While tech-giddy employees are prone to fawn over every new iThing smuggled into the workplace — devices often used in violation of company policy — IT security pros see something very different: a security breach waiting to happen.
Many of these unauthorized devices can slash gaping holes in company security systems in a nanosecond, exposing company data and applications to hackers. Matt Christensen, IT manager at Codale Electric Supply, Salt Lake City, Utah, takes no chances. “Just like a computer, we will only allow mobile devices to connect to our network resources that are still ultimately managed by our IT systems,” he says.
Kevin Hamm, IT manager, Stanion Wholesale Electric, Pratt, Kan., is also on alert. He says Stanion has multiple layers of software security in place that permit access by employee-owned smartphones. Allowing employees to bring their own mobile devices into the workplace can be a double-edged sword for enterprise IT departments today, says Zeus Kerravala, principal, ZK Research, Ashburnham, Mass. On one hand, he says, there are great productivity gains to be had by enabling workers to use their own devices on the business network. On the other, provisioning, securing and managing those devices is a nightmare for IT.
The reason? Company IT personnel are only able to safeguard the company network when they know ahead of time what kind of smartphones and tablets will be logging into the system. Add a new smartphone on the sly — with an unfamiliar operating system and apps that may be riddled with viruses — and all of security's carefully coded defenses can be shredded in an instant. With the rise of cloud enterprise apps, any smartphone is capable of reaching company data and potentially breaching data security policies.
Even worse, the security tsunami created by unanticipated gadgets is expected to grow more ferocious in the coming year, tech experts say. An estimated 48% of smartphones at the workplace are now chosen by employees rather than IT departments, according to a Dec. 2011 study released by market research firm Forrester. And employees seldom consult with IT to determine if the company's computer pros can secure those phones.
“The consumerization of IT, sometimes called ‘Bring Your Own Device’ or BYOD, became one of the newer causes of data vulnerability” in 2011, says Mark Harris, a V.P. at SophosLabs, Boston, which detailed the trend in its “Security Threat Report 2012” (www.sophos.com/medialibrary/PDFs/other/SophosSecurityThreatReport2012.pdf), released earlier this year.
Meanwhile, security pros like those at Wisegate, an invitation-only social network for key players in IT security, also have special concerns about the widespread proliferation of unauthorized Android devices. “Wisegate members are leery of the Android application marketplace because it's too uncontrolled,” Wisegate researchers wrote in their report, “Effective Bring Your Own Device Strategies” (www.wisegateit.com/resources/downloads-byod), released earlier this year. “Neither the developers nor the applications are screened and vetted. So it's very possible that applications could present a security risk from viruses, malware and other vulnerabilities.”
In addition, the blurring barrier between business and personal technology is causing more than a little hand-wringing when a smartphone or other device suddenly goes missing and a company's legal and IT departments are forced to inform a company employee that their entire device must be “wiped” or erased of all data — both business and personal. While companies generally ask employees to pre-approve such wiping in the case of device loss, Wisegate says such agreements sometimes don't hold up in court, even if the agreements are in writing. It cites a case in its report in which an employee sued — and won — against an employer who decided to wipe a lost device that was brimming with company data.
“Despite having signed a company policy agreement, the employee won the case because the court decided that too much time had passed between the affirmation of the policy and that data wiping,” Wisegate researchers write. Fortunately, there's at least one ray of hope in employees' infatuation with their own smartphones. Employees are apparently so enthralled with their own smartphones that 48% of them are more than happy to pay the entire cost to bring that phone to work as long as they can choose the exact model they want, according to Forrester. And Forrester says an additional 9% are willing to at least pay some of the phone's cost for the same privilege.
Moreover, the same holds true for employees picking up the tab on voice and data plans. Forrester says 40% of “I-want-my-own-phone” users are willing to pay the entire monthly bill in exchange for personal choice, and another 14% are willing to contribute to at least some of the cost.
“While there is no guarantee that every employee wants one phone for both work and personal use, it's clear from the data that a majority of U.S. information workers today are willing to share the cost,” says Ted Schadler, author of the Forrester report, “Consumerization Drives Smartphone Proliferation” (www.forrester.com/rb/Research/consumerization_drives_smartphone_proliferation/q/id/61088/t/2), released in Dec. 2011.
Codale's Christensen says that on balance, the trend has been kind to the company. Employee-owned phones have been a “net gain for sure,” he says. “We do not require our employees to use the traditional company-supplied Blackberry; we let them use their device of choice. When they get to use the device they want to use, then they want to use it more and more for work purposes.”
Other IT managers, like Stanion's Hamm, feel there's an overwhelming inevitability to it all. “We believe the proliferation of smart devices in the workplace — whether employee-owned or company-owned — to be a force that would be very difficult to stop.”
Bottom line: With the torrent of employee-owned phones in the workplace, both authorized and unauthorized, showing no signs of abating, IT security consultants say it's imperative for any company caught in the current to establish a crystal-clear Bring Your Own Device policy.
Safe Solutions for Allowing Employees to Use Their Mobile Devices at Work
Here are some ideas on how your company can stem the tide of the mobile revolution from Wisegate (www.wisegateit.com), a private invitation-only community of senior information technology professionals.
Invite everyone to the policy bake
Companies will get easier buy-in if everyone to be impacted by the policy participates in its creation. For Bring Your Own Device (BYOD), that includes IT people, human resources, legal and staff department heads.
Shop security solutions thoroughly
The good news is that security solutions providers are well aware of the BYOD security threat and have been busy coming up with solutions. The next version of Blackberry Exchange Server, for example, which currently secures only Blackberry smartphones, is promising to add security protection for all smartphones.
“We use a mobile device manager application from Zenprise to push device profiles ranging from email settings, wireless, VPN, apps and additional security settings to make sure devices stay consistent across the organization,” says Codale Electric's Matt Christensen.
Research existing solutions
Here are some places to start: Good Technology (www.good.com/); MobileIron (www.mobileiron.com/); Excitor DME (www.excitor.com/); Fiberlink's MaaS360 (www.maas360.com); Microsoft ActiveSync (www.microsoft.com/download/en/details.aspx?id=15); IBM Traveler (www.ibm.com); McAfee EMM (www.mcafee.com/us/products/enterprise-mobility-management.aspx); and SOTI MobiControl (www.soti.net/mobicontrol/).
Only allow email that resides on the network
Be sure employees can only access — but not physically download — company mail with their smartphones and similar devices when they sync with your company server. Under that scenario, if they lose the phone, their email will still be safe and secure on your company mail server.
Define sensitive data
You'd think this would be a no-brainer. But then again, if you don't define what's meant by sensitive company data, the first line you're likely to hear from a hapless employee is, “I didn't know.”
Force password strength on all devices
As the scary folks with Anonymous, a group of malicious computer hackers, have painfully shown us, a security system is only as strong as its weakest password. As a deterrent, security experts recommend passwords of more than 12 characters that include a mix of letters, numbers and symbols. They also advise companies to program automatic rejection of passwords that are less complex.
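The automatic rejection the experts recommend is easy to put in front of device enrollment. The following is an added example, not code from the article, Wisegate, or any of the vendors named here: a small policy check that implements the stated criteria (more than 12 characters, with letters, numbers and symbols) and reports every rule a passcode breaks so the employee can fix it in one attempt. The thresholds, the device names and the sample passcodes are constructed for illustration.

```python
"""Added example: a device-passcode policy check of the kind an MDM or
enrollment portal can run before a phone is allowed onto the network.
Thresholds are assumptions matching the article's advice: more than
12 characters, with a mix of letters, digits and symbols."""
import string
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class PasswordPolicy:
    """Rules a passcode must satisfy. Frozen so one instance can be shared safely."""
    min_length: int = 13                      # "more than 12 characters"
    require_letter: bool = True
    require_digit: bool = True
    require_symbol: bool = True
    allowed_symbols: str = string.punctuation  # what counts as a "symbol"


def policy_violations(password: str, policy: PasswordPolicy = PasswordPolicy()) -> List[str]:
    """Return every rule the passcode breaks; an empty list means it is acceptable.
    Reporting all violations at once avoids a frustrating one-error-per-try loop."""
    problems: List[str] = []
    if len(password) < policy.min_length:
        problems.append(
            f"must be at least {policy.min_length} characters (got {len(password)})"
        )
    if policy.require_letter and not any(c.isalpha() for c in password):
        problems.append("must contain at least one letter")
    if policy.require_digit and not any(c.isdigit() for c in password):
        problems.append("must contain at least one digit")
    if policy.require_symbol and not any(c in policy.allowed_symbols for c in password):
        problems.append("must contain at least one symbol")
    return problems


def is_acceptable(password: str, policy: PasswordPolicy = PasswordPolicy()) -> bool:
    """True only when the passcode passes every rule in the policy."""
    return not policy_violations(password, policy)


# Constructed sample enrollment requests (device id -> passcode the user chose).
# These are illustrative values, not data from the article.
SAMPLE_ENROLLMENTS: Dict[str, str] = {
    "sales-phone-01": "Summer2012",            # too short, no symbol
    "exec-tablet-07": "Wholesale!Pratt#2012",  # meets every rule
    "warehouse-05": "abcdefghijklmno",         # long enough, but letters only
}


def screen_enrollments(
    enrollments: Dict[str, str], policy: PasswordPolicy = PasswordPolicy()
) -> Dict[str, List[str]]:
    """Map each device id to its violations; devices with an empty list may enroll,
    the rest are rejected automatically with the reasons attached."""
    return {device: policy_violations(pw, policy) for device, pw in enrollments.items()}


if __name__ == "__main__":
    for device, problems in screen_enrollments(SAMPLE_ENROLLMENTS).items():
        status = "ACCEPT" if not problems else "REJECT: " + "; ".join(problems)
        print(f"{device:15s} {status}")
```

Because the policy is a plain data object, IT can tighten it (longer minimum, a narrower symbol set) in one place without touching the check itself, and the violation list doubles as the message returned to the device owner.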
Get explicit about photos
With cameras on virtually every smartphone, companies need to clearly define what workers can and can't snap. Essentially, you don't want pretty images on Facebook of products that are in development, company whiteboards, trade-secret work areas and the like.
Decide who owns the phone number
A new conundrum for our technological age, deciding who gets the phone number after an employee leaves or is terminated, has become very touchy. A key salesperson who takes his/her phone number along to the next job — which may be at a competitor — could steal a good deal of business away from your firm in the process. Ditto for top executives who keep their phone numbers and move on down the road.
Be careful where you wipe
Dealing with lost/misplaced smartphones and other devices may be easier if you buy software that allows you to wipe business data only, while preserving personal data. Of course, that approach could also create its own headache, since many people mix their personal and business data within the same application, and sometimes even within the same folder or file.
Insist on timely notification of a loss
You would think an employee would be smart enough to quickly report a lost smartphone or tablet. But then again, you'd expect that employee not to lose the device in the first place. Be sure to secure the promise of timely notification of a loss in writing.
Encourage employees to vote early and often
To protect against employees who sign-and-forget BYOD agreements, require employees to re-sign such agreements every six months. Such precautions could insulate your firm against “I-forgot-I-signed-that” laments and lawsuits.