My former work in British government security department ensured my first response to people bringing their own computing power into the office was defensive. How could the presence of uncontrolled, powerful computing devices not compromise security?
For everyone else, the concept of BYOD has been a sleeper. There have even been some recent attempts to see a ‘glass half full’ by selling the idea that we can use this as a business opportunity to pass the responsibility for computing resources back to employees and contractors. That might work with small organizations, though even these should be aware that the risks of BYOD include the need to demonstrate legal compliance as well as confidentiality. Any breaches of those compacts will naturally lead to expensive litigation – as well as the loss of a very large slice of credibility.
Back to my introduction to BYOD in a state-run environment. In much the same way that desktop networking had at first seemed unmanageable, and likewise then connection to the Internet, BYOD came with a raft of apparently insoluble problems. Primarily, these were around new staff expectations of being able to deploy technology they were used to using privately and the risks of letting go of certain security controls in order to meet those expectations.

Some early – and rather desperate – proposals for solutions included physically disabling cellphone cameras by putting a hot wire through the lens, covering IR ports with special tape, and an array of expensive shielding devices using the ‘Faraday cage’ concept. Of course these were half-measures which only permitted the presence of mobile devices while disabling their functionality, a highly conservative response that failed to recognize changes in societal computing.

Once this line had been breached, more complex solutions were drafted, including permitting only privileged staff to bring their devices into work and the ‘zoning’ of work areas, i.e. so that the most sensitive parts of the office would – in theory – be off-limits to mobile devices. Problems included putting controls on personally owned devices as well as the difficulty of enforcing rules to restrict their movement. New challenges included how to reconcile the loosening of security controls with the more conservative requirements of some data-sharing partners.
Fortunately, most organizations should be able to deploy a risk-managed approach to BYOD. But the emphasis here is on management – not fire-and-forget policy making that will eventually be subverted by users while becoming outdated as technology ramps up and threats change.
As a minimum:
- There should be a technology-minded person with a reporting chain to the CEO who knows about the vulnerabilities of BYOD and stays up to date with technology
- Security policies should be written into employment agreements. BYOD is not a right, and it involves responsibilities
- A security awareness program that presents clear and up-to-date examples of why local restrictions on BYOD are necessary (i.e. to comply with State and Federal laws and with contracts), as well as who to contact when advice is needed – or when things go wrong
- The prompt recording and reporting of BYOD security incidents to the technology-minded person identified above, to ensure that any changes to risk tolerance are addressed quickly
Finally, an expectation and clear understanding from CEOs that the more use is made of BYOD, the higher the risk of a security incident occurring. This should form the basis of a documented acceptance of risk, arrived at after the application of practical countermeasures.
Not all organizations will have a high tolerance for BYOD, in particular those associated with government and those holding larger volumes of personal and contracted information. But a carefully balanced and consistently monitored approach should make the security risks tolerable. Where you can, enjoy the flexibility and benefits that BYOD can offer!