We are a society obsessed with gadgets—constantly on the lookout for the newest, shiniest gizmo that our money can buy. It is no surprise, then, that the concept of BYOD (bring your own device) has gained so much traction within the business world. Employees are accustomed to the advanced technologies and tools that their personal devices offer, and are beginning to demand that those same resources be made available on their work devices. The BYOD trend took off when people threw up their hands and said, “Why not combine the two—personal and work?” With a mobile workforce largely utilizing options like telecommuting, it only makes sense. But if handled incorrectly, BYOD can bring on a world of security and privacy issues for both the employee and the employer. How times have changed since the simplicity of the landline telephone… or have they really changed that much?
In all honesty, BYOD is not a new issue for IT departments; the issue with BYOD is secure data storage, which is an issue that has been around for decades… but the device keeps changing. Not too long ago, there were concerns with employees carrying floppy disks (remember those?) to and from work—editing files at home on a personal computer and bringing the floppy disk back into the workplace, oftentimes infected with a virus. From the floppy disk, employees moved on to CDs, DVDs and USB mass storage devices, which changed the amount of storage space from hundreds of megabytes to hundreds of gigabytes. Not too long ago, there was no internet connection and no e-mail; the only risk of data loss was losing a storage device like a floppy disk or, on rare occasions, the threat of an insider selling data. Now that BYOD has progressed into mobile technologies, there are many new issues to address.
A smartphone capability that makes BYOD especially difficult to address from an IT security standpoint is mobile cloud storage. For example, the first and second generations of the T-Mobile Sidekick store all of the user’s data in a cloud environment: all of the user’s e-mail, contacts, photos and other information are replicated from the phone to the T-Mobile website. What happens if a malicious hacker finds a way into the T-Mobile site? The malicious hacker would have full access to everything that was on the individual’s mobile phone... which is precisely how Paris Hilton was hacked. What if that information was not purely personal? What if there were also work contacts and work e-mails, possibly with company confidential information?
Traditionally, IT departments have been against employees bringing their own devices into the work environment because it opens up a plethora of security issues if handled incorrectly—and with new mobile technologies there are many new issues that arise, like mobile cloud storage and a 24/7 internet connection, just to scratch the surface. So what does it mean to handle BYOD correctly? Whether discussing a floppy disk or a smartphone, handling BYOD correctly entails having a clear BYOD policy, including clearly stated security guidelines for employees. Technical policy enforcement is also a key element, whether through secure encrypted container management or Mobile Device Management (MDM).
Many of the current issues surrounding BYOD are similar to the BYOD issues from ten, fifteen, or twenty years ago, because it isn’t the devices that need to be managed, but the data stored within the device. Strong policies, employee guidelines and good communication will help IT departments navigate the latest BYOD hype.
Dan Sherman is Director of Information Security at Telos Corporation