Mobile
11/18/2013
09:06 AM
Marilyn Cohodas
Marilyn Cohodas
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

BYOD: 'We Have Met the Enemy & He Is Us'

As smartphone adoption continues at an unrelenting pace, the issues surrounding BYOD will become an even more challenging mobile security management issue.

When it comes to BYOD, Pogo, the central character of a long-running American comic strip, said it best: "We have met the enemy and he is us." It was 1971 when Walt Kelly penned the cartoon with the celebrated quote; Pogo, who lived in a swamp, was talking about Earth Day. Today, the same sentiment could apply to the phenomenon of bring-your-own-device to work.

Last week, Ericsson predicted that by 2019 the total number of devices subscribed to mobile networks will reach 9.3 billion, smartphone subscriptions will triple and smartphone traffic on broadband networks will increase 10 times. This should not be an earthshaking revelation for anyone in IT who has been grappling with the explosion of mobile devices in the workplace.

But the rapid and unrelenting pace of the smartphone uptake adds a new urgency to the problem. "It took more than five years to reach the first billion smartphone subscriptions," Ericsson senior vice president and head of strategy Douglas Gilstrap noted in a press release. "But it will take less than two to hit the 2 billion mark."

We already know that the issues surrounding mobile security and BYOD are complex, solutions elusive, and in some cases, surprisingly non-existent. InformationWeek’s recently released 2013 Mobile Security Survey shows that although corporate mobile security practices are improving, many security fundamentals aren’t being implemented. For example, 78 percent of respondents identify lost/stolen devices as a primary security concern, but just 28 percent require either hardware or software encryption, and only 39 percent have mobile device management (MDM) systems that could remotely wipe corporate content from a device.

In terms of BYOD policy, the vast majority of respondents -- 88 percent -- say their companies allow or will soon allow employees to bring their own mobile devices into the workplace to access corporate systems and store sensitive data. Yet only 39 percent of organizations have widely deployed MDM or other technologies considered to be an essential element in effectively managing and securing those devices.

Beyond the practical decisions about MDM or the best authentication practices for smartphones and tablets are new challenges springing from social media. Where do you draw the line between the personal and professional when social business collaboration via LinkedIn, Twitter, Google+, and Facebook is becoming an increasingly accepted -- and even encouraged -- part of the job description? How do you know if employees are watching cat videos or a substantive interview with an industry thought leader on a YouTube business channel? How do you mitigate the security risk these services introduce?

These are all issues I hope to explore with you in InformationWeek’s new security community. Just like any other community -- sci-fi nerds, sports fans, or Girl Scouts -- what binds people together are the unique memes, experiences, private jokes, and lingo that they share. Some have described that bond as a kind of secret handshake. In the coming weeks I hope to be "shaking hands" with you all as we hash over a wide range of IT security issues, everything from applications to zero-day exploits.

To kick things off, take a look at our flash poll on BYOD. We want to know your views on the best policy to manage bring-your-own-device. Your choices:

  • Make BYOD mandatory
  • Laissez faire -- anyone can bring in any device
  • Allow a restricted set of devices
  • Offer employer subsidies for approved devices
  • Forbid all employee-owned devices

And, if you have another idea or point of view, be sure to share it in the comments so that others can weigh in.

At the end of the day, when it comes to BYOD and every other security concern, there are no easy answers. As Pogo said 40-some years ago, the enemy is "us." And it will be up to all of us -- technology experts and end-users -- to figure out what to do about it. I look forward to the conversation.

Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
Alison Diana
50%
50%
Alison Diana,
User Rank: Apprentice
11/18/2013 | 9:31:35 AM
BYOD Backlash
I spoke to many CIOs last week -- and to a person, they all agreed that BYOD is a time-consuming nightmare. While employees and c-levels want this policy, CIOs themselves often continue to carry around two phones because they get the legal ramifications facing users who blur the lines between 'what's mine' and 'what's the company's' data. I foresee lots of work for attorneys as more employees face wiped and destroyed mobile devices.
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
11/18/2013 | 10:04:23 AM
Re: BYOD Backlash
A nightmare might be an understatement, Alison! I think part of the difficulty is that it's not purely a technical issue or a problem that can be totally resolved by a technology solution, even one as simple as keeping separate smartphones for work and office use. As mobile technology continues to blur the lines between work and personal, it's going to be harder not easier to sort out.
mwagner919
50%
50%
mwagner919,
User Rank: Apprentice
11/18/2013 | 6:54:06 PM
Re: BYOD Backlash
The appeal of BYOD baffles me. Companies face management problems, and employees have to pay for their own devices out of their own pockets. How does ANYBODY win in this scenario?

