For all the sophistication and power of the modern cell phone or tablet, people think of them more or less like pens: You can use the generic ballpoints they have at the office, or you can bring the one you like from home. That's a consequence of high technology becoming pervasive. People use technology widely, and they might prefer what they use on their own time.
"I have no trouble with people bringing their own machines to work if, and only if, they are competent to run them."
Dan Geer, CISO, In-Q-Tel
Pens, of course, can't access corporate networks (yet). But cell phones and tablets represent powerful computing devices; people might even be able to get more done using their personal devices for work. That's given rise to the BYOD (bring your own device) phenomenon. Just five [almost] years ago, in January 2008, only 10 percent of U.S. companies responding to an Aberdeen survey said they allowed workers to use their home devices. In July 2012, that jumped to more than 80 percent of U.S. respondents. The same trend exists outside the U.S., though fewer companies elsewhere allow BYOD, with companies in the Asia-Pacific region most resistant.
Companies mostly allow BYOD for mobile phones and tablets, aiming to get the productivity benefits of mobile technology without having to shell out a lot of money for corporate cell phones. Notebook computers still tend to be provisioned by corporations.
One looming problem with BYOD: Just because workers have smart phones does not mean they'll be smart about security.
"I have no trouble with people bringing their own machines to work if, and only if, they are competent to run them," Dan Geer, a security researcher and chief information security officer at In-Q-Tel, the CIA's venture capital arm, said in an email. "If they are mere subscribers with a penchant for shiny things, then keep them out of the network."
The trouble is, when the worker who likes shiny things is the CEO, and wants to use his or her new iPad to run business intelligence dashboards, it creates real pressure on a CISO to respond. Common sense would say, "of course, the CISO will do the right thing and preserve the security of the network." Common sense would be sadly disappointed.
"When I started here a year ago, we had execs with an iPhones or iPads and they'd bring it in and hook it up and walk around with it," says Ben Haines, CIO at Pabst Brewing Co. in Los Angeles. Haines said that when he pointed out the risks inherent in walking around with insecure connections, the executives immediately understood the issues. Haines set up a mobile device management policy and found a provider to handle it (MaaS 360 from Fiberlink), and in two weeks it was up and running.
More on BYOD and mobile security
- Should security be responsible for BYOD policy?
- Gadget evolution, from the Sharp Dial Master to the iPhone
- The mobile security survival guide
Pabst is far from alone in its approach to BYOD. In fact, Aberdeen found more than half of the U.S. companies that allow employees to BYOD set no restrictions on devices. "Look, scream it from the rooftop, we know that mobility gives a real competitive advantage," says Andrew Borg, an analyst at Aberdeen. "But it appears that 'we've gotta go mobile now, we'll figure it out later' appears to be what many organizations are doing."
Borg says there's no reason for companies to take such risks. Aberdeen says that a single compliance lapse could cost a company between $10,600 and $461,699, depending on the number of compliance violations on the device.
Borg and another analysts interviewed for this story acknowledge that we have not seen a major incident with BYOD devices publicized yet. But why be the headline, Borg asks.
The challenge for CISOs is palpable. For one thing, it's hard to keep up with best practices, says Adam T. Shapiro, Chief Technology Officer of Breakthrough Technology Group, a managed service provider based in Morganville, N.J.
Shapiro was previously in charge of Citigroup's Client Infrastructure Engineering, where the company's efforts to allow remote work showed a huge thirst for BYOD. The company used Citrix Receiver, a virtualization client, to allow for remote access. Once in place, "you saw every single person that was a Mac user start to use their personal Mac," Shapiro says.
He also says technology is moving too fast for policies to keep up. "There were people coming in with early releases of Windows Tablets" and other new devices, he says. Then they would complain that they couldn't get access. "Best practices are no longer even best practices. It's an evolving game," he says.
