BYOD: “Bring Your Own Disaster?” Why the corporate dream come true could turn into your worst nightmare

Pierre-Yves Popihn

Bring Your Own Device is the alternative IT strategy that allows authorised users to employ personally selected and purchased devices to access corporate applications. A simple concept – but the devil is in the details.

By Pierre-Yves Popihn, Solution Architect Manager for NTT Com Security

Though a new trend, BYOD has already latched onto the corporate world, and many organisations are eager to test the waters. According to a Dell survey published in early 2014, 93% of the IT decision makers interviewed allowed access to the organisation’s network via personal devices.1 This is not surprising, considering many companies initially cited a diverse set of alleged benefits: improvements in productivity, creativity, communication, employee and customer satisfaction, cost savings and even information security.2 With these upsides, one would think any corporate leader would be stupid not to at least try it out. Then why is BYOD now being termed “Bring Your Own Disaster?”
The bottom line is that BYOD leaves us with unanswered questions – too many, according to Colin Humphreys (Director of Data Center), particularly regarding two issues that would be critically damaging to your business if mishandled.

“It’s an interesting concept that has the potential to change IT in a big way. But so far, it hasn’t been well thought out. When you get down to the details of supporting an IT environment, there’s too much that can’t be predicted, and far too much at stake.” – Colin Humphreys

If you are planning on implementing a BYOD policy in your company, there are a few major things you first need to consider:
1. What information is it that I want employees to be able to access via BYOD?
2. How will I secure it?
3. How will I license it?

Licensing and compliance

Understanding, differentiating, choosing between and finally implementing a variety of software licensing models is a complex undertaking even in a traditional IT environment. It gets worse when virtualised desktops, an influx of mobile devices, alternative application delivery models and BYOD policies are added to the mix.
Licence management vendors have more or less ignored the BYOD trend so far. This makes it difficult for IT leaders to mesh the somewhat behind-the-times, device-focused licensing models with today’s mobile and user-focused environment, given the high costs and challenges of monitoring a larger number of users and devices. As new mobile devices are added to your asset pool, your costs rise and your compliance position is endangered – unless you plan carefully. You’ll need to determine who is using which software on which device and how valuable this usage is to your business. You’ll need to know how to manage the licence requirements of multiple software vendors, and guarantee that you’re following the rules.
You’ll need to decide whose responsibility it is to ensure that software is properly licensed. If you decide that the organisation bears responsibility, will your employees allow their personal devices and software usage to be monitored by the company? According to a recent study, “almost 70 percent of employees in the United States and Europe would stop using their own device for work purposes if they knew their employer could remotely wipe or lock it,” and an additional “83 percent of staff would stop using their own device or still use it with deep concern, if they knew their employer could see what they were doing at all times.”3 Unfortunately, if your company is to properly protect its data and security, it needs this kind of access to employees’ personal gadgets. Additionally, if a wipe is needed, the employee risks losing personal files along with the breached company data. On the other hand, if you decide that the employee should bear responsibility, you’ll have the end user sign a contractual agreement. But what happens when a stranger finds the device, or a family member plays around with it?
Companies have three goals in this area: to remain compliant with licence agreements, to ensure that no more licences than necessary are purchased, and to guarantee that users have access to the software they need. To meet these goals and avoid costly compliance penalties, companies often resort to securing site licences that cover all devices. You’d like to avoid this: if only 60% of the workforce requires a particular software package, you don’t want to pay extra for the remaining 40% to get it as well. Costs may rise even higher depending on the network access method and architecture, the location and type of the device, and the licensing model secured by the organisation. Businesses looking to launch BYOD tend to choose this extremely costly ‘solution’ – or worse, they underestimate the impact of these licensing and compliance concerns and find themselves in a swamp of uncertainty at a later phase.

Data integrity and Resources

With the advent of BYOD comes a flood of the newest mobile devices, of varying models and owned by employees who have varying levels of security awareness and IT literacy. Businesses today are already fighting an uphill battle when it comes to security. A poorly implemented BYOD strategy will lead to lost and/or compromised data, with causes ranging from misuse or loss of the device itself, to the development and deployment of unreliable new enterprise applications, to outside exploitation of architectural, software or network vulnerabilities.
According to Dell’s study, just under half (47%) of companies surveyed were unknowingly leaving themselves exposed to BYOD threats and vulnerabilities. And nearly a quarter (24%) of IT decision-maker respondents believed that misuse of mobile devices and operating systems is the underlying cause of a security breach.1 The problem is that you cannot protect your organisation against threats that you are not aware of, and BYOD opens you up to too many potential threats. When these threats end in a breach, it can potentially cost a company millions or even billions.4 If and when a data breach leads to a lawsuit, IT infrastructure that accommodates BYOD will be forced to stand up to closer, stricter scrutiny. In short, BYOD tends to undermine the effectiveness of even the most impenetrable security measures.
Another issue at hand is company resources: can your system even properly support a BYOD network? Can you afford it? Constructing and maintaining BYOD requires not only the proper IT solution but also highly trained and experienced staff (this usually means three people to provide 24×7 support), both of which cost a substantial amount of money. These individuals require various skills, including “hardware and storage area network management skills, network engineering and virtualization skills.”5 In many of these cases, it is more prudent to outsource to managed services providers who have the knowledge, ability and IT resources to keep your system safe and keep costs from hitting the roof.

