Employers shifting their operations to mobile computing have opened the door to BYOD—telling employees it’s OK to Bring Your Own Device and use it for work tasks. Employees have extended that to BYOA—Bring Your Own Apps, says San Francisco security company Appthority in its latest mobile threat report. Workers, just like consumers, download apps without ploughing through the accompanying disclosures. Many apps are now designed to raid the personal data of employees—a goldmine for bad actors who use “spear phishing” tactics as the first step in major attacks on corporations. And many contain malware.
When it comes to information security, a company’s employees may sometimes be seen as risk vectors rather than assets to protect. Although few may intentionally become insider threats, helping hackers break into networks, employees can unwittingly puncture company defenses by actions as innocent as downloading an exercise app to an iPad.
Companies are now bristling with safeguards supplied by cybersecurity companies that monitor the digital activity of employees as they interact with company data and communication channels from their app-laden smartphones and tablets, as well as from business computers. But in addition to that wary surveillance, there are moves now to enlist company staffers as fellow guardians of workplace data security.
One example is a set of mobile apps for employees of Appthority’s business clients. Appthority scans the mobile devices of staffers, and its apps tell them which of their installed apps are dangerous, which are frowned on by their employer, and which are approved by the company IT department. Appthority then sends automated prompts to spur the employee to get rid of the problematic apps, and warnings that the device could be bumped off the company network if they don’t.
Appthority, which says it has evaluated the risks of three million apps, also serves as a sort of consultant on the fly for employees when they’re considering the use of a new app. Using Appthority’s mobile tool, workers can get a risk assessment on the new app without having to download it.
Domingo Guerra, co-founder and president of Appthority, says business clients have been asking for ways to educate employees about cyber risks and empower them to help defend against data breaches.
“We’re seeing that employee education is increasingly a differentiator” among cybersecurity companies, Guerra says. “That’s why we launched the app.”
Appthority rolled out its first employee app in April 2015 for iOS, the mobile operating system it found most heavily used by businesses. At the urging of employers, Guerra says, the company recently released a similar app for Android devices.
The mobile apps work together with the core business services offered by Appthority, which was founded in 2011 by Guerra, Kevin Watkins, and Anthony Bettini to help companies and government agencies manage the risks associated with mobile apps. Appthority’s customers can create customized lists of banned and approved apps—and even tailor those lists for specific job titles, Guerra says.
Appthority is used in combination with the mobile security shields of companies such as Mountain View, CA-based MobileIron and AirWatch, an Atlanta, GA, unit of Palo Alto, CA-based cloud computing infrastructure company VMware. MobileIron and AirWatch manage the risks associated with mobile devices themselves, by automating the registration of employee-used devices, setting up their access to company WiFi and VPN accounts, monitoring passwords, and keeping unauthorized devices from logging in, among other measures. Boston-based mobile app management company Apperian offers similar services, as well as app stores—customized for business clients—that staffers can browse.
Appthority aims to make security measures scalable through automated risk-scoring of specific apps and employee devices, as well as alerts and corrective measures.
The company, which has 35 employees, has raised