Category: Risk Management and Information Security Blog


Have you ever mistyped a website domain – a few missed letters here, a forgotten hyphen there, or the wrong domain ending – and found yourself, not at a 404 error page, but on an unfamiliar, sinister website?

This phenomenon is called typosquatting – a form of cybersquatting in which imposters register domains that are intentionally misspelled versions of popular web addresses in order to install malware on the visitor’s system. It is essentially typo hijacking: it relies on the user’s carelessness when entering a URL.

In its more extreme forms, typosquatting resembles phishing: the wrong website mimics the real one, so the user wrongly believes he or she has reached the right site.
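The typo classes named above (missed letters, a forgotten hyphen, a wrong domain ending) can be enumerated ahead of time so a company can register or monitor the look-alikes of its own domain. The script below is an added example, not code from the blog; the domain `my-bank.com`, the observed-domain list and the partial QWERTY neighbour map are constructed for illustration. It generates the variants, then checks a list of observed domains (for instance from passive DNS or a newly-registered-domain feed) against them, with a small edit-distance fallback for near misses the generator did not produce.

```python
"""Generate typo variants of a company's own domain and flag observed
look-alike registrations. Added example; the domain and the observed
list are constructed, not taken from the post."""
from typing import Dict, Iterable, Set, Tuple

# Adjacent keys on a QWERTY keyboard (letters only), used for the
# "one key off" class of typos. Constructed for this example.
QWERTY_NEIGHBOURS = {
    "a": "qwsz", "b": "vghn", "c": "xdfv", "d": "serfcx", "e": "wsdr",
    "f": "drtgvc", "g": "ftyhbv", "h": "gyujnb", "i": "ujko", "j": "huikmn",
    "k": "jiolm", "l": "kop", "m": "njk", "n": "bhjm", "o": "iklp", "p": "ol",
    "q": "wa", "r": "edft", "s": "awedxz", "t": "rfgy", "u": "yhji",
    "v": "cfgb", "w": "qase", "x": "zsdc", "y": "tghu", "z": "asx",
}


def split_domain(domain: str) -> Tuple[str, str]:
    """'my-bank.com' -> ('my-bank', 'com'). Subdomains are not handled."""
    label, _, tld = domain.lower().strip(".").rpartition(".")
    return label, tld


def typo_variants(domain: str, extra_tlds: Iterable[str] = ("co", "net", "org")) -> Set[str]:
    """Return the set of look-alike domains for one registrable domain."""
    label, tld = split_domain(domain)
    labels: Set[str] = set()
    for i, ch in enumerate(label):
        labels.add(label[:i] + label[i + 1:])             # omitted character
        labels.add(label[:i] + ch + ch + label[i + 1:])   # doubled character
        for nb in QWERTY_NEIGHBOURS.get(ch, ""):          # adjacent-key substitution
            labels.add(label[:i] + nb + label[i + 1:])
        if i < len(label) - 1:                            # transposed neighbours
            labels.add(label[:i] + label[i + 1] + ch + label[i + 2:])
    if "-" in label:                                      # forgotten hyphen
        labels.add(label.replace("-", ""))
    labels.discard(label)
    labels.discard("")
    variants = {f"{lab}.{tld}" for lab in labels}
    for alt in extra_tlds:                                # wrong domain ending
        if alt != tld:
            variants.add(f"{label}.{alt}")
    return variants


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance, single-row dynamic programming."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def find_lookalikes(own: str, observed: Iterable[str], max_distance: int = 1) -> Dict[str, str]:
    """Map each observed domain that resembles `own` to the reason it was flagged."""
    own = own.lower().strip(".")
    own_label, _ = split_domain(own)
    variants = typo_variants(own)
    hits: Dict[str, str] = {}
    for seen in observed:
        seen = seen.lower().strip(".")
        if seen == own:
            continue
        seen_label, _ = split_domain(seen)
        if seen in variants:
            hits[seen] = "generated typo variant"
        elif levenshtein(seen_label, own_label) <= max_distance:
            hits[seen] = "label within edit distance %d" % max_distance
    return hits


if __name__ == "__main__":
    OWN = "my-bank.com"  # constructed company domain
    OBSERVED = ["mybank.com", "my-bnak.com", "my-bank.xyz",  # constructed feed
                "example.org", "my-bank.com"]
    for name, why in sorted(find_lookalikes(OWN, OBSERVED).items()):
        print(f"{name:16} {why}")
```

Registering the highest-risk variants yourself and alerting on the rest (including the unexpected endings the edit-distance branch catches) is the usual defensive use; the generator also gives security awareness training concrete examples of what a mistyped address can turn into.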

Typosquatting is also a form of social engineering scam, which I discussed in my previous blog. Social engineering exploits human weaknesses: a cyber criminal tricks people with sophisticated methods while hiding his real identity and intent. It operates through manipulation, and the internet has given these criminals numerous ways to do that.



So how do you protect your business from these kinds of threats? Training employees is certainly a good start. You can give your staff the following guidance:

  • Never disclose confidential information, such as passwords or bank details, over email exchange or telephone.
  • If you receive a suspicious email, the motto is: better not to react than to fall for the scam. If the matter is legitimately important, the sender will try to contact you through another route.
  • In the case of supposedly urgent emails, it is advisable to check the authenticity of the sender by telephone.
  • Always keep an eye on social media fake accounts and report them to avoid angler phishing and social web threats.
  • Lastly, live up to the desired cyber-security awareness yourself.

A robust domain defense strategy can ensure company success in the long run, but only if your people are included in that strategy. If your organization is currently idle about security issues, it’s time to rethink your strategy, and do not forget the human factor side of your company. Multiple IT solutions can guide you in matters like this and help you build a better secured system within your organization. Since social engineering targets humans, your organization is at risk of attack at any time. So keep in mind that protecting your clients and employees also means protecting your organization.

Social Engineering, a Cyber Crime Waiting to Happen

By Amine Mekkaoui,


More than ever, companies today communicate with their employees, vendors, and clients through online apps. Not everyone is technologically sophisticated, and this is where cyber criminals take advantage and do what they do best: find vulnerabilities and a weak link that will get them access to confidential and personal information.

One way to accomplish this is by using a method called “Social Engineering”.

WHAT IS SOCIAL ENGINEERING?

According to the University of Delaware, SOCIAL ENGINEERING is influencing or manipulating another person into handing over personal data or information about a person or a company, by pretending to be someone the individual or company is related to, usually through the internet, e-mail, phone calls or text messages.


Most users use simple, easy-to-remember passwords to access the critical online applications they use daily. Additionally, our personal information is readily available on the net. Our social media logs and public records can be stitched together to highlight our profile, including where we live, our phone numbers, email addresses, friends we know, the names of our kids, our parents’ names, and places we previously lived. Hackers can use this information as a first step in approaching their victims and gaining access to their bank accounts and/or their employers’ business applications.

HOW DOES THIS WORK?

With today’s work-from-home revolution, where most transactions happen online, companies are at risk. Social engineers have the advantage, especially when companies are not prepared and well protected.

Social engineers are experts at manipulating a person’s readiness to trust. Banks and financial companies are common targets since, most of the time, money is what they are after, and to get it they need to gather personal information about those companies’ clients.


Joan Goodchild, a California journalist who writes about security and technology, reiterated in her article ‘Social Engineering Tricks That Fool Unsuspecting Employees’ that social engineers tend to gain the trust of clients by pretending to be employees of a company. They take time to learn the so-called ‘work lingo’ in order to fool a client into handing over personal information while maintaining a legitimate image; the social engineer then uses that information to obtain the client’s data held by the agency or company or, in the case of a bank, the client’s money.

Social engineers may fool not just clients but also other employees, pretending to be one of them, working their way into the company’s domain and learning the company’s protocols and routines so that they pass as an insider. They will ask their ‘fellow employees’ for help, posing for example as an auditor or law officer who needs access to private information, and the employee will unknowingly help them take care of the matter.

Statistically speaking, a 2019 study by The Radicati Group counted about 3.9 billion active email users around the world, and the figure is expected to have increased since. This is supported by Clement, a known internet and e-commerce researcher, who estimates a 2-3% increase in email usage over 2018-2023, which implies the number of email users rising to 4.48 billion in 2024.

These are not mere numbers; they are the number of email users who may be considered at risk, most of them professionals and employees.

HOW CAN I PREVENT THIS FROM HAPPENING?

If you are part of a company handling business information:

a.)   Be suspicious of anyone calling or emailing who claims to have a business contact with one of your company’s employees in order to obtain information. Double-check your client/vendor list to verify the person’s identity and confirm it with the employee. An example of such a communication would be: “Hi, I am John Doe, and I was hired by your CFO Jane Doe, who gave me your contact information to fix a database issue on your accounting application. Can you please help me get access so I can take a look?”

b.)   Do not provide information about the company you work for unless instructed by your employer. This commonly happens through calls to call center companies, or to customer service staff, from people who pretend to need the information. The company should also enforce strict security to protect and verify the identity of its employees.

c.)   Be aware of suspicious emails from people pretending to have a business relationship with your employer as a vendor or client, using what look like legitimate emails from known companies, including banks and credit card issuers. If you don’t know who is emailing you, don’t give out any information unless you have verified the sender with your manager.

If the information which may be at risk is yours:

a.)   Many online applications now offer two-factor (“double”) authentication, which grants access only with information that you and you alone can provide. This is typically a code sent by text or voice message to the phone registered in your account profile for that application, which you must enter to authenticate and get access to your app.

b.)   Be careful about giving out your information. If you are pressured to provide it, be suspicious and deny the request unless you can confirm the requester’s identity with someone you know and trust.

c.)   Even ordinary phone calls may be used to collect your information, so be alert and vigilant when taking calls or answering text messages that request personal information.

Social engineering is just one of the many threats that we have today, especially with our current environment. With awareness and knowledge about cybercrime tactics, we can always be one step ahead in protecting our personal information and our companies.

Do you need more information about this? Let’s chat and talk about the struggles we have in the industry and how we can work together to move forward and survive these struggles.

In our next blog, I will be discussing a new trend among social engineers – typosquatting. As for now, beware and never be a victim of any online fraud and cybercrime.

Protect Your Company Against Possible Ransomware Attacks

By Amine Mekkaoui,

Countless cyberattacks, especially ransomware, are being experienced across the globe despite the global pandemic haunting every corner of our world. In fact, the gravity of the situation led the US and UK to release joint statements against ransomware.

‘Anytime there’s a global event, hackers like to weaponize it. So whether it’s the Olympics or an election, or a global pandemic, hackers are trying to leverage what the situation is against users’, Bloomberg News Cyber Security Reporter Kartikay Mehrota shared in a published online report.


What is even worse is that most attacks in recent months were against medical institutions, hospitals, government agencies and medical universities, which are on the front line of the fight against the deadly coronavirus.

Just recently, the University of California, which is conducting medical research on COVID-19, was extorted for more than a million dollars after its servers were hacked. This is just one of the big-time ransomware attacks recorded at the height of this pandemic.

But don’t get me wrong, this doesn’t mean that other institutions and companies are spared. Let us not forget that anyone can be a victim of these attacks, as I discussed in my previous blog ‘Ransomware is no longer just a threat’.

The question now is: how can you protect your company against ransomware and other cyber-related attacks?

There’s much to be done to make sure that your data and company are protected, but here are the most significant tips:

1. Conduct a risk assessment in your company – it is important to know how vulnerable your company is to ransomware attacks. Conduct risk assessments of your entire infrastructure and cloud services. You can use a SaaS online tool like AuditRun to assess your risk and mitigate it.

2. Update all business devices – it is crucial that the operating systems of all devices in the company are updated, and especially the anti-virus and anti-malware software. It is also recommended to use a VPN and multi-factor authentication for your cloud services, including email and teleconferencing.

3. Educate your employees – run training sessions that help them identify and prevent ransomware attacks. It is crucial to remind your employees of the following:

a. Be mindful of links and attachments sent by email, as these may carry the malware or virus that encrypts some or all of the company’s data. Employees must also be reminded to be wary of COVID-related emails: they must learn to verify the content of the email and/or its sender, and never take the bait.

b. Never provide personal information in response to text messages, callers or email messages. Fraudsters use social engineering methods to trick users into giving them the key information that lets them gain access to and control of company systems.

4. Implement the use of privileged accounts – one way to limit your network’s exposure to malware is to implement a system that restricts the installation of software that is not on the approved list of applications published by the company’s IT and/or security team.

5. Prepare a data backup and recovery plan – one way to be prepared for any possible ransomware attack is to have a data backup and recovery plan. This has been proven to lessen the damage and impact of cyberattacks and ransomware schemes. The goal is to show bad actors that they can no longer make money easily using ransomware or similar methods.

Today, when everyone is hungry for information and some are living in fear, we are vulnerable and a good malware target. Let’s not allow cybercriminals to gain more power and make us victims. In this digital world, it is always important to be one step ahead.


At this rate, we may not be able to completely stop them, but we can solidify our defenses to fight such attacks and manage our risk.

Ransomware Is No Longer Just A Threat

By Amine Mekkaoui,

In April 2016, I wrote an article on ransomware and how it can be a major threat to major organizations and government agencies. Now some of the biggest companies, several of them listed in the Fortune 500, have recently faced attacks from cybercriminals who encrypted their systems and personal files and demanded ransom to restore access.


Just last April 2020, cybercriminals exploited the global pandemic caused by the coronavirus to break into the records of various hospitals and healthcare companies. One of them is Hammersmith Medicines Research in London, which is at the forefront of clinical trials for a new vaccine against Covid-19. As expected, the hackers encrypted the company’s patient records and used them as leverage to get what they want.

This happened at a time when these hospitals and healthcare providers were at their most desperate and struggling.

This incident is just one on a long list of ransomware attacks around the world. In 2019, two city governments in Florida (Lodi and Lake City) suffered separate incidents involving ransomware.

In Lodi, hackers targeted phones and financial services, badly affecting the city’s ability to access swaths of its data, while in Lake City, utility maps and the geographic information system, together with important documents such as meeting minutes and city resolutions, were compromised. Both cities were left with no choice but to give in to the hackers’ demands and were forced to pay a total of $1,060,000.00 to regain access to their IT systems.

Given the series of ransomware attacks in recent years, Federal Bureau of Investigation Cyber Section Chief Herbert Stapleton said that he now considers ransomware one of the most serious cybercriminal problems we face right now.

Available data supports Stapleton: cybersecurity firm Emsisoft reported an unprecedented wave of ransomware attacks on more than 200,000 organizations in 2019 alone. The biggest ransomware attack of 2019 hit Danish hearing aid manufacturer Demant, which suffered recovery and mitigation costs of $80 million to $95 million.

On the other hand, the single largest known payout for a ransomware attack was recorded in June 2017, after hackers infected more than 150 Linux servers hosted by South Korean web provider Nayana, shutting down 3,400 websites. The company paid a whopping $1,000,000 to restore access.


But what exactly is ransomware? It is software code, usually delivered through an email or a believable link, that immediately hacks into the computer system and starts locking data one by one, from photos and videos to documents and applications. The only way to regain access to the data is to pay a specific amount of money to the hackers in exchange for decryption of the files. The hackers who took control of the data hold the key, which is released only if the demanded ransom is paid.

But more than the cost of these cyberattacks, millions of private files essential to the operation of government agencies, academic institutions, banks and hospitals, among others, are at risk of being exposed. This was confirmed when Emsisoft reported that prolific ransomware operators create their own websites to publish the stolen data of non-paying victims.

This is the very reason why we need to be educated about these kinds of cyberattacks, which are undeniably rampant today. A lack of understanding of these cybercrimes leads to a bigger problem of being exposed. The fact is, ransomware is no longer just a threat. It is happening and is just waiting for its next victim. If it can prey on big companies, clearly no one is spared.

Note: Coming soon, Five Ways to Prevent Being Exposed to Ransomware

Is Your Reputation At Risk?

By Amine Mekkaoui,

You’ve done everything to build and brand a great product and company, everything to keep your clients’ data safe…but sometimes things can go wrong and you will be the first one blamed.

According to the World Economic Forum Global Risks 2012 report, on average, more than 25 percent of a company’s market value is directly attributable to its reputation, and that number continues to climb.

Reputational risks are caused by many intended and unintended events, for example: a cyberattack on a retailer’s credit card data, manipulating markets or making trades based on insider data, employing under-aged workers overseas for a “US-based” company, or accidentally serving contaminated or expired food at a restaurant.

Whether the event is intended or unintended, the responsibility ultimately belongs to the company’s CEO and their management team. Why? Because it directly impacts revenue and the company’s brand.

One of the major reputational risks today is systems interruption and cybersecurity. Any interruption to services – whether from a cyber attack, system-wide outage, human error, or security breach – is a business disruption that reaches from the C-suite executives down to their clients, and can cost extremely valuable time and money to repair…not to mention the damage to your reputation.

Some things are out of your control and customers will understand that; for example, a storm knocking out power and shutting down your systems. They won’t, however, be as understanding if you weren’t proactive in safeguarding your company. So how do you stay ahead of the problems?

  • If a third-party is hosting your data or is the hub of your operation you still need to remain in control. When their systems go down or are breached, your clients are coming to you with their complaints – because ultimately you are responsible. One way to be proactive with a third-party vendor is to have them comply with your own internal requirements.
  • Make sure you have a tested disaster/incident recovery plan in place. Disaster/incident recovery planning is a huge undertaking and touches every part of your organization, but having a plan and testing it will help you face any challenges down the road.
  • When something goes wrong you will need the entire company on board, not just the IT team who’s going to work around the clock to remedy the situation. Your top management teams, PR professionals, customer support, and even your marketing staff need to be involved, and know what the company response is, and how it’s being communicated.
  • Be proactive. Invest in data analytics that will enable you to analyze real-time data, such as pattern detection and recognition. Keep on top of social media using text analysis that will pinpoint conversations about your company. Social media combined with big data analysis will help you get ahead of the crisis and lessen the impact. This combination could be the most important and impactful decision you make, better than business liability insurance!
  • Learn from mistakes. Hopefully you are not the target of a company-wide disruption, be it human error or cyber attack, but chances are some company, somewhere around the world, is being hit right now. Most won’t make the front page of the Wall Street Journal, but you need to be ready to respond to incidents whether they are the result of cyber security attacks, third-party partner action or employees’ mistakes. Loss of reputation is beyond repair if not properly and systematically addressed.
  • Make sure that you know what your business risks are and that you are up to date with managing them all the time. Managing your business risks is not a one-time event. Each component that contributes to the risks must be monitored in real time. There are multiple tools and technologies that will facilitate managing and monitoring both your business and operational risks.

In the end it’s your company name, your reputation, and your responsibility to ensure the integrity of your brand.

Protecting Your Computer From Ransomware

By Amine Mekkaoui,

Ransomware cyber attacks are growing, and they can happen to anyone, anywhere. An attack can hit a personal computer or take down an entire network at a hospital. Organizations posing as law enforcement, government agencies, banks, and credit card companies are using deceptive links and websites to install malware – which essentially holds all of your files ransom: it encrypts them and demands payment to restore them.

But this doesn’t have to happen to you. There are several very simple steps which can help safeguard you from attacks.

Anti-virus software – Every personal computer should have it. There are a lot of commercial anti-virus software programs to choose from, and they are worth the investment. Once you have the software, make sure that it’s installed correctly with the most up-to-date version, that it’s always on, and that you have it set to alert you when there are updates to install.

If your computer does become infected and you don’t have an anti-virus program set up, you can install one to “clean” your computer, but you may need additional assistance to help restore your hard drive.

Anti-virus programs are equally, if not more, important for businesses – but because most businesses have software on their computers which prohibits users from downloading software, it’s up to the company’s IT department to keep their users protected. Most business updates need to be pushed from a server to all users’ computers and devices; this includes not only anti-virus software but operating systems and third-party applications. Businesses should conduct security training for their users on what is and isn’t acceptable on company devices, including mobile ones. In addition, there should be computer usage, security, and security awareness policies in place.

Corporate IT departments need to routinely conduct risk assessments, as well as alert users of any new viruses or bogus and fraudulent emails that may be circulating.

Back up Everything, Frequently – It is essential that you are backing up your files on a regular basis. If you are hit with ransomware or any other type of virus and your computer and its files can’t be saved, you will have your backups to do a system restore or rebuild.

Consider The Cloud – Rather than keeping all of your files on a hard drive or server, consider moving bigger more important files to the cloud. Cloud storage will allow you to access your files remotely without the risk of them being infected by ransomware if your computer or server is hit.

Keep Everything Up-To-Date – It’s not just your anti-virus software that you need to keep updated. You should also keep your operating system and all of your programs updated with the latest versions. By keeping them updated you’ll be on top of any issues that may arise, as well as alerted to security warnings from the software manufacturers.

Avoid Suspicious Sites and Emails – If you are unsure of the sender, or an email comes with an attachment you aren’t expecting, delete it. Opening a suspicious email or clicking on a suspicious site could launch ransomware onto your computer.

It’s important that you make sure that all of your family, co-workers and employees know the risks of ransomware and how to protect themselves and that they should never pay the ransom. Not only is it feeding into criminal activity, but there is no guarantee you’ll get the encryption code promised to get full functionality back to your computer.

Spain Breaks Global Money Laundering Ring

By Amine Mekkaoui,

Spanish authorities have arrested twenty people suspected of having facilitated an international money laundering operation through the sale of drugs. The investigation was initially launched in May 2008, when Police became suspicious over several substantial transfers of money to Colombia. Police reports suggest that the group was responsible for transferring in excess of 3 million euros during 2007 and 2008, which was sent from Spain to bank accounts in China, Panama, Venezuela and the United States and were eventually collated at a fake dentistry foundation in Colombia. The Police statement went on to say that the suspected ringleader of the Colombian network was detained by US police in Miami, whilst the remaining suspects were detained by Spanish police in raids carried out across Spain. At the same time, the Police confiscated 5 vehicles; 32 mobile telephones; a quantity of cocaine; 6 fake passports and other documentation.

Holding Your Files Hostage

By Amine Mekkaoui,

With just one click your files, credit cards, medical records and other personal information could be hacked with ransomware malware. Earlier this month, a cyberattack on Hollywood Presbyterian Medical Center took the hospital’s medical records hostage, demanding ransom in the form of Bitcoins.

Bitcoin is a virtual currency. Transactions are made anonymously without bank involvement. Since Bitcoins aren’t tied to any country or subject to any regulations, international payments are easy and cheap. Every user has a Wallet ID, but the names of the buyers and sellers are never revealed. This level of anonymity provides the perfect breeding ground for transactions such as ransomware.

It would be nice if there was a list of things to look for to help prevent these attacks, but ransomware is evolving. Hackers are finding new ways to completely lock your computer systems and block access to all of your files and encrypt them. Emails that look like they are coming from utility companies, credit card companies, and even banks contain files that once they are clicked will overtake your system.

While Hollywood Presbyterian Medical Center chose to pay the ransom via Bitcoin, citing the need to get patient medical records back and the hospital up and running as soon as possible, paying ransom isn’t the way to go.

First, even if you pay whatever is being asked there is no guarantee you’ll get the encryption code to access your files, and since nearly all of these ransom requests are made through anonymous payment methods – like Bitcoin – there’s no tracing where the money went, therefore no way to go after the attacker.

Second, if you pay the ransom the hackers may see you as an easy target and come back for more.

Third, by paying ransom you are feeding into the criminality of the entire operation. Providing money to these hackers will allow them to up their game with new malware and build out the ransomware malware network.

If anything looks suspicious in your email don’t click it, and if you think you’ve been infected by malware shut down your computer and disconnect it from any server in order to minimize the risk of infecting the entire network.

There are five fundamental things you should always remember to do when working on your computer while connected to the Internet:

  • Count to ten and think before you click: Do not click on any URL embedded in an email, even from someone you know, unless you have confirmed that the email came from that sender.
  • Update everything: Keep your operating system updated; otherwise you might be dismissing an important security update.
  • Back up your files: If you fail to do anything else, this is the most important task, and you must do it on a daily basis. There are many trusted external sites you can use to back up your computer.
  • Secure your wireless network: Make sure you use a strong password when setting up your Wi-Fi router.
  • Use strong passwords: Avoid using your cat’s or dog’s name. Instead, include at least one number, a capital letter and symbols such as # or $, and make sure your password is at least six characters long.

Get Your Head In The Cloud

By Amine Mekkaoui,

Cloud-based solutions are no longer the wave of the future; they are a necessary driver for most enterprise businesses. The “cloud”, which is really just a very large, remotely connected server used to store and access data, isn’t a new phenomenon, but the same old concerns remain about how secure data really is out there in cyberspace.

The truth is you can control the safety of your data. Your overall cloud strategy and your use of the technology play a large part in the security process. It can range from choosing what you put on the cloud; to different models of service delivery like IaaS, PaaS, or SaaS; to what cloud-based server you use.

There are some very big, well-known companies with pretty good track records, like Rackspace, Microsoft, Amazon, and Google that have teams of people working around the clock on security and monitoring and can immediately identify, assess and remedy potential risks or threats. That’s something that most locally housed IT infrastructures can’t match. By storing data in the cloud businesses free up local IT infrastructure and are able to cut costs, but with any investment you must weigh the risk versus the reward.

So what are some of the things you need to consider before putting certain information in the cloud?

Data Breach: One of the major concerns when using the cloud is a data breach. The cloud presents greater challenges since you’re dealing with hypervisors and other external, shared, networked infrastructure. Data breaches can release personal information such as a person’s social security number or give access to their credit or debit cards. Over the past couple of years, companies such as Target, Experian and Anthem Blue Cross Blue Shield have been hit with major data breaches exposing the personal information of millions of customers.

Data Loss and Recovery: While a data breach is a malicious or intrusive action, data loss may be the result of a server or storage malfunction. If your provider goes off-line and your data is lost, can it be recovered? Data sent to the cloud is encrypted as one of the many steps taken to ensure privacy. The downside is that encrypted data is harder to recover, especially if the encryption key is lost too.

Data Access: What information are you putting out there, and who is going to have access to it? Sensitive, classified, or confidential information may not warrant storage in the cloud at all. You want to be able to monitor who has access to your data and what they do with it. Are these people authorized to access the data? If not, they need to be shut out of the network. You may also want to limit access to certain levels of individuals to mitigate any potential misuse of your data.
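The access-control questions above (is this person authorized, can we limit access by level, can we see what they did) can be made concrete in a few lines. The following is an added example, not code from the original post: it assumes a simple model in which every stored object carries a classification level, every user carries a clearance level, a read is allowed only when clearance meets or exceeds classification, and every decision is written to an audit log that can later be reviewed for denied attempts. All object names, users and contents are constructed sample data.

```python
"""Added example: classification-based access checks with an audit trail.

Not code from the original post. Assumes a constructed model in which each
object has a classification level and each user a clearance level; a read
is allowed only when clearance >= classification, and every decision
(allowed or denied) is recorded so access can be reviewed afterwards.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple

# Classification levels, lowest to highest (constructed for this example).
LEVELS: Dict[str, int] = {"public": 0, "internal": 1, "confidential": 2}


@dataclass
class AuditEvent:
    timestamp: str
    user: str
    obj: str
    allowed: bool
    reason: str


@dataclass
class DataStore:
    # object name -> (classification, contents); sample data is constructed
    objects: Dict[str, Tuple[str, str]]
    # user name -> clearance level name
    clearances: Dict[str, str]
    audit_log: List[AuditEvent] = field(default_factory=list)

    def _record(self, user: str, obj: str, allowed: bool, reason: str) -> None:
        self.audit_log.append(AuditEvent(
            datetime.now(timezone.utc).isoformat(), user, obj, allowed, reason))

    def read(self, user: str, obj: str) -> Optional[str]:
        """Return the object's contents if the user is cleared, else None."""
        if obj not in self.objects:
            self._record(user, obj, False, "no such object")
            return None
        if user not in self.clearances:
            # Unknown principals are shut out rather than given a default level.
            self._record(user, obj, False, "unknown user")
            return None
        classification, contents = self.objects[obj]
        clearance = self.clearances[user]
        if LEVELS[clearance] < LEVELS[classification]:
            self._record(user, obj, False,
                         f"clearance {clearance} < {classification}")
            return None
        self._record(user, obj, True, "ok")
        return contents

    def denied_attempts(self, user: Optional[str] = None) -> List[AuditEvent]:
        """Denied events, optionally for a single user, for access review."""
        return [e for e in self.audit_log
                if not e.allowed and (user is None or e.user == user)]


def build_sample_store() -> DataStore:
    """Constructed sample data, not real records."""
    return DataStore(
        objects={
            "press-release.txt": ("public", "Quarterly update..."),
            "staff-directory.csv": ("internal", "name,ext,..."),
            "customer-cards.db": ("confidential", "<encrypted blob>"),
        },
        clearances={"alice": "confidential", "bob": "internal", "guest": "public"},
    )


if __name__ == "__main__":
    store = build_sample_store()
    store.read("bob", "customer-cards.db")        # denied: internal < confidential
    store.read("alice", "customer-cards.db")      # allowed
    store.read("mallory", "staff-directory.csv")  # denied: unknown user
    for e in store.denied_attempts():
        print(e.timestamp, e.user, e.obj, e.reason)
```

The point of `denied_attempts` is the monitoring half of the paragraph: a denied read is not just blocked, it becomes a record that someone can review, so repeated attempts by one account against data above its level stand out. In a real deployment the same decision and log would come from the provider's IAM and audit services rather than application code, but the model is the same.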

Data Availability: Storing data externally means you no longer have complete control of it. Your cloud storage could go offline, and someone else is now responsible for getting it back up. You want to make sure that whatever provider you choose has a proven record of highly available data and a quick turnaround for getting the system back online should it go down. All of this needs to be spelled out in a Service Level Agreement (SLA).

Cloud-based solutions offer benefits for companies large and small, local and worldwide. What works best for a large company may not work for a smaller one, but there are many options available that can make storing, sharing and accessing data more efficient and cost-effective no matter what business you are in.

Mobility is the trend of the new generation. Increased access to tablets, smartphones, robust data networks and even near-ubiquitous Wi-Fi has extended the capabilities of the professional in the field. When the BlackBerry first emerged on the market, the enterprise acquired, provisioned and controlled the mobile device for the workforce, enabling access to key applications and information while also monitoring activity.

The demand for increased mobility has spurred a new phenomenon: BYOD. Employees are opting for a Bring Your Own Device strategy, balancing personal and professional conversations and information on the same device. The BlackBerry is no longer the smartphone of choice, as the iPhone and Android devices dominate the market. BYOD has proven to be an effective strategy with the right policy in place, but how can it truly support the initiatives of the enterprise?

There are a few realities that accompany the adoption of BYOD:

Employees select the brand and type of device – while employees enjoy the freedom of selecting their own preferred brand and operating system, enterprise IT recognizes the different challenges of working in varied environments. It may be more effective for the corporate policy to restrict BYOD to selected, approved brands, models and operating systems.

Employees control the level of personal information contained on the device – this is an important point if there is no separation between personal and corporate information. For example, if baby pictures are mixed with corporate or customers’ proprietary information, that’s a problem. Employees should be allowed to load their own information on their own device, but it’s up to IT to provide the technology and guidance to keep personal and professional information separated on the device by means of appropriate mobile applications.

Employees access websites, applications and file sharing services not normally permitted by the enterprise – this is a critical threat for any network. Users may be connecting through a vulnerable hotspot, uploading information to a file sharing site that lacks appropriate protections, or downloading applications that carry malicious software. The enterprise BYOD policy should include guidelines on acceptable practices, and mobile device management applications can be installed that prevent risky activities. The key to successful application of the policy is to inform employees of these rules and of the consequences of breaking them.

Employees may allow other people to use their device – this reality is difficult to address from the corporate side. Employees may be educated on the risks of allowing other users to access their device, but complete control in this area is difficult. However, monitoring and management applications can help control what anyone may do while using the device, which is an important step towards protection.

Employees may not demonstrate diligence in keeping track of their device – regardless of how much the employee uses his or her mobile device, it can still be lost or stolen. If that happens, whoever finds it may gain access to a wide range of network applications, proprietary information, authentication credentials and much more. This is where keeping personal and corporate information separate is crucial, as IT management can then remotely wipe the device of any information that puts the enterprise at risk. Likewise, the employee can opt to wipe everything if the loss of personal information would also put them at risk.

While this list just scratches the surface of the realities that can affect BYOD and the enterprise, these are important points for ensuring success in this new environment. Any corporation can resist the trend and instead purchase mobile devices for all employees, but that may not always be the optimal choice. By understanding the realities that exist in a BYOD environment, the enterprise is more likely to benefit from it.