Phone Theft and Why Using a BYOD Policy May Be a Bad Idea
John Scott Steenburgh
Cyber Security, System Administrator, Blogger, and Cloud Business
The question came up while we were drafting ISO policies in a cloud stack meeting about encryption: do you need a VPN on the phone? The thinking behind it was intercepting communication traffic. That is a fair question, but it is not the pressing issue.
Phone theft has become a thing, and the reason is access to the apps on the phone that deal with money. All those banking and other financial apps are a juicy target. Where we often think about security in terms of the communication traffic, the real issue is what someone can access once they have your phone and your PIN. There are treasures to be had once they have the phone and the PIN. Once those two things are in hand, even two-factor authentication will not help. The phone with the PIN is the goal.
That raises the question of how far a company should go with a BYOD policy for phones. Sure, it is an attractive option when companies see how much they will save by not having to buy and hand out $1000+ phones and not having to pay for cell and data plans. Tough to pass up. And, as is common, most companies want to use a BYOD policy. But again, the target is the phone with the PIN. Once someone has stolen the CFO's phone, their options to do harm greatly increase.
From a security point of view, BYOD is not a good idea. It is better to hand out a less fun phone with far fewer apps and options on it. Maybe a device that can make calls, send texts, run a push app and a multi-factor app, and little else. I am sure the howls, with a heavy metal soundtrack, are already starting. But the question is: do we want business functions on a phone to match general life, where people do everything on a phone?
Security will say no. Users in general will say yes. But the other point stands: the phone and passcode are the target now.
Side note: once someone has the phone, engineering changes becomes a lot easier. If someone has the CFO's phone and passcode, they can spoof the service desk and have a password reset done. Then they can VPN in and have the multi-factor app on the phone to help them. And since most everything online works by having the phone in hand, how much easier is it for someone to target the C-Suite?
IT Consultant at PG&E
1 yr
agreed Scott, not only with phones but laptops, unless you remote in with a remote desktop and do your work from there, meetings and all