In the modern era of lean business applications, the idea of employees bringing their own device into the workflow makes perfect sense. Allowing private devices to be used for business applications negates much of the initial hardware expense, allows for private ownership over security, and even promotes a genial feel to organizational hierarchy.
That being said, bring-your-own-device, or BYOD, is perhaps the greatest security threat to the modern corporation, and unfortunately, it’s almost never considered as such. The allure is strong, and in the rush to adopt what seems like a great idea, these security failures inherent to the concept are often ignored, resulting in dramatically increased threat and vector for a multitude of attacks.
Today, we’re going to look at the risk inherent in the BYOD system. We’ll discuss how to perform a Security Risk Assessment via a simple supplied rubric, and how to consider this within the greater scope of Data Management.
Inherent Risks in BYOD
To understand why BYOD has a set of inherent risks, we first need to look at what makes the concept so attractive. We can sum this up in the following bullet points:
- BYOD allows employees to use their own semi-private devices;
- BYOD allows for less strict device management, minimizing feelings of “company property” and replacing them with “communal property”; and
- BYOD allows employees to feel a sense of personal duty and ownership.
These are the three main selling points broken down into their simplest forms. Unfortunately, they are also the three main security threats inherent in the system. Fundamentally speaking, BYOD is a security risk because:
- Blurred Lines - semi-private devices blend personal use with professional use, resulting in higher access permissions between personal and professional resources. This has the effect of reducing your sum-total security to the lowest level of the employee themselves;
- Inefficient End-of-Life Tracking - less strict device management means that you might have difficulty tracking devices, and even if you effectively track them, you face dramatic overhead in doing so at the end-of-life cycle; and
- Lax Culture - personal duty and ownership might result in lax security, as the common feeling of “good enough for me, good enough for work” prevails.
Let’s take a look at each of these points generally speaking.
Security is only as good as the lowest level in a system. This has the unfortunate side effect in the BYOD environment of either enforcing a carte blanche security policy for everyone or in demanding additional security policies for specific systems, such as VPNs and document access.
This is a balancing act, of course - if you enforce a blanket security policy, you might as well not use BYOD at all, and the conversion of personal devices to professional ones might have serious implications. For instance, if you demand a personal device adhere to certain rules and stipulations when used by a contractor, you’re actually doing something that might make them considered an employee, and that has serious tax and legal implications down the line.
On the other hand, if you enforce policies only for specific applications, you’re dramatically increasing your own overhead for management. You not only have to check each device’s security settings, you have to audit to ensure compliance, and train your staff for each individual security change. You’re negating much of the BYOD benefit.
Inefficient End-of-Life Tracking
Data, by and large, is not generally exposed during its lifetime. While breaches do occur, the lion’s share of data breaches happens during the storage phase, and in terms of physical hardware, during the end-of-life phase due to improper data wiping or disposal.
Now imagine that problem, but compounded without direct access to the devices. Let’s say your employee uses an iPhone for personal and professional uses. Now let’s say they want to upgrade. When they take in their phone, the device is wiped, but you have no way to ensure total wiping in compliance with standards and regulations - you just have to trust that Apple Store employee did the right thing and hope for the best.
While this is negated by making policies which enforce certain behaviors, you can’t control every eventuality. Managing the end-of-life for these devices is a problem that can be negated, but many people don’t even bother to consider this as an issue.
This is a huge problem, but it’s one more of philosophy than anything else. Allowing personal devices to be used for business creates a situation where the culture of security may turn lax due to the “good enough” fallacy. Have you ever stopped to consider the security of your text messages? Do you know whether your calls are secure? Do you feel the need to encrypt your music library?
We tend not to think of those things because our phone is on our person, and even if it was lost, we could secure it - we tend not to store vitally important things on our device, and as such, they’re considered to be protected by “good enough” solutions.
The problem here is that those solutions may not be “good enough” for your specific applications. This culture generated by “good enough” can be incredibly harmful, and is something to be cognizant of.
Security Risk Assessment
How, then, should you determine whether your system is secure? The easiest way is to form a checklist. If you fail any of these points in your BYOD policy, you need to address it immediately, as it has serious implications for your Data Management processes:
- You need to have an individual management system. Each phone has a serial number, and these numbers should be tracked and attached to personally identifiable employee data.
- Devices should be secured by a blanket security solution, either through encryption or biometrics. If this is not possible, then devices should be secured remotely, and access should only be allowed via VPN or other tunneling solutions.
- Devices should be, by policy, remotely wipeable at any given moment, and should through practice be erased completely using a solution like ClaraWipe before being sold or recycled.
Data Management Considerations
This is primarily a concern of internal versus external data handling. Fundamentally speaking, data is either internal to the organization, such as internal documentation and files, or external, such as basic web systems and publically editable documents. BYOD presents a unique concern in that internal data can very quickly become external data without being given the precautions as such.
Think of it like this - outside, it’s raining. When you go outside, you need an umbrella, and you need to protect your cellphone, but inside, you don’t, because you have a roof. BYOD is a lot like allowing someone to bring your cell phone outside without you around - if it were you, of course you’d put it in a case or something, but instead, someone is just bringing it out, and whether or not they protect it is entirely left up to their understanding and experience.
Keep that analogy in mind - that’s basically what you’re doing in a BYOD situation. A lot of this can and should be mitigated - and in practice, it often is. Don’t rush to adopt a new, shiny standard or solution, and in doing so, destroy your security policy. Only by being aware of these issues and addressing them early on as systemic issues inherent in the concept can you truly secure your data over the long haul.