BYOD and The Moth to the Flame Phenomenon

Moths don’t ask why they are attracted to flames. They simply see them as a source of light; as something irresistible. They are totally unaware of the dangers that lie beneath that attractive surface. In the end, their ignorance is their demise.

The latest Cyberthreat Defense Report by The CyberEdge Group has discovered some interesting trends. Although “Mobile devices (smartphones and tablets) are perceived as IT security’s weakest link” (p.5), 77% of the firms studied plan to have BYOD (Bring Your Own Device) policies in place within the next two years. This attitude persists despite the fact that over 80% of these companies admitted to being successfully attacked during the past year. Furthermore, despite being the victims of inadequate security, only 40% believed they would be successfully attacked in the future. Some would, with justification, refer to such an attitude as ‘being in denial’.

On the surface, a BYOD policy seems to be ideal. Companies would not have to buy computers for their workers. Workers would be free to work from anywhere at any time. Even on vacation, lying on a sandy beach under a palm tree or sitting on a mountaintop, workers could still use their mobile devices to do work. Hence, productivity increases and everyone is happy… at least on the surface.

But here is what actually happens. Your company tells workers that they must or can use their own mobile devices at work. In other words, they can use them to connect to the company network. Unfortunately, at the same time, you’ve just given cybercriminals a number of potential breach points equal to the number of your employees with mobile devices. Eventually, one of these employees will visit a bad website or download malware and, the next thing you know, your company data has been compromised.

But humans are not moths. They have the ability to reason. Some companies will understand that they must manage these devices. They must prohibit certain forms of activity that could cause a security breach. They implement MDM (Mobile Device Management) policies. In so doing, they gain a certain amount of control over these employee devices in order to protect themselves. That should solve the problem, right?

Well, unfortunately, human nature is not as easily managed as mobile devices are. Read any comments on any forum about BYOD and you’ll see a lot of angry employees saying basically the same thing: “First they expect me to buy my own device and then they think they have the right to tell me how to use it.” One thing a company doesn’t need is angry employees with access to important company information. People being what they are, they will try to find ways to circumvent such policies. Use any form of software protection you choose, whether containerization, virtualization, or TrustZone: all have been compromised and will be compromised again. As many writers on the topic have concluded, it is not a matter of if you will be successfully attacked, but when.

However, you cannot logically explain the dangers of flames to a moth. Try as you may, it will head happily towards the flame. The pressure to keep abreast of the latest trends, coupled with the encouragement and promises of security software providers and those who provide MDM services, will lead most companies to embrace BYOD. So, yes, this trend is unstoppable, but, perhaps, the meaning of the acronyms will change. MDM? Mobile Device Mayhem. BYOD? Bring Your Own Demise.
