BYOD: User Policy Considerations
Questions and key points companies should consider when establishing BYOD policies.
An article at Computerworld ponders whether or not bring your own device (BYOD) is giving the "inmates in the asylum" all the control.
BYOD is a security risk for companies, one that is going to get talked about a lot now that technology has made sure we never ever have to be disconnected from our jobs. A recent Harris Interactive Poll found that more than 50 percent of employees use portable devices to take sensitive information outside the company walls. Now those portable devices include not only smartphones and tablets, but also laptops and flash drives. The vast majority of companies allow employees to use those devices and have an encryption policy for those devices, the poll found, but only 34 percent actually enforce those policies on personal devices (and just 35 percent for company-owned devices).
Another survey, done by SolarWinds and Network World, isn't any more promising. Of the 400 IT professionals interviewed about BYOD, more than 65 percent said they don't have the necessary tools in place to manage personal devices on the corporate network, and 27 percent said they aren't certain of all the personal devices that are accessing the network.
No wonder it seems like the inmates are running the asylum. It seems like companies are saying, "Here, we trust you to be safe and secure with your device, and we know you won't do anything foolish to compromise the network or corporate data." If you think that not developing and enforcing a BYOD security policy isn't a big deal, you are setting yourself up for a security failure.
Let's face facts: People are careless. Look at the number of forgotten phones and computers at TSA security checkpoints. It baffles me - how can you forget to pick up your phone or computer? And people are nosy. They will look over your shoulder to see what you are working on. And then there are the phone snoops - probably the same people who snoop in your bathroom cupboard. If your phone is sitting on a table or countertop during a social gathering, the phone snoop will casually pick it up and go through your text messages, pictures, email, without thinking twice about it. Someone tried to do that with my phone once, but my phone is password-protected. Too many people don't bother with that simple level of security.
Kevin Vlasich, cryptography and information security specialist at Imation, provided me with a few tips to share with IT professionals on how to better secure the network and company data from the influx of BYOD. Vlasich warns to always assume the following:
1. The worst! Don't hire a penetration tester. Save your money and assume "they" will get in - 75 percent of organizations have suffered data loss from negligent or malicious insiders!
2. Employees will use their personal devices on the corporate network, even if they are told not to. More than 50 percent of employees use portable devices to take confidential data out of their companies every day.
3. That your employees value convenience more than security. If a security policy is overly cumbersome or inconvenient, employees will find a way around it. Don't underestimate the ingenuity of employees looking to circumvent procedures that slow them down.
4. That flash drives will be lost and IT will never know: Losing a $10 flash drive can be even worse than losing a laptop. Stolen or lost laptops are reported; $10 flash drives are quietly replaced. Use encrypted flash drives or don't use them at all - right now only 35 percent of companies enforce data encryption on company-issued devices.
5. That an organization's first and last defense against a security breach is its own employees. Training employees on good security practices offers the most bang for the buck. Everyone should learn how to recognize phishing attacks and fake anti-virus software advertisements - if it looks too good to be true, it really is.