastructure and personal mobile devices of the employee are affected by malware. |
| DDoS | The malicious intention by an attacker. Exploitable vulnerabilities in an enterprise network. | Negative impact on the server. Deny the availability of the system for legitimate users. |
| Data leakage | The malicious user of a mobile device. Remote access to the mobile device by an attacker. Application vulnerabilities. Loss of mobile device. Malicious application. Social engineering. | Expose corporate confidential information in the public. |

It would be absurd to deny that BYOD is here to stay, given its rapid increase in prevalence in nations with both developed and emerging economies. Some experts predict that by 2020 half of enterprises will not provide employees with devices and will expect them to use their own smart gadgets to perform their mandated tasks (Leavitt, 2013). Although both the organization and the employee benefit from a BYOD policy, the security challenges associated with this program are a major concern. It falls to both information security experts and academic researchers to gain a better understanding of these challenges so that they can come up with innovative ideas to remedy the situation (Potts, 2012). There is a large pool of theoretical information in the journals and publications on this topic that gives an insight into the nature of these security challenges and the risks associated with them.

BYOD security threats, BYOD challenges, BYOD threats, Bring Your Own Devices and BYOD are the key phrases and words that helped us find more published information in the internet databases. There are several peer-reviewed publications that discuss this topic, and in this research I came across more than 50 publications with very significant and relevant information on BYOD security in the internet of things. The results above came after a thorough analysis and comparison of the large pool of data and the extraction of useful information from it. The IEEE Xplore digital library, white paper surveys, the ACM digital library, Springer and other Google Scholar journals were the sources of the secondary data used in this research.

Conclusion

The research provides very important information on BYOD security in the internet of things. BYOD is an IT policy that allows workers to access sensitive corporate data at work using their personal computing devices. Personal mobile gadgets such as tablets and smartphones combine voice and data services with portability to open up an extensive range of possible mobile applications, “anytime and anywhere”. The BYOD policy and program give employees the choice of device to use in performing their tasks, with personal devices such as laptops, tablets and smartphones included. The research involved a comprehensive analysis of the large pool of published information on the topic, and we extracted very important information from these sources. The BYOD program comes with many advantages for both employees and employers, although it comes with demerits as well.

Employees tend to be more productive and mobile when they are given the flexibility to choose the devices they prefer for performing their designated duties. Cost savings, blurring the work-leisure divide and having access to employees at any place and time are some of the benefits that a business can enjoy from a BYOD policy. However, the information security challenge is a major concern that puts organizations at risk, and this slows down the adoption of BYOD policy. Information security experts and academic researchers have been concerned with understanding the nature of the security threats and have suggested several technical and non-technical approaches to handle this situation. BYOD is a rapidly developing trend in IT that requires similar research to be done continuously so as to improve this technological advancement, which has the potential to offer many benefits to employees and organizations.

References

AirWatch. (2012). Enabling bring your own devices (BYOD) in the enterprise. Retrieved from https://www.ciosummits.com/media/solution_spotlight/byod-whitepaper.pdf

AlHarthy, K., & Shawkat, W. (2013, November-December). Implement network security control solution in BYOD environment. IEEE International Conference on Control System, Computing and Engineering, Penang, Malaysia.

Armando, A., Costa, G., & Merlo, A. (2013, March). Bring your own device, securely. Proceedings of the 28th annual ACM Symposium on Applied Computing, Coimbra, Portugal.

Ballagas, R., Rohs, M., Sheridan, J. G., & Borchers, J. (2013). BYOD: Bring your own device. Retrieved from https://www.vs.inf.ethz.ch/publ/papers/rohs-byod-2004.pdf

Björn, N., Sebastian, K., Kevin, O., & Stefan, K. (2012). Towards an IT consumerization theory: A theory and practice review. Working papers, ERCIS – European research center for information systems, no 13. Retrieved February 10, 2014 from https://hdl.handle.net/10419/60246

Chung, S., Chung, S., Escrig, T., Bai, Y., & Endicott-Popovsky, B. (2012, December). 2TAC: Distributed access control architecture for “bring your own device” security. ASE/IEEE International Conference on Biomedical Computing, Washington, DC.

Cisco. (2012). BYOD: A global perspective (Survey report). Retrieved from https://www.cisco.com/web/about/ac79/docs/re/BYOD_Horizons-Global.pdf

Citrix®. (2013, April). Best practices to make BYOD simple and secure (White paper). Retrieved from https://www.citrix.com/content/dam/citrix/en_us/documents/oth/byod-best-practices.pdf

Citrix®. (2012, March). Bring your own devices (Solution brief). Retrieved from https://www.prosysis.com/wp-content/uploads/

Deloitte. (2013). Understanding the bring-your-own-device landscape (A Deloitte research report). Retrieved from https://www2.deloitte.com/content/dam/Deloitte/uk/Documents/about-deloitte/deloitte-uk-understanding-the-bring-your-own-device%20landscape.pdf

Denman, S. (2012). Why multi-layered security is still the best defence. Network Security, 2012, 5-7. doi:10.1016/S1353-4858(12)70043-0

Disterer, G., & Kleiner, C. (2013). BYOD bring your own device. Procedia Technology, 9, 43-53. doi:10.1016/j.protcy.2013.12.005

Edwards, C. (2013). Identity: The new security perimeter. Computer Fraud & Security, 2013, 18-19. doi:10.1016/S1361-3723(13)70082-4

EY. (2013). Bring your own device: Security and risk considerations for your mobile device program (Insights on governance, risk and compliance). Retrieved from https://www.ey.com/Publication/vwLUAssets/EY_-_Bring_your_own_device:_mobile_security_and_risk/$FILE/Bring_your_own_device.pdf

Forrester. (2012). Key strategies to capture and measure the value of consumerization of IT. Cambridge, MA: Forrester Consulting. Retrieved from https://www.trendmicro.com/cloud-content/us/pdfs/business/white-papers/wp_forrester_measure-value-of-consumerization.pdf

Gajar, P. K., Ghosh, A., & Rai, S. (2013). Bring your own device (BYOD): Security risks and mitigating strategies. Journal of Global Research in Computer Science, 4, 62-70.

