This article was originally published on January 8, 2015.
More than half of employees worldwide bring a personal mobile device to work. That’s the word from CIO, which notes that while adoption varies by region and country, there’s a common theme: users aren’t afraid to bring devices with or without management’s approval.
But BYOD is the wave of the future, right? That’s the hype, and many businesses have fully embraced this bring-your-own culture. Others are more reticent, and perhaps with good reason: here’s a quick look at the real risks of going BYOD.
You’re using what?
The most obvious risk of BYOD? Foreign devices in the workplace, each with its own operating system, network settings and user controls. While it’s nice to think that all users will opt for the latest technology and secure their devices by immediately downloading the latest patches for their apps and OS, that’s not always the case. Companies are often tasked with managing a host of devices both new and not-so-new, in addition to handling staff whose technical proficiency varies widely. The result is a kind of “Wild West” environment where users bring whatever they want and IT sheriffs may be left chasing tumbleweeds.
According to David Cripps, CSO of financial firm Investec, one of the biggest risks of BYOD adoption stems from cloud services. Consider this: While Cripps found that his company had signed up for 15 “official” cloud services that were vetted by IT staff and approved by management, the actual number in use was “a lot higher.”
Why? Because BYOD users were quick to leverage the applications and services they preferred to get their jobs done, rather than those given the green light by higher-ups. Unfortunately, many of these publicly available services lack any kind of basic security controls; Cripps notes that “of the 3,000 or so cloud services out there, only five percent have ISO certification and only 10 percent allow some sort of two-factor authentication.” And since they’re being used on corporate networks, there’s a real risk of data compromise or loss.
So what’s driving this kind of reckless consumption? The democratization of technology gets most of the blame: users are now able to access high-powered cloud services and applications that require virtually no technical expertise or prior knowledge. While this is great for workplace productivity it also leads to a false sense of security — that services are safe because they’re “only” on a smartphone or come from a legitimate app store. Unfortunately, that’s not always the case.
Evolution of the device
And there’s more; as noted by First Post, the evolving Internet of Things (IoT) adds an entirely new category of devices to the mix, all with their own network addresses and access to critical corporate functions. Consider the recent Backoff POS malware by way of example — this malicious code wormed into company systems by using point-of-sale terminals peripherally attached to critical network systems. Right now, device security isn’t up to snuff for smartphones and tablets. IoT devices only compound the problem.
So how do you manage devices in the workplace? One option is to ban them altogether or assign a specific smartphone vendor for the entire organization, but this often causes more problems than it solves. Mobile Enterprise outlines several best practices for handling BYOD, including the development of a use policy that includes standards for users along with consequences for misuse. In addition, it’s important to provide ongoing support for all mobile devices regardless of type or age. Skip this step at your own peril — an unsupported device is a vulnerable device.
Two other steps are also critical: embracing shadow IT and protecting your network at large. Shadow IT — the network of end users who leverage any service or app they want — should be encouraged to come forward so their choices can be made more secure, rather than punished. This is the old “can’t beat ’em, join ’em” argument: better to know what’s going on than to be kept in the dark. And while you’re at it, consider leveraging our secure VPN service to keep network traffic obscured from wandering eyes. This helps limit accidental exposure: even if an employee is using an unapproved service or sending something they shouldn’t, no one outside your company needs to know, and you gain time to track down the problem.
Is BYOD risky? Absolutely. Is it inevitable? Probably. Best bet? Get up to speed on what’s at stake, then take steps to mitigate potential damage. Danger is calling, but at least you can make it call collect.