Risk Management

There are certain routes your company can take if you do choose a BYOD platform and want to manage the risks. Intel now uses a private cloud through which employees can access company services and information; to mitigate security concerns, access privileges are determined by the user’s device and location. They support over 40 mobile applications – simple but effective ones that allow employees to communicate with each other more easily and quickly, access internal information, approve purchase requests and join audio and video conferences.
Choose Your Own Device (CYOD), or Corporate-Owned Personally Enabled (COPE), systems have become increasingly popular as more BYOD issues have come to light. CYOD is the inverse of BYOD: instead of allowing employees to use their personal devices for corporate work, CYOD offers them a choice of company-owned devices to use on both a corporate and a private level. Employees can pick from a number of models, and since the device is company-owned, it can be wiped or disconnected from the corporate network at any time, giving the company more power over security. To avoid having to pay or reimburse employees for their own devices, the company can use the chosen models as leverage to secure low-cost deals with wireless or data vendors.6 Another positive aspect of choosing CYOD over BYOD is that IT can focus on a smaller range of devices and contracts than if every individual were to bring their own personal gadget.
This may all seem great, but it still does not account for the ‘human factor.’ Individuals will still take these devices out with them wherever they go, leaving their phones or tablets open to be compromised by other factors. What if a family member or stranger gets hold of the device? What if they lose it? What if they upload or download harmful software or applications? What if they use an unsecured Wi-Fi connection at a local café? CYOD is less of a gamble, but there are still risk factors that remain unaccounted for.
Risk management is possible for BYOD, but not to a significant level without serious planning, money, time, research and careful coordination, particularly if you’re looking to minimise your risk by implementing multiple solutions at once. Failing to provide a well-developed BYOD policy could inadvertently lead to “shadow infrastructure”: your employees may circumvent corporate policy in large and small ways, possibly leaving you with even less control over your security position. Additionally, if your solutions are effective but overly restrictive or aggressive, you risk deterring employees from using BYOD at all, rendering the entire exercise futile.

A question of trust

What BYOD really boils down to is responsibility. Who installs the antivirus? Who makes sure systems are updated? Who maintains and fixes the device when things go wrong? Who licenses the software used on the device? Who has ultimate control over the data on the device? When an employee does corporate work on a corporate device, there is no grey area. Bring in BYOD and questions surrounding responsibility arise; the lines begin to blur.
Today’s employees are increasingly IT-literate. But does the average employee in your company know enough to be entrusted with the information security of your organisation – or even an important part of it? And even if they do, how eager are they to protect corporate data to the best of their ability?
On a private phone, tablet or laptop, employees are bound to have extra downloaded applications and software. Unfortunately, this unknowingly (or unconcernedly) exposes not only their personal information to risk, but also that of the organisation if it uses any form of BYOD. According to Will Markham, security practice lead at Colt Enterprise Services, “one of the most common threats comes from employees who download and install unauthorized software, without understanding the potential risks associated with their actions.”7 Furthermore, a recent report by Gartner stated that there was no way for IT to assume responsibility for these devices without them being company-owned.6 It only takes one mobile device to take down a corporation, which is why many organisations are now dropping BYOD as quickly as they picked it up and renaming it “Bring Your Own Disaster.”8
BYOD seemed like the next IT dream, but now that corporations are implementing it, flaws in the system are starting to emerge. The tendency with more comprehensive technology and devices is to assume that security and simplicity are built in; after all, it’s meant to make our lives easier, right? BYOD is not something that you can ‘plug and go’ with; it takes research, understanding, resources and strict regulation. When implemented and managed correctly, it could be a great tool and an asset to a company. But since it is still in its infancy, we haven’t yet worked out all the kinks. With the growing popularity of BYOD, organisations have latched on to the benefits without thinking it through, and were therefore unable to see or adequately prepare for the risks until it was too late.
The BYOD revolution is here, so be careful what you wish for.

More about NTT Com Security (previously Integralis): www.nttcomsecurity.com

  1. Dell Survey: “Protecting the organization against the unknown.” Link: http://software.dell.com/documents/protecting-the-organization-against-the-unknown-whitepaper-27396.pdf
  2. Gartner, Inc.: “Bring Your Own Device: The Facts and the Future.” Links: http://www.gartner.com/newsroom/id/2466615 http://my.gartner.com/portal/server.pt?open=512&objID=256&mode=2&PageID=2350940&ref=clientFriendlyURL&showOriginalFeature=Y&resId=2422315
  3. Eddy, Nathan: “Study: Employees Unaware Of Employers’ BYOD Policies.” Link: http://www.techweekeurope.co.uk/news/byod-policies-140484
  4. Dell, Inc.: “Securing the Enterprise Workspace.” Link: http://i.dell.com/sites/doccontent/business/solutions/whitepapers/en/Documents/dell-security-whitepaper.pdf
  5. Humphreys, Colin
  6. Rossi, Ben: “Taking mobility by the reins: the rise and fall of BYOD.” Link: http://www.information-age.com/technology/mobile-and-networking/123457739/taking-mobility-reins-rise-and-fall-byod
  7. Dell Press Release: “Dell Global Security Survey: Organizations Overlook…” Link: http://www.dell.com/learn/us/en/uscorp1/secure/2014-02-20-dell-global-security-survey
  8. Green, Chloe: “You can’t ignore BYOD and hope it will go away.” Link: http://www.information-age.com/technology/mobile-and-networking/123457542/you-can—t-ignore-byod-and-hope-it-will-go-away

© 2015 Strategies Telecoms & Multimedia