BYOD: Filling The Holes In Your Security PolicyAllowing personal mobile devices at work can create new risks for your enterprise. Is your security policy ready?
Jesse Kornblum isn't your typical road warrior. As a computer forensics research guru (yes, that's his title) at Kyrus, a managed security services and consulting firm, he knows his stuff when it comes to information security.
But when traveling abroad, Kornblum is the first to admit that he's scared--or at least wary--that his security know-how won't be enough to protect him and his employer.
Take his upcoming business trip to Brazil. "Look, I'm a single guy, and Brazil is known for partying." It's likely that a new acquaintance or acquaintances will visit his room and have proximity to his phone or laptop, he says. Drive copying is a threat, as is outright theft of a device or information. A more sophisticated attacker might plant software on Kornblum's phone or laptop and monitor remotely.
Kornblum's concerns aren't the ravings of a computer forensics expert who has picked over the bloody remains of one too many network hacks. HD Moore, the CTO of security firm Rapid7, says that when he goes abroad, he brings a bare-bones netbook with data encryption installed and a BIOS and drive password enabled.
Moore also improvises anti-tamper features. He's been known to saw his netbook's case screws in half and pack the empty space in the screw holes with mashed Altoids to reveal if anyone had opened the device. Once when he left his netbook unattended in a Shanghai hotel room, he returned to find the powder gone from the screw hole and the BIOS password wiped, he says.
Like Kornblum and Moore, businesses everywhere are wrestling with security challenges posed by their increasingly mobile workforces. The reasons for this are clear: The workplace is undergoing its biggest transition since the desktop PC and client-server architecture displaced office mainframes more than two decades ago. This time around, it's PCs that are on the losing end to a ragged brigade of powerful, consumer-oriented mobile devices that include laptops, smartphones, and tablets in growing numbers.
The bring-your-own-device transition is transforming the workplace but also creating new risks for companies that plunge in without forethought and planning.
What's At Stake
A Forrester Research survey suggests that supporting employee-owned mobile devices isn't about letting people play Angry Birds at the office. More than three-quarters of employees who use smartphones at work and 63% who use tablets access their company intranet or portal sites using their mobile devices, according to a Forrester Research survey of 70 senior-level decision-makers at U.S., Canadian, U.K., and German companies. Fully 82% of those respondents say they use smartphones to read or view documents, presentations, and spreadsheets for work. Mobile enterprise users are going beyond Microsoft Outlook to tap into applications such as SharePoint, WebEx, and Documentum.
Businesses are throwing the doors open to mobile devices. Seventy-two percent of technology pros expect increased use of employee-owned devices accessing business resources, according to the InformationWeek 2013 Mobile Device Management and Security Survey of 307 business technology pros.
The transition to BYOD policies is happening across the board, with Apple iPads and iPhones and Android phones overwhelmingly leading the charge.
Unfortunately, the increase in employee-owned mobile devices hasn't been accompanied by security policies and tools to manage them. "Most companies still have no formalized policies," says Vanja Svajcer, a principal researcher at SophosLabs, the malicious code research group at antivirus software developer Sophos PLC. They might have existing policies for PCs, he says, and with BYOD, companies must either relax those policies or adjust them to accommodate mobile devices. That means having IT help employees connect their personal devices to network resources such as the office Wi-Fi network, the Microsoft Exchange email server, or a content management system.
Consulting firm PricewaterhouseCoopers found that 36% of the companies it polled in its 2012 Global State of Information Security Survey had a mobile device security strategy in place. Personal device use is the norm at Kyrus, but Kornblum admits that the company doesn't have hard and fast rules around employees' use of those devices. "We're a small company with fewer than 15 employees," he says. "We talk frequently about people not being stupid, and our business is examining how security goes wrong."
At less-security-savvy firms, the "give access now and secure later" approach can increase risk across the board, including everything from lost devices and stolen data to the use of vulnerable software and questionable apps.
1 of 4