As we ended last week, Android fans seemed to take the notification that an obscure U.S. government department was looking at Android phones to mean that the President was going to switch to Android. This seemed unlikely, however. The level of testing that the BlackBerry had gone though and passed for this very secure duty was well beyond anything an Android device had yet completed, and some doubt remained that Android could complete it.
This week, as expected, the office of the President indicated that it was not only not switching, it wasn’t even looking to switch, suggesting that even should the office start the process, any resulting decision would likely be months if not years in the future and then the decision would still have to favor Android. In recent testing, while iOS, Android and BlackBerry QNX all had risks, the QNX risks appeared to be to embedded systems and not phones, and for smartphone security, the platform was unmatched.
So, effectively, this was a non-event. However, it still pulled a lot of ink because of the cloud surrounding BlackBerry and a growing Android fan base that is struggling to deal with Android security problems. Given the focus on security and the number of government-financed attacks by everyone from the NSA to China, it would seem ill advised to switch to a less secure platform.
This appears to be the downside of BYOD. Perhaps IT should consider that there are bigger risks than angering employees or executives who want to use their favorite device for work.
Increasingly, we are getting all our communications over a smartphone, whether we are doctors, financial analysts, government officials or executives. The kinds of communications include protected information about patents, financial information about trades, confidential government programs and material deals that can move stock. The result of leaks can be everything from embarrassing reports to criminal investigations, depending on the size and scope of the leak. At the very least, a lost, stolen or compromised phone can provide enough information so that the thief or their employer could steal the identity of the phone owner and trick others into providing information that was for their eyes only and protected, as noted above.
Take against that risk the need to have the latest smartphone so that the user can impress more people, play more games, or run that one personal app that they can’t live without and there is a clear imbalance toward stupid. I mean, seriously, when are any of those things even under consideration when the future health and security of the company are at risk? This is where the BYOD initiative breaks. Yes, on its face (particularly if the employee is buying the device), it appears cheaper. But the risk that the device could materially compromise the company is already incredibly high and it isn’t decreasing. On the contrary, even security companies like McAfee are restructuring products to address threats that didn’t even exist a few years ago, suggesting this is no time to play ostrich, or Sgt. Schultz, and pretend we didn’t see anything.
Wrapping Up: Maybe It’s Time to Reconsider BYOD
Maybe it is time to reconsider BYOD, at least with respect to security, and make sure the devices people are carrying to work actually meet what should be increased standards for security and compliance. Watching the disaster that happened at Target (which cost some IT folks their jobs), and some of the news surrounding stolen and lost laptops, I don’t think this should start and end with smartphones, either. It should include every connected device that employees use to communicate and access company information. And given that Target was penetrated through an unsecure partner, perhaps you should put in place rules that include partners. Then, don’t use those that aren’t in compliance with your security rules or, at least, treat them as you would any other unsecure connected entity and assume they are compromised, thus limiting their access and ability to do damage.
The world is becoming more and more dangerous. Now is far from the time to lay down our security policies and gleefully open the doors, accidentally or on purpose, to our confidential information. Something to think about this week.