Gartner. (2014, January). Gartner says less than 0.01 percent of consumer mobile apps will be considered a financial success by their developers through 2018. Gartner Newsroom. Retrieved from https://www.gartner.com/newsroom/id/2648515

/mobility-sec-survey

Kerravala, Z. (2012). Bring-your-own-device requires new network strategies (ZK Research). Retrieved from https://www.xirrus.com/cdn/pdf/zeusk_byod_requires_new_network_strategies

Kim, D. H., Gong, J. H., Park, W. H., & Park, N. (2013, June). Vulnerability of information disclosure in data transfer section for safe smartwork infrastructure. International Conference on Information Science and Applications (ICISA), Suwon, South Korea.

Kodeswaran, P., Chakraborty, D., Sharma, P., Mukherjea, S., & Joshi, A. (2013, September). Combining smart phone and infrastructure sensors to improve security in enterprise settings. 1st International Workshop on Pervasive Urban Crowdsensing Architecture and Applications, Zurich, Switzerland.

Leavitt, N. (2013). Today’s mobile security requires a new approach. IEEE Computer Society, 46, 16-19.

Lee, J., Lee, Y., & Kim, S. (2013). A white-list based security architecture (WLSA) for the safe mobile office in the BYOD era. In James J. (Jong Hyuk) Park, Hamid R. Arabnia, Cheonshik Kim, Weisong Shi, & Joon-Min Gil (eds) Grid and pervasive computing (Vol. 7861, pp. 860-865). Berlin, Germany: Springer.

Li, F., Peng, W., Huang, C., & Zou, X. (2013, June). Smartphone strategic sampling in defending enterprise network security. IEEE International Conference on Communications, Budapest, Hungary.

Mahesh, S., & Hooter, A. (2013). Managing and securing business networks in the smartphone era (Management Faculty Publications, Paper 5). Retrieved from https://scholarworks.uno.edu/mgmt_facpubs/5

Mansfield-Devine, S. (2012). Interview: BYOD and the enterprise network. Computer Fraud & Security, 2012, 14-17. doi:10.1016/S1361-3723(12)70031-3

Millard, A. (2013). Ensuring mobility is not at the expense of security. Computer Fraud & Security, 2013, 11-13. doi:10.1016/S1361-3723(13)70080-0

Miller, K. W., Voas, J., & Hurlburt, G. F. (2012). BYOD: Security and privacy considerations. IT Professional, 14, 53-55. doi:10.1109/MITP.2012.93

Morrow, B. (2012). BYOD security challenges: Control and protect your most sensitive data. Network Security, 2012, 5-8. doi:10.1016/S1353-4858(12)70111-3

MTI Technology. (2014). Bring your own device: The future of corporate computing (MTI white paper). Retrieved from https://mti.com/Portals/0/Documents/White%20Paper/MTI_BYOD_WP_UK.pdf

Niehaves, B., Koffer, S., Ortbatch, K., & Katschewitz, S. (2012, July). Towards an IT consumerization theory: A theory and practice review (Working papers, European Research Center for Information Systems, No. 13). Retrieved from https://hdl.handle.net/10419/60246

Ovum. (2012). An emerging market trend in more ways than one (Consumer impact technology). Retrieved from https://www.us.logicalis.com/global/united%20states/whitepapers/logi-calisbyodwhitepaperovum.pdf

Polla, M. L., Martinelli, F., & Sgandurra (2013). A survey on security for mobile devices. IEEE Communications Surveys & Tutorials, 15, 446-470.

Potts, M. (2012). The state of information security. Network Security, 2012, 9-11. doi:10.1016/S1353-4858(12)70064-8

Singh, N. (2012). BYOD genie is out of the bottle—“Devil or angel.” Journal of Business Management & Social Sciences Research, 1, 1-12.

Thielens, J. (2013). Why API are central to a BYOD security strategy. Network Security, 2013, 5-6. doi:10.1016/S1353-4858(13)70091-6

Thomson, G. (2012). BYOD: Enabling the chaos. Network Security, 2012, 5-8. doi:10.1016/S1353-4858(12)70013-2

Tokuyoshi, B. (2013). The security implications of BYOD. Network Security, 2013, 12-13. doi:10.1016/S1353-4858(13)70050-3

Werthmann, T., Hund, R., & Davi, L. (2013). PSiOS: Bring your own privacy & security to iOS devices. Proceedings of the 8th ACM SIGSAC Symposium on Information, Computer and Communications Security, Hangzhou, China.

Zhao, Z., & Osorio, F. C. (2012, October). TrustDroid™: Preventing the use of smartphones for information leaking in corporate networks through the use of static analysis taint tracking. In Proceeding of the 7th International Conference on Malicious and Unwanted Software (MALWARE) 2012 (Fajardo, Puerto Rico), IEEE Explore, 135 – 143. Available online at https://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber