Bring Your Own Device (BYOD) seems to be spreading through the industry as a debating point like a virulent virus. Is it fast becoming the 21st-century version of the "Pandora's Box" for the workplace?
I've long been an advocate of information security professionals adopting a more flexible approach when giving end-users the functionality and flexibility they want: a happier user is a more productive user. Indeed, a recent study published by O2 last month, the largest ever flexible working pilot of its kind in the UK, found that workers were more productive, happier and richer if they did not go into the office.
Users want to experience the functionality, applications and interfaces that they use and are familiar with in their private lives. They want devices that allow them to work remotely from outside the office and on the move. All things can be taken too far, however, and this is exactly what is happening with BYOD. It seems that some organisations are intent on throwing out the corporate security baby with the data bathwater.
BYOD should be treated with the same three basic principles as any other information security issue: confidentiality, integrity and availability. Vast sums were spent on secure laptop rollouts in the noughties in order to give workers the ability to work from home and on the road securely. Did we ask or allow users to bring their own home laptops (along with their malware!), plug them into the corporate network and hope for the best? Of course we didn't!
Some good reasons why BYOD may not be such a great idea:
- What happens if the device is lost or stolen from the end user? Along with the device go (unencrypted) corporate data and contacts, and there is no ability to remotely wipe or kill it.
- Removable media is easily targeted by would-be remote hackers as an easy way of bypassing network firewalls: it is the assumed route, for example, for the Stuxnet virus.
- Smartphones nowadays usually have both voice recording and high-definition camera capabilities, easily allowing industrial espionage. There's good reason most high-security organisations don't allow them on their premises.
- There are legal ramifications in most geographies to monitoring employees' personal web behaviour.
- Laws on employer monitoring of personal data and behaviour vary from geography to geography: this is a potential headache for corporate risk departments.
- How will you monitor the mobile devices for malware, and prevent its introduction into the corporate network?
- How will you identify which device is ‘rogue’ and which is ‘approved’ in a true BYOD environment?
- How do you monitor for acceptable use on an employee-owned device (assuming there are no legal blockers)?
- How will you prevent the employee walking out the door with your customer and supplier contact lists?
- How do you prevent illicit or unlicensed content from entering the corporate network?
- Which devices are deemed to be supported and unsupported?
- Does your IT department have the right skills to support cross-platform mobile applications in a secure fashion?
The more enlightened organisations are, of course, reaching a sensible compromise: rolling out well-known tablets to their workforce in a controlled manner, whilst not allowing private devices to access the corporate network. According to Apple, 9 months after they launched the iPad, 80% of Fortune 100 companies had either deployed or were piloting the device. When deploying mobile devices you should consider all the areas you would have considered for a laptop, and more:
- How will the data on the device be encrypted?
- How will you transmit data encrypted to your internal network and external service providers?
- How will you ‘remote kill’ the device should it be lost or stolen?
- How will you prevent malware and inappropriate content entering the network?
- How will the user authenticate securely onto both the device itself and also the corporate network?
- How will you identify vulnerabilities on the mobile operating system?
It is perhaps my last question which causes me the most concern, since some in the industry appear to think that certain mobile platforms are not open to vulnerabilities and exploits in the same way as their desktop and server counterparts. A recent mystery shopper exercise has confirmed my opinion: most do not take the threat posed by mobile devices as seriously as they should. The SANS Institute think otherwise: a whitepaper they published in 2011 stated that whilst Apple has done a great job by allowing only digitally signed software to be installed on a non-jailbroken iPhone, there were still vulnerabilities that could be exploited, particularly in the web browser (Safari). Earlier this year Reuters reported a flaw in the Android operating system which allowed hackers to eavesdrop on phone calls or monitor the location of the device.
In order to reduce the risk posed by BYOD, organisations should develop an acceptable usage policy for tablets which clearly identifies the steps end-users should take to complement the security that has been built into the device by the IT department. This should include sensible advice on the dangers of allowing shoulder-surfing when logging on in a public area; ensuring the device is not left in a public place; and regular connectivity to the corporate network to allow regular updates.
The sensible compromise of rolling out familiar, but secured, tablets in the workplace, combined with an acceptable usage policy, will prevent your employees seeing management as "tone deaf" and may well realise significant increases in both end-user productivity and creativity in the workplace, whilst maintaining a sensible approach to safeguarding against the unguarded use of mobile devices.
Working From Home More Productive, Telegraph, 3rd April 2012
Morgan Stanley: Tablet Demand & Disruption
SANS Institute: Security Implications of iOS
Android Bug Opens Devices to Outside Control, Reuters, 24th February 2012