SEMA News—May 2012
By Joe Dysart
While tech-giddy employees are prone to fawn over every new iThing smuggled into the workplace—devices that are often used in violation of company policy—IT security pros see something very different: a security breach waiting to happen. The hard fact is that an unauthorized device can punch a hole in a company's defenses the moment it connects, exposing company data and applications to attackers. Even some authorized devices keep security staff up at night, since the management software a company already runs may not support the newest phones and tablets.
“‘Bring your own device’ can be a double-edged sword for enterprise IT departments,” said Zeus Kerravala, principal at ZK Research. “On one hand, there are great productivity gains to be had by enabling workers to use their own devices on the business network. On the other, provisioning, securing and managing those devices is a nightmare for IT.”
The reason? Security staff can safeguard the company network only when they know ahead of time which smartphones and tablets will be logging into it, and can manage them. Add a smartphone on the sly, running an operating system IT has never evaluated and apps that may carry malware, and every carefully configured defense is bypassed in an instant.
Even worse, the security tsunami created by unanticipated gadgets is expected to grow more ferocious in the coming year, tech experts said. About 48% of smartphones at the workplace these days are chosen by employees rather than IT departments, according to a December 2011 study released by market research firm Forrester. And rarely do employees even consult with IT to determine if the company’s computer pros can secure those phones.
“The consumerization of IT—sometimes called ‘Bring Your Own Device’ or BYOD—became one of the newer causes of data vulnerability” in 2011, echoed Mark Harris, a vice president at Sophos, which released details of the trend earlier this year in its Security Threat Report 2012.
Meanwhile, security pros such as those at Wisegate, an invitation-only social network for key players in IT security, also have special concerns about the widespread proliferation of unauthorized Android devices.
“Wisegate members are leery of the Android application marketplace because it is too uncontrolled,” Wisegate researchers wrote in their report, Effective ‘Bring Your Own Device’ Strategies, also released earlier this year. “Neither the developers, nor the applications, are screened and vetted. So it’s very possible that applications could present a security risk from viruses, malware and other vulnerabilities.”
In addition, the blurring barrier between business and personal technology is causing more than a little hand-wringing when a smartphone or other device suddenly goes missing and company legal and IT staffs are forced to inform a company employee that his or her entire device must be “wiped” or erased of all data—both business and personal. While companies generally ask employees to pre-approve such wiping in the case of device loss, Wisegate said that such agreements sometimes don’t hold up in court, even if the agreements are in writing. It cites a case in its report in which an employee sued—and won—against an employer who decided to wipe a lost device that was brimming with company data.
“Despite having signed a company policy agreement, the employee won the case because the court decided that too much time had passed between the affirmation of the policy and that data wiping,” Wisegate researchers wrote.
Thorsten Heins, CEO of RIM, the maker of the BlackBerry, is promising software later this year that will secure all makes of mobile phone on a business network.
Fortunately, there is some solace in Shiny-Thing Syndrome. Apparently, employees are so enthralled with their own smartphones that 48% are currently more than happy to pay the entire cost to bring that phone to work, as long as they can choose the exact model they want, according to Forrester. And an additional 9% are willing to at least pay some of the phone’s cost for the same privilege.
The same holds true for employees picking up the tab on voice and data plans. Forrester said that 40% of I-want-my-own-phone users are willing to pay the entire monthly bill in exchange for personal choice. And another 14% are willing to contribute at least some of the cost.
“While there is no guarantee that every employee wants one phone for both work and personal use, it’s clear from the data that a majority of U.S. information workers today are willing to share the cost,” said Ted Schadler, author of the Forrester Report, Consumerization Drives Smartphone Proliferation, released in December 2011.
Bottom line: With the torrent of both authorized and unauthorized employee-owned phones in the workplace showing no signs of abating, security IT consultants said that it’s imperative for any company caught in the current to establish a crystal-clear Bring Your Own Device Policy. Key to that policy, according to Wisegate:
Invite Everyone to the Policy Bake: Companies will get easier buy-in if everyone to be impacted by the policy participates in its creation. For BYOD, that includes IT people, human resources, legal and staff department heads.
Shop Security Solutions Thoroughly: The good news is that security-solutions providers are well aware of the BYOD threat and have been busy coming up with answers. The next version of BlackBerry Enterprise Server, for example, which currently manages only BlackBerry smartphones, is promising to add management and security for other makes of smartphone as well. Before buying, confirm that a product can actually enforce its policies on the specific phones and operating-system versions your employees carry; a policy the device ignores is no policy at all.
Allow Only E-Mail That Resides on the Network: Ideally, employees would read company mail from their smartphones when they sync with the company server without a copy being stored on the handset, so that a lost phone takes no mail with it. In practice most phone mail clients keep a local copy of whatever they sync, so the realistic version of this rule is to limit how much is cached (for example, only recent messages and no attachments), require device encryption, and keep the ability to wipe the device remotely. The master copy then stays safe on the company mail server even when the phone does not.
Define Sensitive Data: You’d think this would be a no-brainer. But then again, if you don’t define what’s meant by “sensitive company data,” the first line you’re likely to hear from a hapless employee is “I didn’t know.”
Force Password Strength on All Devices: As the breaches attributed to Anonymous have painfully shown, a security system is only as strong as its weakest password. Security experts recommend passwords of more than 12 characters that mix letters, numbers and symbols, and they advise companies to enforce that rule by having the server or management software reject weaker passwords automatically rather than trusting employees to comply. Pair the password rule with an idle-time lock and a limit on failed unlock attempts, since a strong password on a phone that never locks protects nothing.
Get Explicit About Photos: With cameras on virtually every smartphone, companies need to clearly define what workers can and can’t snap. Essentially, you don’t want pretty images on Facebook of products that are in development, company whiteboards, trade-secret work areas and the like.
Decide Who Owns the Phone Number: A new conundrum for our technological age has become very touchy: deciding who gets the phone number after the break-up. A key salesperson who takes his/her phone number along to the next job—which may be at a competitor—could steal a good deal of business away from your firm in the process. Ditto for top executives who keep their phone numbers and move on down the road.
Be Careful Where You Wipe: Dealing with lost or misplaced smartphones and other devices may be easier if you buy software that can wipe business data only while preserving personal data. That approach creates its own headache, however, since many people mix personal and business data within the same application and sometimes even within the same folder or file; the most a selective wipe can reliably remove is what lives in a separately managed container, such as the company mail account.
Insist on Timely Notification of a Loss: You’d think that an employee would be smart enough to quickly report a lost smartphone or tablet. But then again, you’d expect that employee not to lose the device in the first place. Be sure to secure in writing the promise of timely notification of a loss.
Encourage Employees to Vote Early and Often: To protect against employees who sign and forget BYOD agreements, require employees to re-sign such agreements every six months. Such precautions could insulate your firm against I-forgot-I-signed-that laments and lawsuits.
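The device-side rules above (password strength, limiting the mail a phone holds, cameras, prompt wiping after a reported loss) are only as good as the server that enforces them. What follows is an added example, not part of the article or of Wisegate's report: an Exchange 2010 ActiveSync mailbox policy, written for the Exchange Management Shell, that turns those rules into settings every phone syncing company mail must accept before it is allowed to sync. The policy name "BYOD-Standard", the mailbox "jsmith" and the device type picked out for the wipe are assumptions made for this example.

```powershell
# Added example (not from the article or Wisegate): an Exchange 2010
# ActiveSync mailbox policy that enforces the BYOD rules on any phone that
# syncs company mail. Assumes the Exchange Management Shell; the policy
# name "BYOD-Standard" and the mailbox "jsmith" are invented for the example.

# Password rules from the article: more than 12 characters, letters plus
# numbers plus symbols, simple numeric PINs rejected. The idle lock, the
# failed-attempt limit and device encryption are the companion settings
# that make the password rule worth having on a phone.
New-ActiveSyncMailboxPolicy -Name "BYOD-Standard" `
    -DevicePasswordEnabled $true `
    -AlphanumericDevicePasswordRequired $true `
    -MinDevicePasswordLength 13 `
    -MinDevicePasswordComplexCharacters 3 `
    -AllowSimpleDevicePassword $false `
    -DevicePasswordHistory 5 `
    -MaxInactivityTimeDeviceLock 00:05:00 `
    -MaxDevicePasswordFailedAttempts 10 `
    -RequireDeviceEncryption $true `
    -RequireStorageCardEncryption $true `
    -AllowNonProvisionableDevices $false

# "Allow Only E-Mail That Resides on the Network": the phone still caches
# what it syncs, so limit the cache to two weeks of mail with no attachments.
Set-ActiveSyncMailboxPolicy -Identity "BYOD-Standard" `
    -MaxEmailAgeFilter TwoWeeks `
    -AttachmentsEnabled $false

# "Get Explicit About Photos": on devices that honour the setting, the camera
# can be disabled outright instead of relying on the signed agreement alone.
Set-ActiveSyncMailboxPolicy -Identity "BYOD-Standard" -AllowCamera $false

# Assign the policy to a user's mailbox; phones that cannot apply it are
# refused a sync partnership because AllowNonProvisionableDevices is $false.
Set-CASMailbox -Identity jsmith -ActiveSyncMailboxPolicy "BYOD-Standard"

# "Insist on Timely Notification of a Loss": once the loss is reported, find
# the user's partnered device (here assumed to be an iPhone) and wipe it.
$lost = Get-ActiveSyncDevice -Mailbox jsmith | Where-Object { $_.DeviceType -eq "iPhone" }
Clear-ActiveSyncDevice -Identity $lost.Identity -Confirm:$false
```

Two caveats a practitioner should keep in mind. First, Clear-ActiveSyncDevice in Exchange 2010 is a full device wipe, which is exactly the "Be Careful Where You Wipe" problem above; a wipe limited to company data needs a separate device-management or container product. Second, the camera and attachment restrictions, like the password rules, are enforced by the phone's own mail client, so a handset that does not implement a setting will either ignore it or be blocked by the non-provisionable-device rule; that is the concrete form of the advice to check that a product really supports the phones your employees carry.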