Why Should I Worry About BYOD?

June 16, 2014

Submit your questions to: [email protected]

This week Seth Jones from Milwaukee asks: 

“Why should I worry about BYOD? It is great not to have to buy my employees cell phones.”

Shame on you, Mr. Jones – not to get all Biblical on you, but have you never heard the ancient proverb “It is better to give than receive?”  By providing your employees with smart phones, tablets, etc., not only do you get the satisfaction of giving but you also get to maintain the high level of security you had on those corporate Windows PCs and laptops you so lovingly provided employees with over the years.

What’s that, Mr. Jones? You had constant virus problems on those corporate-issued PCs – even with the endpoint “protection” platform software you installed? Oh, and a lot of help desk calls when users couldn’t get their job done because whatever they needed to use told them they had an old version of Internet Explorer installed because of what IT called “app compat” issues? Frequent reimaging? Constant patching?  Candy Crush wouldn’t work right??

OK, since I’m in the mood for old proverbs today, let’s get down to brass tacks:  it turns out we’ve really been allowing BYOD ever since Outlook Web Access first shipped with Exchange Server 5.0 in 1997.

Realistically, since about 2000 or so, employees at many companies have been using OWA and equivalents to read, store and send sensitive business email and attachments from their home PCs – and the world never ended!! Users were silly enough to read email 24 hours per day – and we did not see viruses or data leakage skyrocket!

The odd reality is that many home users these days are using much more secure technology than what their employer would provide. They use a heterogeneous mix of devices that makes it harder (not impossible, but harder) for attackers to build attack code, and they happily accept white lists (called fun names like App Store! and Play!).

The Chrome and Firefox browsers and the iPhone/iPad operating system patch themselves and use advanced security techniques like sandboxing, and the applications these users run are actually pushing them to move to two-factor authentication via text messaging – while at work IT and IT security try to force them into a monoculture that can only be patched occasionally, and is run by people who are absolutely sure users would never accept white lists, two-factor authentication or anything else remotely smelling like higher levels of security.

Sounds rosy, doesn’t it? But there are some things you do have to worry about, Mr. Jones. First off, are your employees really buying “cell phones”?? I don’t think they’ve been called that since the Seinfeld show went off the air. They are now smart phones or mobile platforms, thank you.

Probably more importantly, you do have to worry about corporate data getting on those devices and ending up on eBay or Craigslist when the device is lost, stolen, sold, or “repaired” – since “repaired” generally means thrown in a box and sold on eBay. You need to take some of those savings and apply them towards Mobile Device Management functions to deal with that data exposure problem.

However, most importantly: BYOD is just a small part of the “Choose Your Own IT” movement where employees who have been CIOs of their own house for years demand to use whatever devices and services they feel are best – much the way they choose their own clothes each morning rather than wear corporate uniforms. Many of the IT management and IT security processes you are dependent on are based on IT controlling those things – and those days have gone the way of those collapsing whip antennas on “cell phones” that you used to see in Seinfeld episodes.

“Casual Friday” devolved to “Wear Whatever You Want Unless You are Meeting With a Customer” and BYOD will lead to CYOIT.  The former didn’t mean everyone could come to work naked; the latter doesn’t mean there are no rules, policies or security controls when the CIO doesn’t control all the IT in use.

It does mean that new and very different policies and procedures are needed – just as they were when we went from the mainframe to the PC.

But, Mr. Jones, don’t forget about the spirit of giving – what about setting up a nice “enterprise app store” for your employees where they can download safe apps for their personally owned “cell phones”? 
