BYOD – Get that iPad out of the board room (please!)

January 19th, 2012


The BYOD drum seems to be beating in the IT and business worlds. Here are some of my opinions at this point in time. Please remember that I’m specifically talking about staff bringing their own ‘personal’ devices into the workplace to access company systems.

Where did the Bring Your Own Device (BYOD) trend start?

The trend of BYOD really started with mobile phones, particularly smartphones and email. Yes, there were other devices, but generally smartphones started the rise of BYOD, and the iPhone ramped it up faster than ever. Business leaders forced IT teams to allow them to pick up corporate email on devices which could not be secured effectively. Staff would bring in their own phones and want to pick up work and personal email on the same device. They’d also want to connect these devices to the wireless network and plug them into their work machines like USB disks.

The threat landscape was altered dramatically, and we really started to see the ramp-up of Network Access Control (NAC) and endpoint control, particularly around USB ports. It was difficult to secure these devices, and many of those difficulties still remain. If you haven’t got centralised control, you have very little control.

How is the BYOD landscape evolving?

I don’t generally see a huge amount of change – yes, we see iPhones and iPads, but they are still generally used for picking up email and web browsing. I do, however, see a lot of hype from the cloud, security and thin-client markets, but a lot of that is just an attempt to build a movement.

Security and business leaders must balance security against business enablement. However, that is a difficult balance to strike, as no business should be opening itself up to serious security risks. If a member of staff needs a mobile phone or a tablet, then the business should be providing and controlling that device. If the business doesn’t own the device, then it’s difficult to secure it without being restrictive on the personal side.

Why can’t the CEO bring in their iPad?

Do not allow the CEO to bring whatever technology they wish into the corporate network. If they do, then the IT security team should set out in writing clear reasons why that technology puts the business at risk, with a clear space for the CEO to sign acceptance of that risk. It would take a brave and foolish CEO to ignore a written statement of risk backed up by facts. If they sign off on the risk for their own personal benefit over the benefit of the company, then they should be looking for another job anyway.

You must set the example from the top down. Once the CEO sits in a meeting with an iPad or something similar, then that’s it – every Director then needs one, then every manager, and so on. It’s often too easy for IT teams to roll over and play the politics game; if they do, then they are negligent in their duties.

Won’t BYOD save me money?

I can’t see any real way a business will save money by choosing a BYOD strategy. BYOD will typically incur greater IT management, integration, administration and IT security costs – and it should do, because you aren’t going to accept significant risk within your business.

It was only a few years ago that everyone was talking about increasing productivity within the workplace through IT. Can you really do that when everyone is walking around with their own mobile devices hooked up to the internet with a 3G card?

I understand there are always exceptions, but generally, the money-saving case will not stack up under scrutiny.

How to keep secure if you do opt for BYOD

Obviously every environment and business is different, but here are some general, common-sense things to do to keep your environment secure.

  • VPN – If employees are going to connect to the corporate network, especially over Wi-Fi, then you need to be securing those connections via a VPN.
  • Encryption – You should encrypt any device that holds any corporate information, even if it’s just a password.
  • Endpoint Protection – You need to secure the device from web-based threats, viruses and other malware.
  • Firewall – A firewall is essential for any device that connects to the internet outside of the corporate network.
  • Have a clear policy – Make sure you clearly state in writing your policy on consumer devices in the corporate network and on accessing corporate systems remotely. Also, make sure that these policies dovetail into the employment contract.
  • Remote Wipe and Lock – You need to be able to lock and wipe lost or stolen devices remotely.
  • Geo-location tracking – Allows you to track a device anywhere in the world if it’s lost or stolen.
  • 2-factor authentication – Any device that connects to the corporate network, especially remotely, must have 2-factor authentication. It’s too easy to get past single authentication systems.
  • Education – Probably one of the most important things to do. Make sure you educate staff about general IT security and the risks it poses to the business. You’d be surprised how effective IT security training is in reducing risks within a business.
  • External review – Have your plans and environment reviewed by an external security professional.
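Most of the controls in this list are only enforceable if something central can check for them before a device is let in, which is the point made earlier about NAC and centralised control. The following is an added example, not code from the original article or from QuoStar, of how a NAC or MDM compliance gate would encode that checklist: each device presents a posture record, the policy requires management enrolment, encryption, endpoint protection, a host firewall, remote lock/wipe capability and a second authentication factor, and any Wi-Fi or remote connection must arrive through the VPN. The field names, the `byod_allowed` policy switch and the three sample device records are all constructed for the example.

```python
"""Posture-based access decision for corporate and personal devices.

Added example (not the article's or QuoStar's code). It turns the
control checklist above into a compliance gate: a device is admitted
only when every required control is present, and every missing control
is reported so the owner knows what to fix. All field names and sample
records below are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class DevicePosture:
    """What a NAC/MDM agent would report about one device (constructed schema)."""
    device_id: str
    owner: str
    company_owned: bool
    mdm_enrolled: bool          # centrally managed: the precondition for everything else
    disk_encrypted: bool
    endpoint_protection: bool   # anti-malware / web-threat protection present
    firewall_enabled: bool
    remote_wipe_capable: bool   # can be locked and wiped if lost or stolen
    mfa_enrolled: bool          # second factor registered for this user/device
    vpn_connected: bool
    network: str                # "corp-wired", "corp-wifi" or "remote"


@dataclass
class Decision:
    allowed: bool
    reasons: List[str] = field(default_factory=list)


# Control name -> human-readable reason reported when the control is absent.
REQUIRED_CONTROLS = {
    "mdm_enrolled": "not enrolled in central management (MDM)",
    "disk_encrypted": "storage is not encrypted",
    "endpoint_protection": "no endpoint protection installed",
    "firewall_enabled": "host firewall disabled",
    "remote_wipe_capable": "cannot be locked or wiped remotely",
    "mfa_enrolled": "no second authentication factor enrolled",
}

# Any path other than the wired corporate LAN must be tunnelled through the VPN.
VPN_REQUIRED_NETWORKS = {"corp-wifi", "remote"}


def evaluate(device: DevicePosture, byod_allowed: bool = False) -> Decision:
    """Return allow/deny plus every reason for a denial (not just the first)."""
    reasons: List[str] = []

    # Default policy from the article: the business owns the device.
    # A personal device is refused outright unless BYOD is explicitly permitted.
    if not device.company_owned and not byod_allowed:
        reasons.append("personal device; BYOD not permitted by policy")

    for control, reason in REQUIRED_CONTROLS.items():
        if not getattr(device, control):
            reasons.append(reason)

    if device.network in VPN_REQUIRED_NETWORKS and not device.vpn_connected:
        reasons.append(f"{device.network} access without VPN")

    return Decision(allowed=not reasons, reasons=reasons)


def evaluate_fleet(devices: List[DevicePosture], byod_allowed: bool = False) -> Dict[str, Decision]:
    """Evaluate every device and key the results by device id."""
    return {d.device_id: evaluate(d, byod_allowed) for d in devices}


# Constructed sample posture records.
SAMPLE_DEVICES = [
    # Company-owned laptop, fully managed, on the wired LAN: compliant.
    DevicePosture("LAP-0042", "alice", True, True, True, True, True, True, True, False, "corp-wired"),
    # The CEO's personal iPad on the office Wi-Fi: encrypted, but nothing else in place.
    DevicePosture("IPAD-CEO", "ceo", False, False, True, False, False, False, False, False, "corp-wifi"),
    # A personal phone that meets every control and is connecting over the VPN.
    DevicePosture("PHONE-0117", "bob", False, True, True, True, True, True, True, True, "remote"),
]


if __name__ == "__main__":
    for dev_id, decision in evaluate_fleet(SAMPLE_DEVICES, byod_allowed=True).items():
        verdict = "ALLOW" if decision.allowed else "DENY"
        print(f"{dev_id}: {verdict}")
        for reason in decision.reasons:
            print(f"    - {reason}")
```

Run as-is, the managed laptop and the compliant personal phone are admitted while the CEO's iPad is refused with six separate reasons; with `byod_allowed` left at its default of `False`, the phone is refused too, on the single ground that it is not company-owned. Reporting every failed control rather than the first one is deliberate: it gives the device owner the full list of what would need to be in place, and gives the security team the written, fact-based statement of risk the article asks for.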

My opinion in summary

Mobile devices generally make a positive impact on a business. However, the company should own, supply and control the devices. If you want to allow employees some freedom on these devices, then so be it – but don’t take risks. No, we haven’t had a major security breach on major platforms like Apple or Android – but we will. Don’t believe that any device is secure; typically they are not, and you have to put the measures and systems in place to secure them. That’s much easier to do when the business owns the device.

Don’t make any decisions unless you can truly justify a clear business case.

Robert Rutherford, CEO of QuoStar