The BYOD (Bring Your Own Device) trend is pressuring CIOs and IT managers into bad decisions. Many organizations aren’t happy with their mobile security options, so they’re trying to wait for the BYOD storm to pass.
“If you just say, ‘No,’ creative people will find workarounds to make their lives easier,” said Chris Herndon, Managing Director and Chief Technologist in MorganFranklin’s National Security Solutions business unit. “It’s what creative, tech-savvy people do, and it’s part of why they’re so valuable to your organization.”
Organizations can’t come down too hard on these employees, because these are the people who consistently find new ways to add to the bottom line. But you can’t let them become security risks just because you don’t want to tamp down their innovative ideas.
On the other hand, companies that go looking for a silver-bullet BYOD security solution will be disappointed to find that the promised all-in-one solutions are often anything but.
Before you evaluate any particular technology, get your mobile policies straightened out. “Policy is so critical,” Herndon said. “It’s painful for me to say, but so many large data breaches have been the direct result of the poor implementation of a technology that promised to solve the problem. Without a policy to guide how you deploy and manage the security solution, you will only incrementally – if at all – lower risks.”
If a big data breach hits just after you’ve convinced your CIO or CEO to invest in, say, an expensive MDM (Mobile Device Management) solution, whose job do you think will be on the line?
Bring Your Own Device – it’s a phrase that is simple to wrap your head around, yet it carries the notion that employees are now in charge.
And as any security pro knows, employees are the weakest links in the security chain. So why would you trust them with so many security responsibilities?
“I really wish the term BYOD would go away,” said Philippe Winthrop, Managing Director of the Enterprise Mobility Foundation. “It’s poorly conceived. It’s often mismanaged, and it leads to dumb decisions.”
Winthrop prefers the concept of COPE, or Corporate Owned, Personally Enabled. “The security mindset has to change,” he said. “We need to move away from protecting perimeters and towards a risk-management mindset.”
In other words, there will always be risks. In a mobile age, we can’t lock down everything, but we can take reasonable steps to reduce risks. Then, if a breach happens and your boss comes for your head, you’ll at least have a much easier time pinpointing what went wrong and why.
Being able to point out that you followed mobile security policies and deployed the appropriate technologies to enforce them may – you hope – be enough to keep you from getting fired.
With a risk-management mindset, you start by classifying data: some of it employees will legitimately need to reach from mobile devices, and that information should be stored and served differently from data typically accessed from an in-house PC. Classifying a data set as “mobile” may mean that employees can only view it on a secure web page, with no download or modification. Other data may be manipulated on the device itself, but only if secure partitioning separates it from the personal side of the device.
The concept of COPE sets the bar higher, and it contains a second key idea that is easy to overlook: “Corporate Owned.” Mobile risks are high enough that smartphones and tablets entering the enterprise should probably be purchased by the organization. Anything else introduces too much risk, at least at this early stage in the BYOD adoption cycle.
If nothing else, maintaining device ownership means that if IT completely wipes a device and, in the process, accidentally wipes personal data such as photos, the organization is within its rights. It’s the organization’s device, after all.
If it is the employee’s device you are wiping clean, however, don’t be surprised if you get serious pushback, even a lawsuit, if important personal information is erased along with sensitive corporate data.
From a risk management perspective, isn’t it smarter to just sidestep this nest of snakes?
And if you accidentally wipe a senior executive’s personal data from that person’s personal device, do you think the excuse of “I was following the policy” will work to save your skin?
One of the problems with pairing BYOD with MDM is that MDM only does so much, yet it is often advertised as a complete, all-in-one solution. MDM is essential, but it’s only part of the puzzle. For instance, mobile antivirus and firewall features are too often left to the discretion of end users.
So, how does IT know whether end users have AV turned on? Whether it is up to date? Whether critical patches are in place?
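Those three questions can only be answered if the policy defines what “compliant” means and something checks every device against it. The following is an added example, not code from the article or from any MDM vendor: a posture check that runs over a constructed inventory export (the record fields and the policy thresholds are assumptions, since real MDM APIs and exports differ) and flags each device that fails a gate. One gate the paragraph does not mention but a practitioner will want is check-in freshness: an agent that has not reported in days cannot vouch for the AV or patch state it last sent.

```python
from datetime import date

# Policy gates. These thresholds are illustrative assumptions, not values from the article.
POLICY = {
    "require_corporate_owned": True,   # the COPE stance discussed above
    "min_os_version": "7.0.0",          # lowest patch level still accepted
    "max_definition_age_days": 7,       # AV signatures older than this count as stale
    "max_checkin_age_days": 3,          # an agent silent longer than this cannot vouch for the device
}

# Constructed inventory records in an assumed schema (real MDM exports differ).
INVENTORY = [
    {"id": "tab-001", "owner": "corporate", "os_version": "7.1.2", "av_enabled": True,
     "av_definitions_date": "2013-05-20", "last_checkin": "2013-05-21"},
    {"id": "phn-002", "owner": "personal", "os_version": "6.1.3", "av_enabled": False,
     "av_definitions_date": "2013-04-01", "last_checkin": "2013-05-22"},
    {"id": "phn-003", "owner": "corporate", "os_version": "7.0.4", "av_enabled": True,
     "av_definitions_date": "2013-05-10", "last_checkin": "2013-05-12"},
]

# Fixed evaluation date so the constructed sample is deterministic.
EVAL_DATE = date(2013, 5, 22)


def parse_version(text):
    """Turn '7.1.2' into (7, 1, 2) so versions compare numerically, not as strings."""
    parts = tuple(int(p) for p in text.split("."))
    return parts + (0,) * (3 - len(parts))  # pad so '7.1' compares as (7, 1, 0)


def days_since(iso_day, today):
    """Whole days between an ISO date string in the record and the evaluation date."""
    return (today - date.fromisoformat(iso_day)).days


def evaluate_device(device, policy, today):
    """Return the list of policy gates this device fails (an empty list means compliant)."""
    findings = []
    if policy["require_corporate_owned"] and device["owner"] != "corporate":
        findings.append("not_corporate_owned")
    if parse_version(device["os_version"]) < parse_version(policy["min_os_version"]):
        findings.append("os_below_minimum")
    if not device["av_enabled"]:
        findings.append("av_disabled")
    if days_since(device["av_definitions_date"], today) > policy["max_definition_age_days"]:
        findings.append("av_definitions_stale")
    # Stale telemetry is itself a finding: every other answer is only as fresh as the last check-in.
    if days_since(device["last_checkin"], today) > policy["max_checkin_age_days"]:
        findings.append("not_checked_in")
    return findings


def non_compliant_devices(inventory, policy, today):
    """Map device id -> findings for every device that fails at least one gate."""
    report = {}
    for device in inventory:
        findings = evaluate_device(device, policy, today)
        if findings:
            report[device["id"]] = findings
    return report


if __name__ == "__main__":
    for dev_id, findings in non_compliant_devices(INVENTORY, POLICY, EVAL_DATE).items():
        print(dev_id, ", ".join(findings))
```

Feed it a real export and the output is the list IT hands to the help desk or the quarantine rule; the thresholds in `POLICY` are the part the written policy has to decide, which is the point Herndon makes above about policy driving the technology rather than the other way round.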