Carl Weinschenk spoke to Rich Dakin, the CEO, co-founder and chief security analyst for Coalfire. The company released a survey in August that said BYOD is real, but it often is poorly secured.
The dramatic change in the realm that IT departments oversee, which in a few short years has moved from desktops behind a firewall to ubiquitous mobility, is difficult for both users and IT departments to handle. The problem, said Rich Dakin, is that many organizations have not made the necessary adjustments. He told IT Business Edge blogger Carl Weinschenk that even the most rudimentary security steps often are neglected.
Weinschenk: What did the research find?
Dakin: The most important finding is the reality that personally owned smartphones, laptops and tablets are in the workplace. The first question was: Are you using company or personal laptops? Over 70 percent of respondents said that they were.
I think everyone is coming to grips with the fact that BYOD is really a trend. We found that 16 percent had company-provided laptops or smartphones. I was surprised it was so much. The last time I was aware of anyone issuing any kind of smartphone or tablet was in the BlackBerry days when companies managed a BES server and issued the smartphone. That went with it as a company — phones with an OS that gave IT complete command and control. I was not aware of anyone issuing Android or Apple tablets or iPhones and iPads in this way, but they are.
Weinschenk: How are people using these devices?
Dakin: Email as you would expect was far and away the highest usage. It was above 90 percent usage for personal devices. Second, at 80 percent, were social networks.
So the first two findings were that personal device use is above 80 percent and that the types of usage include very sensitive company email running next to not very beneficial social networks. I read articles that say unsafe and insecure social media now is running side by side with company data. We proved that that’s the case. I don’t think anyone will see that as surprising. That’s confirmation.
Weinschenk: What was surprising?
Dakin: The first thing that was surprising is that some companies are so serious that they are issuing company devices that are hardened. The second thing that is surprising is that recognition of the risks is high but the actions being taken to mitigate that risk are very low.
Weinschenk: Tell me about that second surprise.
Dakin: There’s been enough press and education to tell people that the risk is high and that it is unsafe to use social networks side by side with sensitive company data. We then asked a couple of questions to see if anyone really is focused on mitigating that risk. We found that over 50 percent of devices don’t require passwords, the simplest control. And of those that do require passwords, almost 50 percent say the passwords are not strong enough to really provide protection.
Weinschenk: Is it that IT departments just can’t change fast enough, like the difficulty of adapting to seat belts, though it’s obvious that they make driving safer?
Dakin: I see it as a continuous spectrum in the IT world. It’s a little different than the silliness of driving a ‘69 Corvette without shatterproof glass. It’s a continuum. In IT we go in shifts of tectonic plates … We went from green screens to PCs, from PCs to networks. Then the Internet allowed thin clients. Still another is going mobile and going cloud to serve those mobile devices. We are seeing industry not stepping up to understand how dramatically different the landscape is. The risk management in place for PCs and desktops no longer is adequate.
Risk management programs are not changing with the risks because the change was in a very short period of time and dramatic. It is not a continuum of time. It is very dramatic. We went from no iPhone to everyone has one in 18 months. Enterprises did not act at the same pace that the technology shifted. The speed by which technology changed and the rapid acknowledgement of the types of new risks and threats were not directly and comparatively addressed in risk management programs. Now we see a gap that grew almost overnight from limited risk to very great risk, so companies across the board have to adapt to very new risk profiles.
Weinschenk: And the change opens the enterprise, something that is very foreign to them.
Dakin: It is against everything they know about IT processes. Can you remember back to the days when IT ran batch jobs? I remember the green and white lined paper. You had to answer very correctly and ask politely for IT to print and process your data request. IT then had to come to grips with the fact that there are browsers. We went from batch jobs to browsers. Now we are going into very smart devices that no one has control over. Controlling the infrastructure no longer is the idea. It’s controlling the data.
Weinschenk: Again, it's not just the change, but dramatic nature of that change.
Dakin: It’s operating risk management and security in the post-firewall era. In the last generation, even with Web access, the data was behind firewalls. Most Web browsers were protected by firewalls that could provide security, network monitoring, intrusion protection and other techniques. There were a lot of controls in the infrastructure. Now we have personally owned devices. There are no firewalls.
Weinschenk: So how should IT start dealing with this new environment?
Dakin: At best, mobile device managers need some infrastructure control. Now we are driving organizations to think of what data to make available to which users. We ask: Does the data have to be encrypted? We are much more data-centric. Now we must think of how to put firewalls in front of mobile devices. It is a change to make control mechanisms to be more data-centric.
Weinschenk: What specifically do you advise?
Dakin: We recommend a seven-point program. Step one is to identify all sensitive data. Once that’s done, you must mark how mobile users can access that data. Step two is to establish server-side or cloud-side controls to protect the data. Step three is to require all mobile users to register their devices. Step four is to establish user policies for mobile devices, including the authority to remotely wipe the device. Step five is to review mobile device security to include network access control and a mobile device management solution (and other security tools). Step six is to encrypt sensitive data, and step seven is to audit and assess mobile environments manually.
Weinschenk: Does this all have to be done at once?
Dakin: I would start at the top of the list. You can do them step by step and you will be incrementally safer as you go. You can go all the way through the cycle. Most of the community with specific solutions will see that this is the NIST SP 800-30 approach to risk management. It’s the same framework that security professionals have been very conversant with over the years.
Weinschenk: What is the biggest remaining hurdle?
Dakin: The biggest thing we haven’t worked on, because it’s the biggest wildcard, is how to train users to operate mobile devices safely. It’s not 100 percent control because each of us can determine that we don’t want to operate safely. But the bulk of users, if they know the risks, would probably choose to operate safely.