BYOD – Get that iPad out of the board room (please).
19 January 2012
The BYOD drum seems to be beating in the IT/Business worlds. Here are some of my opinions at this current point in time. Please remember that I’m specifically talking about staff bringing their own ‘personal’ devices into the workplace to access company systems.
Where did the Bring Your Own Device trend start?
The trend of BYOD (Bring Your Own Device) really started with mobile phones, particularly smartphones and email. Yes, you had other devices, but generally smartphones started the rise of BYOD; the iPhone ramped it up faster than ever. You had business leaders forcing IT teams to allow them to pick up corporate email on devices that couldn’t really be secured effectively. You also had staff bringing in their own phones wanting to pick up work email and personal email on the same device. They’d also want to connect these devices to the wireless network and to plug them into their work machines like USB disks. The threat landscape was altered dramatically and we really started to see the ramp up of Network Access Control (NAC) and end-point control, particularly around USB ports. It was difficult to secure these devices, and many of those difficulties still remain. If you haven’t got centralised control – you have very little control.
How has the BYOD (bring your own device) landscape evolved?
I don’t generally see a huge amount of change – yes we see the iPhone and iPads, but they are still generally used for picking up emails and web browsing. I do however see a lot of hype from the cloud, security and thin-client markets but a lot of that is just an attempt to build a movement.
Security and business leaders must balance security against business enablement. However, that’s a difficult balance to strike, as no business should be opening itself up to serious security risks. If a member of staff needs a mobile phone or a tablet then the business should be providing and controlling that device. If the business doesn’t own the device then it’s difficult to secure it without being restrictive on the personal side.
Why can’t the CIO bring in their iPad?
The CEO should not be allowed to bring whatever technology they wish into the corporate network. If they do, then the IT security team should state clearly, in writing, why that technology puts the business at risk, with a clear area for the CEO to sign acceptance of that risk. It would take a brave and foolish CEO to ignore a written statement of risk backed up by facts. If they sign off on the risk for their own personal benefit over the benefit of the company, then they should be looking for another job anyway.
The example has to be set from the top down. Once the CEO sits in a meeting with an iPad or something similar then that’s it – every Director then needs one, then every manager, and so on. It’s often too easy for IT teams to roll over and play the politics game, and if they do then they are negligent in their duties.
Won’t BYOD save me money?
I can’t see any real way a business will save money by choosing a BYOD strategy. BYOD will typically incur greater IT management, integration, administration and IT security costs – well, it should do: you aren’t going to accept significant risk within your business.
It was only a few years ago that everyone was talking about increasing productivity within the workplace through IT. Can you really do that when everyone’s walking around with their own mobile devices hooked up to the internet with a 3G card?
I understand there are always exceptions, but generally the money saving case will not stack up under scrutiny.
How to keep secure if you do opt for BYOD
Obviously every environment and business is different, but here are some generic common sense things to do to keep your environment secure.
- VPN – If employees are going to connect to the corporate network, especially over Wi-Fi, then you need to be securing those connections via a VPN.
- Encryption – Any device that holds any corporate information, even just a stored password, should be encrypted.
- Endpoint Protection – You need to secure the device from web-based threats, viruses and other malware.
- Firewall – A firewall is essential for any device that connects to the internet outside of the corporate network.
- Have a clear policy – Make sure you clearly state in writing what your policy is on consumer-based devices in the corporate network and when accessing corporate systems remotely. Also make sure that it dovetails with the employment contract.
- Remote Wipe and Lock – If a device is lost or stolen then you need to be able to lock it and wipe it remotely.
- Geo-location tracking – Allows you to track a device anywhere in the world if it’s lost or stolen.
- 2-factor authentication – Any device that connects to the corporate network, especially remotely, must use 2-factor authentication. It’s too easy to get past single-factor authentication systems.
- Education – Probably one of the most important things to do is educate staff about general IT security and the risks it poses to the business. You’d be surprised how effective IT security training is in reducing risks within a business.
- External review – Have your plans and environment reviewed by an external security professional.
My opinion in summary
Mobile devices generally make a positive impact within a business. However, the devices should be owned, supplied and controlled by the company. If you want to allow employees some freedom on these devices then so be it – but don’t take risks. No, we haven’t had a major security breach on major platforms like Apple or Android – but we will. Don’t believe that any device is secure; typically it is not. You have to put the measures and systems in place to secure them, and that’s much easier to do when the device is owned by the business.
Don’t make any decisions unless you can truly justify a clear business case.