BYOD is a Bunch of FUD

Monday, July 16, 2012

Marc Quibell


BYOD - Bringing your own device. To work, home, on vacation, to the can... wherever it's convenient.

Lately there has been some misleading hype and confusion concerning the use of these gadgets in the workplace.

First, let's step back for a minute and take a moment to reflect upon exactly what these things are - remember the days before the TouchPad, the Smartphone or the iPad products? What did we do when we needed to work on documents away from work?

We did things like... take the paper documents home or with us in our briefcases. Think of the briefcase as the TouchPad of today. Now, ask yourself this: How is that different from BYOD?

What about more recent times when we emailed our documents to ourselves and then worked on them from our home computers?

Times have changed however, and I'm not talking about the technologies involved. I'm talking about the rules and regulations we have to follow, and the best practices we as employees must abide by - as opposed to the days of the old briefcase - when it comes to protecting the data with which we are entrusted.

The concept of BYOD is nothing new: it allows us to work out of the office on certain, mundane work projects, just like we did when we worked out of our briefcases.

The point: Let's not get convenience confused with security practices and concepts concerning the vigilance of data protection.

For example:

  • You should not be emailing yourself work documents, as a general practice. This is why companies are now deploying DLP products that prevent employees from doing these sorts of things
  • You should only be working on company documents if you are using the company's secure remote access solution. This assures that the document(s) remain confidential and available and that their integrity is maintained
  • You also should not hand-carry paper documents, use portable electronic storage devices or use any other means to physically transport company data out of the company's network, unless it is an authorized, approved solution sanctioned by the organization. Again, this assures that the document(s) remain confidential and available and that their integrity is maintained
  • Finally, using cloud services such as Google Docs to store company data is another no-no, unless of course it is a previously approved solution

The days of freely manhandling company data are gone. Employees have additional responsibilities today to ensure the security of the information they are charged with, and BYOD does not change any of this.

In fact, we are now reaching the point where the organization can no longer afford to rely on "employee best judgment", or even on an employee's intentions, concerning the handling of information.

Unfortunately, organizations can no longer afford to trust employees to do the right thing, even when they are clear about what is right versus what is wrong. No amount of training or awareness can cure malicious intent or carefree attitudes.

Hence the advent of DLP implementations, anti-virus/malware programs, hard drive encryption, SIEM and other logging practices... even cameras at the work place.
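To make the DLP point above concrete (the "don't email yourself work documents" rule and the DLP/SIEM controls that enforce it), here is an added example of the kind of rule check a DLP or mail-gateway policy applies to outbound mail. It is illustrative code written for this page, not a product and not anything from the author or Infosec Island; the corporate domain `example.com`, the webmail domain list, the classification markers and the sample events are all constructed assumptions.

```python
"""
Minimal DLP-style rule check over outbound mail events.

Added illustrative example; the domains, markers and sample events
are constructed for the demonstration and are not real data.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

CORPORATE_DOMAIN = "example.com"                      # assumption: the employer's domain
PERSONAL_WEBMAIL = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}  # assumption
DOCUMENT_EXTENSIONS = (".docx", ".xlsx", ".pptx", ".pdf", ".csv")
# Classification banners that should never leave the corporate domain (assumed markers).
CLASSIFICATION_MARKERS = re.compile(r"\b(CONFIDENTIAL|INTERNAL ONLY|RESTRICTED)\b", re.I)


@dataclass
class MailEvent:
    """One outbound message as a mail gateway or SIEM would log it."""
    sender: str
    recipients: list[str]
    subject: str
    attachments: list[str] = field(default_factory=list)
    body: str = ""


@dataclass
class Finding:
    rule: str
    action: str      # "block" (stop delivery) or "alert" (deliver, notify security)
    detail: str


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()


def _local_part(addr: str) -> str:
    return addr.split("@", 1)[0].lower()


def evaluate(event: MailEvent) -> list[Finding]:
    """Return every rule that fires for this event (empty list means clean)."""
    findings: list[Finding] = []
    has_doc = any(a.lower().endswith(DOCUMENT_EXTENSIONS) for a in event.attachments)
    marked = bool(CLASSIFICATION_MARKERS.search(event.subject + "\n" + event.body))

    for rcpt in event.recipients:
        dom = _domain(rcpt)
        if dom == CORPORATE_DOMAIN:
            continue  # internal delivery is out of scope for these rules

        if dom in PERSONAL_WEBMAIL and has_doc:
            # Heuristic for "emailing yourself": same mailbox name at a webmail provider.
            if _local_part(rcpt) == _local_part(event.sender):
                findings.append(Finding("self-forward-to-webmail", "block",
                                        f"{event.sender} -> {rcpt}: {event.attachments}"))
            else:
                findings.append(Finding("document-to-webmail", "alert",
                                        f"{event.sender} -> {rcpt}: {event.attachments}"))

        if marked:
            # A classification banner leaving the domain is blocked regardless of recipient.
            findings.append(Finding("classified-content-external", "block",
                                    f"{event.sender} -> {rcpt}: marker in subject/body"))
    return findings


def decide(event: MailEvent) -> str:
    """Collapse findings into the gateway verdict: block beats alert beats allow."""
    actions = {f.action for f in evaluate(event)}
    if "block" in actions:
        return "block"
    if "alert" in actions:
        return "alert"
    return "allow"


# Constructed sample events (not real traffic).
SAMPLE_EVENTS = [
    MailEvent("jdoe@example.com", ["jdoe@gmail.com"], "for tonight", ["Q3-forecast.xlsx"]),
    MailEvent("asmith@example.com", ["partner@supplier.example.net"], "draft",
              body="INTERNAL ONLY - do not distribute"),
    MailEvent("asmith@example.com", ["team@example.com"], "notes", ["notes.docx"], "CONFIDENTIAL"),
    MailEvent("jdoe@example.com", ["friend@gmail.com"], "lunch?", body="noon?"),
    MailEvent("bchen@example.com", ["bchen.personal@outlook.com"], "deck", ["slides.pptx"]),
]


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(decide(ev).upper(), ev.sender, "->", ev.recipients,
              [f.rule for f in evaluate(ev)])
```

The rules are deliberately simple: real DLP products fingerprint documents and inspect attachment contents rather than trusting file names and banners, but the structure (per-recipient evaluation, a block/alert/allow verdict, and a finding record that can be shipped to the SIEM) is the part that matters for the argument in the post.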

I have seen reports that pit "users vs. IT". This is absolutely not an "us vs. them" scenario; it is the duty of all of us to protect the data we are entrusted with, first and foremost.

The only reason it turns into an "us vs. them", or really an "employee vs. employer", scenario is that users have failed to realize (or fail to abide by) the philosophy that we all share the common responsibility of keeping our information safe and, just as importantly, keeping our customers' information safe.

BYOD is not a new concept. Ever hear of a laptop? Do you bring your laptop to work expecting full and unfettered access? I don't care about the number of employees who BYOD to work and play Angry Birds.

It's just a new technology, and like any other technology it must follow the same data access and handling rules that apply to every other handling method, whether that is a briefcase or a home computer. If the company provides secure remote access methods, use them.

The alternative is definitely not to expose our data for your convenience.

Now can we move on?

David Dennis: This is really where security people--actually technology people as a whole--should start. To be part of the business solution, you need to start with the business. Unfortunately, the consumerization of technology has inundated everyone with the "newness" of technology and short-circuited everyone's priorities.

The first question should be: How do we do it now? Briefcase, email, flash drive? We may actually find occasionally that the answer is "we don't" or "we can't". But I suspect that it won't come up as much as we suspect.

Question Two: What's wrong with the current way? This is where we'll flush out the cost, slowness, inefficiency and insecurity of how things are currently done. People across the board will volunteer items for this list, but you need to keep the list so you can make sure current weaknesses aren't perpetuated in any new solution.

Question Three: What problems are introduced with a new solution? Since the new solution should solve one or more of the current state's weaknesses, that "question" has already been answered. Answering the question about the future solution's weaknesses gives you a better risk analysis--and may give business leaders a wake-up call.

Question Four is actually the main business question: What priorities do you assign to the risks and opportunities of current state and future solutions? Business leaders are supposed to do this all the time, so framing the tech decisions in this light gives them the best information for good decision making. It gives them the best chance of avoiding the consumer attitude of "I just want that".

It may also be a wake-up call for what the business's real priorities are. For example, the school district where my kids go is trying out a BYOD policy so they can start using ebooks instead of paper textbooks. But they haven't made the transition from "cell phones will be confiscated for inappropriate use" to "everyone bring in your own device to use for all kinds of class-related work." If a current state problem is inappropriate use (one campus ends up with almost 75 confiscated phones a year), how will multiplying the number of uses (and Internet access) and devices improve things? That must be weighed against the benefits of schools getting out of the technology hardware and textbook stocking business.

Terry Perkins: I believe it being FUD is a little misleading. Yes, the briefcase could be stolen, but you would have to have physical access to it. Not the case anymore.

No FUD here.
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.