Avoiding basic BYOD blunders

Most companies have figured out how to sidestep BYOD security errors - have you?

By Michael Fitzgerald, CSO
February 14, 2013 03:15 PM ET

CSO - For all the sophistication and power of the modern cell phone or tablet, people think of them more or less like pens: You can use the generic ballpoints they have at the office, or you can bring the one you like from home. That's a consequence of high technology becoming pervasive. People use technology widely, and they might prefer what they use on their own time.

Pens, of course, can't access corporate networks (yet). But cell phones and tablets represent powerful computing devices; people might even be able to get more done using their personal devices for work. That's given rise to the BYOD (bring your own device) phenomenon. Almost five years ago, in January 2008, only 10 percent of U.S. companies responding to an Aberdeen survey said they allowed workers to use their home devices. In July 2012, that jumped to more than 80 percent of U.S. respondents. The same trend exists outside the U.S., though fewer companies elsewhere allow BYOD, with companies in the Asia-Pacific region most resistant.

Companies mostly allow BYOD for mobile phones and tablets, aiming to get the productivity benefits of mobile technology without having to shell out a lot of money for corporate cell phones. Notebook computers still tend to be provisioned by corporations.

One looming problem with BYOD: Just because workers have smart phones does not mean they'll be smart about security.

"I have no trouble with people bringing their own machines to work if, and only if, they are competent to run them," Dan Geer, a security researcher and chief information security officer at In-Q-Tel, the CIA's venture capital arm, said in an email. "If they are mere subscribers with a penchant for shiny things, then keep them out of the network."

The trouble is, when the worker who likes shiny things is the CEO, and wants to use his or her new iPad to run business intelligence dashboards, it creates real pressure on a CISO to respond. Common sense would say, "of course, the CISO will do the right thing and preserve the security of the network." Common sense would be sadly disappointed.

"When I started here a year ago, we had execs with iPhones or iPads and they'd bring it in and hook it up and walk around with it," says Ben Haines, CIO at Pabst Brewing Co. in Los Angeles. Haines said that when he pointed out the risks inherent in walking around with insecure connections, the executives immediately understood the issues. Haines set up a mobile device management policy and found a provider to handle it (MaaS 360 from Fiberlink), and in two weeks it was up and running.

Pabst is far from alone in its approach to BYOD. In fact, Aberdeen found more than half of the U.S. companies that allow employees to BYOD set no restrictions on devices. "Look, scream it from the rooftop, we know that mobility gives a real competitive advantage," says Andrew Borg, an analyst at Aberdeen. "But it appears that 'we've gotta go mobile now, we'll figure it out later' appears to be what many organizations are doing."