That said: I have a personal iPhone and iPad and use both for work. So it goes. 
MarciaNWC
50%
50%
MarciaNWC,
User Rank: Apprentice
11/18/2013 | 5:59:04 PM
BYOD challenges
BYOD creates so many challenges on multiple fronts. On the technical side, security controls get complicated due to all the different mobile platforms. On the legal side, issues of personal vs. corporate data and corporate control over personal devices are just starting to play out, making it tough to devise corporate policies.
Adam2IT
50%
50%
Adam2IT,
User Rank: Apprentice
11/19/2013 | 3:24:53 PM
BYOD Challenges
I can understand the IT people that are against BYOD. However, I don't think they can do anything to stop it. It's already happening, whether officially sanctioned or not. So the question becomes - how to deal with it?

Does BYOD come with headaches? Of course it does. However, security issues and IT management headaches (how do I support all those devices?) can be addressed by using new HTML5 technologies that enable users to connect to applications and systems without requiring IT staff to install anything on user devices.
ramakol
50%
50%
ramakol,
User Rank: Apprentice
11/19/2013 | 11:16:24 PM
BYOD is here to stay
BYOD trend has already started and is happening. As the stats shown in this article, BYOD is here to stay. The appeal of BYOD is the increase in productivity and ease of use that end-users enjoy. I understand the risk and reservation from IT and that is exactly why an enterprise grade solution with same ease of use and productivity enhancement is important. 
Register for Dark Reading Newsletters
Partner Perspectives
What's This?
In a digital world inundated with advanced security threats, Intel Security seeks to transform how we live and work to keep our information secure. Through hardware and software development, Intel Security delivers robust solutions that integrate security into every layer of every digital device. In combining the security expertise of McAfee with the innovation, performance, and trust of Intel, this vision becomes a reality.

As we rely on technology to enhance our everyday and business life, we must too consider the security of the intellectual property and confidential data that is housed on these devices. As we increase the number of devices we use, we increase the number of gateways and opportunity for security threats. Intel Security takes the “security connected” approach to ensure that every device is secure, and that all security solutions are seamlessly integrated.
Featured Writers
White Papers
Cartoon
Current Issue
Dark Reading's October Tech Digest
Fast data analysis can stymie attacks and strengthen enterprise security. Does your team have the data smarts?
Flash Poll
Containing Corporate Data on Mobile Devices
Containing Corporate Data on Mobile Devices
If you’re still focused on securing endpoints, you’ve got your work cut out for you. WiFi network provider iPass surveyed 1,600 mobile workers and found that the average US employee carries three devices -- a smartphone, a computer, and a tablet or e-reader -- with more than 80% of them doing work on personal devices.
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-0334
Published: 2014-10-31
Bundler before 1.7, when multiple top-level source lines are used, allows remote attackers to install arbitrary gems by creating a gem with the same name as another gem in a different source.

CVE-2014-2334
Published: 2014-10-31
Multiple cross-site scripting (XSS) vulnerabilities in the Web User Interface in Fortinet FortiAnalyzer before 5.0.7 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2014-2336.

CVE-2014-2335
Published: 2014-10-31
Multiple cross-site scripting (XSS) vulnerabilities in the Web User Interface in Fortinet FortiManager before 5.0.7 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2014-2336.

CVE-2014-2336
Published: 2014-10-31
Multiple cross-site scripting (XSS) vulnerabilities in the Web User Interface in Fortinet FortiManager before 5.0.7 and FortiAnalyzer before 5.0.7 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2014-2334 and CVE-2014-2335.

CVE-2014-3366
Published: 2014-10-31
SQL injection vulnerability in the administrative web interface in Cisco Unified Communications Manager allows remote authenticated users to execute arbitrary SQL commands via a crafted response, aka Bug ID CSCup88089.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Follow Dark Reading editors into the field as they talk with noted experts from the security world.