The BYOD Security Dilemma
March 29, 2012
The Information Security Forum this week released a report titled 'Threat Horizon 2014' that looks at the continued global threat to computer networks, businesses and individuals from cybercrime. But one section of the report also looks at 'Internal Threats', which at first glance would seem like another discussion about malicious insiders who attack the network because they’re disgruntled. In fact, the Internal Threats identified in this report are from new technology that comes into an organization, sometimes presenting security issues its advocates weren’t aware of. A case in point is BYOD.
BYOD, or 'bring your own device', is the situation where employees are allowed to bring their own devices to work and IT allows those devices to access the corporate network; it is also known as Bring Your Own Disaster. But companies need to balance acceptance of consumer-built smartphones and tablets with control of those devices to protect their networks. “Organizations are unlikely to slow their adoption of new technology,” the report states, “[But] along with business benefits come potential vulnerabilities and methods for attack.”
The report looks at a variety of new technologies, including cloud computing, that can create new internal threats to an organization, but Steve Durbin, global vice president of the Information Security Forum (ISF), says BYOD is certainly one of them. The ISF is a UK-based, but worldwide, independent not-for-profit organization that shares research and other advice on security best practices for organizations.
“Consumer devices were never intended to be highly secure,” he says. Durbin cites the example of the Google Android applications marketplace, Android Market, as proof. Google had to add new security controls in February after reports that a high number of applications there turned out to be instruments for delivery of malware to the device.
“I described the Android apps market as Route 1 for any cybercriminal or hacker. That’s where you go,” Durbin says.
“Unless you’ve thought through your BYOD strategy, unless you’ve put in place some real good governance around it and you get your users to sign up to acceptable use policies, there’s very little you can do to enforce some of these things,” he adds.
The management consulting firm Janco Associates recently published a report suggesting a 'BYOD Policy Template' that organizations should consider in order to welcome BYOD into the workplace, but not at the expense of security.