Citigroup had not done things willy-nilly — it had a process of meetings and discussion to develop a BYOD model that went through a wide variety of use cases, and had built custom wireless networks to help. Even so, the organization was surprised by how 'creatively' some people decide to use technology. "There were some use cases where you would say, 'Really, people do that?'" Shapiro says.
Citigroup's example illustrates that each company will have its own complexities, with technology and policy decisions to iron out. At any rate, don't be the headline. Emulate smart companies and avoid BYOD's most basic blunders.
Blunder Number 1: Just jump in - the water's fine!
In fact, the water is murky. Companies that just open their networks to BYOD without a plan might hit riptides, stingrays, sharks even. Do you have a lifeguard? Do you even know who should be on the beach?
"Step back and think about your company and what the mobile worker population of the company might look like," says Stacy Crook, an analyst at International Data Corp.
Blunder Number 2: Take on all comers
It's a great concept for a UFC special, but why do you want your network exposed to every device known to humankind?
"Companies shouldn't recommend what type of phone employees get, but some Android phones are better than others," says Dan Shey, an analyst at ABI Research Inc.
Blunder Number 3: Give employees access to everything
Do all your employees really need access to all applications? Really? It's one thing to open up access to email, another to give access to ERP, says Shey, an analyst at ABI Research. Email "tends to be a closed system—you can connect to it and not connect to corporate systems and databases," he says. As Crook notes, once consumer devices enter the enterprise, consumer applications and corporate applications can commingle. What if employees want to dump things into Dropbox?
Using geo-sensing policies, where devices only have access to applications and data when in a certain zip code or GPS coordinate, can be helpful in some circumstances.
Blunder Number 4: Fail to train employees
"That's a big no-no," says Crook. Employees need to have some guidance on what they should and shouldn't do with their devices on the corporate network. That's obviously true for companies that have compliance requirements, like healthcare and financial firms. But any company can have employees overstep their bounds. Give them education and training, and then ask them to sign a document about complying with your company's policies. Without those things, "you're setting yourself up for lawsuits." Especially if you commit sin number five&.
Blunder Number 5: Assume people won't lose a device when it's their own.
They do, and they will. What kind of attachments might be on email? What if there's a password file on the device? Or authentication for the network?
Blunder Number 6: Expect you can just wipe your hands of things.
There are lots of tools that let you wipe systems remotely, ranging from features in Microsoft Exchange to mobile device management software.
Remote wiping is a powerful tool, but when you zap all their personal data, even employees who leave on good terms could end up suing you.
Mobile device management software is useful, but should you really just wipe the box? Or can you revoke access to specific applications?
Blunder Number 7: Assume the worst and just ban BYOD.
BYOD is manageable. CISOs can mitigate risks. They just need to have a plan and a process that meets the needs of their company.
Finally, learn from those who've gone before you. One of the first companies to allow BYOD is IBM. It started back in 2000 with the Blackberry, and after trials made BYOD a corporate initiative in 2004. It has more than 130,000 employees using their own devices, primarily smart phones and tablets.
IBM has a set of corporate security guidelines its workers must follow. Managers approve BYOD requests. The company then assigns workers an eight-digit alphanumeric password, and it has full remote wipe capabilities if someone loses their device, or has it stolen, though it has 'containerized' its applications so that it does not have to wipe an entire device to protect its data. IBM also limits the applications people can access, usually to things like email and IBM's collaboration suite.
"We don't deliver the keys to the kingdom," says Bill Bodin, IBM's chief technology officer for mobility, who is responsible for the company's BYOD initiative.
By the end of 2012, all workers who want to use their own devices will have to become 'certified.' IBM has developed about 45 minutes of video modules on the principles of secure mobile computing, and workers have to pass a test on the videos to be eligible to use their own devices. It's also developing a "persona" app for its internal app store, so that employees can download IBM-specific apps that match their roles.
Bodin's advice for BYODers?
"I would start small. Qualify a particular device. Ask, 'what are my core capabilities I need to mobilize?' And don't put the company's data at risk."