Such questions are becoming more and more common as we see company after company suffering security breaches. In 2012 at the RSA Conference in San Francisco, a panel of five top security experts addressed this issue. The first question they were asked was, “can we stop data breaches, really?” The answer from all 5 panel members was, “no”. However, they did make a few observations. Larry Ponemon (Ponemon Institute) noted that most severe data breaches are inside jobs. Others noted, “it’s like the war on drugs. We can stop some problems, but the issue is getting bigger and we’re getting worse at stopping it”. And, “one of the concerns employees have about BYOD (Bring Your Own Device) is that the company can confiscate the device. It’s not a mild concern. They’re appalled. They’re reluctant to let the corporation put any sort of agent on their personal device. It’s a major challenge.”
All of this can be reduced to a few key points. First, employees and their browsing habits are responsible for most data breaches. A Check Point sponsored survey of 768 IT professionals from the United States, Canada, United Kingdom, Germany, and Japan found that 72% say careless employees are a greater security threat than hackers. Second, despite this finding, employees don’t really like the idea of companies trying to control the devices that they, the employees, are asked to provide. There is, indeed, a disconnect between how employers and employees see BYOD. In several of the groups I am associated with, employers see themselves as doing employees a favor by allowing them to use their own devices to access the company network. On the other hand, employees see it as an infringement on their privacy when companies tell them that they must allow the company to control certain aspects of their smartphone or tablet use. What’s more, even when employees agree to their activity being restricted, they may resent it and find ways to circumvent it. Those employees who sympathize with the company’s position still may not take security training seriously, and may forget or brush aside instructions on how to be a more responsible employee when using the network.
Yes, there seems to be a blind rush into BYOD at the moment and, until more and more security issues make headlines, this rush will continue for the next few years. Slowly, a different strategy will emerge when companies realize that they must exert more control over employee mobile devices. To gain such control, they will ultimately need to either supply tablets or smartphones to their employees or agree to pay a certain amount to subsidize employee phone bills. But will this really solve the problem?
When students in the Los Angeles School District were given tablets, one of the first things they did was to break into the ‘protected’ administration files. There are, no doubt, a number of employees who will figure out a way to circumvent company policies or MDM (Mobile Device Management) restrictions. This will remain a problem as long as a company has enterprising, tech-savvy employees. This being the case, company networks will continue to be exposed to malware and cybercriminals by irresponsible employee browsing habits. When the dust settles, companies will find that they are in the same position that they were when they had BYOD policies. The question in the title of this article will, therefore, remain unanswered.
To be up front about this, I am associated with InZero Systems, a company that believes that the only solution to this dilemma is to separate private use from the company network at the hardware level. InZero developed the WorkPlay Tablet, which separates one tablet into two by running two separate operating systems, thus demonstrating that careless employee activity cannot compromise company data. Employees thereby have the freedom they want, and the company has its security. To be as objective about this as possible, I can defer to a test of the architecture by Cygnacom Solutions, an independent testing lab, which confirmed that the “introduction of malware in one zone does not impact the other because they do not have any shared resources.”
Of course, if a tablet is lost or stolen, the company must have the right to remotely wipe or kill a tablet. Someone getting a tablet in this way would still be able to use traditional hacking techniques to gain control of the corporate side of the tablet, so all efforts must be made to make it inaccessible. The unethical employee would still be a problem. All employees must be made to understand that the work zone must be treated as private property. If you let someone come on your land, you have the right to tell them what they can and cannot do. In terms of the WorkPlay Tablet, once the employee enters the work zone, the gloves are off. All employee actions can be monitored. Copying and pasting can be locked down, browsing can be disabled or strictly controlled and so on. This will not stop an unscrupulous employee from using pen and paper to copy documents, or from giving their password to those who want access to the network.
The above serves the purpose of giving as objective an account of the InZero solution as possible in order to contrast it with possible software solutions. I have made every effort to find one software solution that has not been compromised in some way, from the iPad to the cloud. Solutions involving virtualization and encryption have been circumvented. Though there is a flight to the cloud, many companies don’t feel comfortable handing over control of private data to another company to manage.
So has the problem mentioned in the title been solved? In my opinion, yes, it has. I challenge anyone to present a better solution and, in fact, I would welcome it.