BYOD: Bring Your Own Danger?

Graham Cluley, April 29, 2014

Computer security veteran Graham Cluley is speaking this week at the InfoSec show in London on the VASCO Data Security booth. Below he talks about the BYOD (Bring Your Own Device) security challenges posed by workers using their personally-owned devices for business purposes.

In the old days, it was easy.

The IT team at your company had complete control over what software and hardware was used on its network, and could count the points of entry into that network. There was email, there were floppy disks and CD-ROMs, there was web browsing.

Companies were like a fortified medieval castle or city from ancient times - they could guard the drawbridge, drawing it entirely up if they felt threatened, and there was little chance of an attack sneaking in from an unexpected direction. They just had to be careful not to be duped by a large wooden horse being left outside the front door!

Workers didn't bring their own devices into the office back then because, well... they either simply weren't easily portable or couldn't match the ability of their work desktop PC. So you were unlikely to encounter users connecting their own devices into the company network.

Little did IT teams realise just how much of a headache was around the corner.

Because now it's very different.

Smartphones and tablets proliferate amongst consumers, and provide much of the same functionality as desktop and laptop computers. Reliable and fast internet connectivity means that individuals can access the net from just about anywhere, and users are choosing to stay connected with their work at the office, at home, and everywhere in between.

Indeed, many people feel like they've lost a limb if they don't know where their smartphone is. The modern worker, rightly or wrongly, is always connected.

Phones are, frankly, no longer phones. They are sophisticated computing devices which can access corporate email and data, and on which users can install any of millions of different apps.

This isn't necessarily an entirely bad thing of course.

For instance, it can't be ignored that if staff use their own smartphones, tablets and cloud accounts for work purposes, the company's capital expenditure and IT expenses go down. That's going to be attractive to many firms in the current economy.

But more importantly, you want your staff to be happy and loyal. If they have a device or piece of software which they genuinely believe makes them more effective workers then that will put a smile on their face, and should be a boon to productivity. Indeed, a flexible attitude to BYOD in your enterprise might even make recruitment easier.

And don't forget, a strict ban on all devices doesn't actually stop your staff from bringing them into the office. It just means that some of your employees will sneak their smartphones, tablets and unauthorised apps in despite whatever policy you have put in place.

We shouldn't be naive, however. Many IT departments do have genuine and reasonable concerns about BYOD.

For instance, how well will personally-owned devices be secured by staff, when so many people have easy-to-guess passwords or reuse the same password in multiple places? Malware and phishing attacks designed to steal usernames and passwords are common, but your staff may be at greater risk at their home or on the road than in the safety of your office.

How can stretched IT departments expect to support a wide variety of devices? Their jobs are hard enough without having to try to support multiple versions of multiple operating systems on multiple different types of hardware from different vendors.

How can users - logging into company systems and accessing corporate systems remotely from their own uncontrolled devices and applications - be authenticated, and prove they are who they say they are?

And, it must be remembered, the threat isn't just posed by your staff. You may also have partners and contractors entering your office, or working with your systems, who have their own corporate standards and ideas about what devices and services to use, and how they should be secured.

What's unfortunate is that the issue of BYOD often ends up in a battle: company versus employee.

Companies are concerned about security, about controlling what is happening on their network and how their data is being accessed, and about productivity. Employees, meanwhile, are looking for functionality, more flexibility in how they complete their work, and - yes, albeit lagging a little further behind in their priorities - security as well.

If we're going to make the world a more secure place, we're going to have to bring these two sides closer together - as BYOD isn't going to go away. There may not be a magic bullet that guarantees 100% security and can convincingly promise to stop a determined hacker dead in his tracks, but technology can help manage the risk to acceptable levels.

And that's what modern IT security is all about these days. It's not about building an impregnable castle, and eliminating all risk. It's about managing risk and doing what you can to make your staff part of the security solution, rather than people working against it.

Graham Cluley is an award-winning security blogger, researcher and public speaker.  He has been working in the computer security industry since the early 1990s, having been employed by companies such as Sophos, McAfee and Dr Solomon's.  He has given talks about computer security for some of the