Gartner’s recent webinar presented research that puts BYOD (Bring Your Own Device) security in a new light. The Gartner presenter, Dionisio Zumerle, began the webinar by defining BYOD from a security point of view: “The practice of deliberately breaching enterprise security by putting sensitive data on an unknown, uncontrolled, untrusted, unmanaged device.” In other words, for IT departments BYOD means nothing but trouble and hard work. Zumerle’s point was that if companies go ahead with BYOD plans, they will have to rethink their current approach to security.
First, consider the ‘D’ in BYOD. If you really let employees bring the device of their choice, you, as a company, will have to manage all of them. Zumerle pointed out that it is not simply a matter of managing, for example, Android devices, because each Android version has its own peculiarities that the IT team must handle. This keeps IT staff permanently on the back foot: they have to react to new devices and operating systems as they come on the market, so there is always a gap between the moment a user acquires a device and the moment security controls are in place for it. Gartner’s research found two reactions to this dilemma. Some companies throw up their hands and let employees access company data from any device they want, hoping that nothing bad will happen; others refuse to allow such access and stick with their traditional network setup. The second strategy has an implication of its own: employees will use their mobile devices to access the company network whether they are allowed to or not. In fact, about 50% of employees say that their employer either does not know they are accessing the network with their own devices or simply has no policy to control it. Would they tell their employer if their device had been compromised? Almost 60% said they were either not sure or would not report such a breach, and even where a BYOD policy existed, about one-third would still not report one.
Such results show that BYOD has to be managed if security is to improve. Zumerle pointed out, however, that MDM (Mobile Device Management) does not guarantee security. Security is a dynamic process in which vulnerabilities are exposed over time; IT departments have to discover their network’s weak points as they go along and then shore them up. Rather than seeing this as a negative, Zumerle argues it must be seen as the only way to increase security, and companies should treat it as an opportunity to improve. Unfortunately, as he pointed out, customers will not see it this way: they will always blame the company for a breach.
Zumerle ended the presentation with a few recommendations. Companies must find a way to protect data without managing devices, and they must accept that BYOD carries risk if they want to get a handle on proper device management.
Many will not be happy to hear that risk is an inherent part of any BYOD policy. Most companies simply cannot afford to treat a major breach as an opportunity; such a breach could just as easily bring down the company or organization. At InZero Systems, we favor a COPE (Corporate Owned, Personally Enabled) policy. I asked Zumerle what he thought of such a policy. He admitted that it is easier to manage one device that the company controls, but stated that the momentum towards BYOD is entrenched in corporate minds (see my post on this dilemma). Since the WorkPlay Tablet separates one tablet into a work zone and a play zone at the hardware level, an employee is free to act as irresponsibly as they want in their personal zone without any impact on corporate data. For companies uncomfortable with the inherent risk involved in BYOD, this tablet is a viable solution.