“Everyone wants to be connected,” Eric Montague says. “But some companies don’t allow employees to bring their devices to work.” He pauses, as though to let the full horror of the device-less workplace sink in. “Those companies don’t have happy employees.”
The BYOD (bring your own device) issue gives IT managers and internet security contractors plenty to fret over. Montague, being the latter, has a lot to say on the subject. His firm, Executech, offers a suite of IT services. Including those involving data security. “Ninety-five percent of the data breaches we see involve BYOD,” he says. “And most of them are totally well-meaning employees who don’t know they’re doing anything wrong.”
Montague has isolated the core of the BYOD dilemma: people are so plugged in that they go almost catatonic if you take their smartphones and other devices away. In a competitive labor market , you’d better have some pretty sweet perks to compensate for the deprivation.
On the other hand, BYOD workplaces open up a lawless cyber-frontier. Nobody has a handle on the Wild West of crisscrossing data streams, malware, sensitive information, remote access, phishing and compromised devices—it’s too much, too complex, even for IT professionals to contain.
Illustration by Bryan Beach
Gregg Frohman thinks we shouldn’t necessarily try to contain it. “In the past,” he explains, “you set a perimeter, and you didn’t let anything get inside. Like a castle.”
Frohman is with Eastwind Networks, a Utah SaaS firm providing breach-detection products. He explains the enemy is probably already within the gates. “Sure, you can still have your castle”—corporate firewalls, in his analogy, standing in for walls of stone—“but you don’t know what malware your employees are bringing into the system every day.”
Frohman’s approach involves active monitoring. Picture a busy city. You could drop a security perimeter around the outside, but that would cost a lot. It would also stifle the very activities that make the city, well, the city. A better strategy would be to have lots of cameras. Now, imagine that these cameras are so sophisticated they can read body language and tell who has malicious intentions. They alert police, who can apprehend the would-be perpetrator.
OK, forget about the ethical and legal implications, because my analogy has reached its useful limit. The point is, breach-detection software is really good at spotting malware. And the malware has no way of detecting that it is being detected. Therefore, the security professional can watch malicious software or human hackers in real time. And counteract them.
Because cyber-intrusion can be extremely subtle—the average time between break-in and detection, according to Frohman, is 260 days—IT security folks struggle to stay abreast. The criminals, often, keep several steps ahead of the good guys and gals. Eastwinds aims to correct the asymmetric relationship. By taking away cybercriminals’ greatest weapon, secrecy, Eastwinds’s breach detection software levels the playing field.
A human firewall
Corporate cyber security is also about social engineering, says Jake Hiller, who owns Intelitechs, another Utah IT contractor. Like Montague, Hiller deals with BYOD security issues daily.
“Employees need to be trained. They need to understand proper IT vigilance.” In addition to a rigorous set of security protocols, people need to be less trusting, he says. “Train the user to be a human firewall.”
Hiller recommends such measures as good antivirus software on all devices, password rotation, a robust training regimen for all employees and strict legal policies crafted around an organization’s specific security risks.
He also recommends that a company require full hard drive encryption and remote wipe software on all personal devices—managed and administered by the company’s IT department or outside security contractor. “That way, if someone loses an iPhone with passwords or other sensitive data, the security department wipes it clean.” If devices are fully encrypted with a service such as BitLocker, he says, “a thief can steal a laptop, but can’t access a thing. Unless he has the encryption key.”
BYOD debates tend to center around smartphones. These most ubiquitous of devices aren’t any more or less secure than, say, laptop computers, according to Pete Ashdown. The CEO of XMission, a Utah broadband provider, says that “smartphones are responsible for the majority of security breaches simply because they are the most prevalent device that enters and leaves the workplace.”
MDM (mobile device management) solutions take an approach similar to that advocated by Jake Hiller: install software on a smartphone that enables a central authority to keep it secure. Or try to, at least. In the BYOD era, dozens of MDM companies have proliferated, jostling to emerge as the leader in a growing market. MDM software, essentially, allows an administrator to push specific security measures through to private devices. The administrator can alter the security measures to keep pace with the organization’s changing BYOD policies.
And finally, the administrator can monitor whether employees are following BYOD protocol and take corrective action. Indeed, some MDM systems emphasize the surveillance aspect—monitoring how employees use their devices. If all of this sounds a bit Big Brother-ish, well, it is. Most people, however, don’t bat an eye. Forced to choose between being intruded on or being unplugged, almost all choose the former.
Containerization, however, has come to the rescue, resolving—at least conceptually—the tension between personal privacy and corporate liability. It’s based on a simple idea: keep personal data and corporate data entirely separate—while they occupy the same device, mobile or otherwise.
Imagine a secure container inside of a much larger, not-so-secure area. That larger area is your device. The container is the area of your device that is allowed to access a corporate network. Big Brother no longer needs to creep through your entire device. Just the corporate container. Given a worst-case scenario that necessitates a data wipe, the administrator can wipe only the container and leave the rest of your device intact.
Does containerization work? Yes … and no. Containers must be purchased and deployed from third-party vendors. And, of course, each container has its benefits and drawbacks. Compatibility issues arise, such as unexpected complications between phone hardware, container and corporate data systems. The novelty and sophistication of containers practically guarantee the need for a professional security firm to administer them.
Aside from these downsides, however, containerization shows considerable promise. Perhaps container solutions will become increasingly viable over time as they develop further.
There is no clear panacea for BYOD security liabilities short of banning personal devices entirely. Is the choice, then, one of draconian edict or absolute vulnerability? Not necessarily. Employers loath to bring down the hammer can take heart.
Each organization will have its own vulnerability profile based on a number of factors. These range from the type of data it stores and the sensitivity of that data to the number of employees, the resources of the organization and other particulars. If a company can accurately gauge its vulnerabilities, it can deploy some combination of Hiller’s social engineering, software security solutions and top-down policy enforcement.
Getting employees to buy into a security program goes a long way. An organization can explain to employees that the alternative is to relinquish their devices while at work, and that the security measures actually benefit them. Employees that stand behind a corporate security plan are employees that can act as that human firewall.
Corporate risks get riskier. People grow ever more attached to their electronic appendages. Hackers become bolder. The world spins on. And, hopefully, in the complexity of it all, each organization finds the right balance. And continues to adjust.