Bring your own BS to work
Bring Your Own Device (or BYOD) is a trend that really started a little more than a couple of years ago, but I have noticed a significant hype in the overuse of the term in 2013. The concept is nice and I agree it does make sense… If you run a small, hipster company and you have long brainstorming sessions with your R&D team at your local Starbucks. The concept of BYOD for the enterprise is absurd, to say the least. And here is why.
First is the most obvious issue of data security. A device that is moved across different networks, particularly network with different security infrastructure and measures, is at risk of having its data compromised. It is just the way it is. In fact, many organisations have restrictive policies for specific users or devices that limit their access to the Internet, or the use of external drives. Also, most enterprises are likely to have minimum hardware and software requirements, as well as policies and procedures in place that render the concept of BYOD unfeasible, unsuitable and unacceptable.
Let’s get one thing straight. With the concept of BYOD the device belongs to the employee, not to the employer. Sure the employer can tell the employee which sites they can or can’t access from their enterprise network; but that’s pretty much it. The employer has no right to dictate to the employees which vendor, model, hardware or software specifications their devices should have. One person might find it perfectly OK to spend over 2,000 Euros on a laptop, while others wouldn’t go over 400 Euros. Also, an employer has no right to tell an employee to buy a Dell over a Toshiba (or vice-versa) as their own personal devices (with their own money), or to tell them to run Windows 8.1 rather than Windows 7, Linux or whatever other OS the owner of the device might fancy. After all, let’s not forget that the owners of those devices are the ultimate administrators of their devices, and they have the ultimate decision and power to do whatever they want with it — and this is out of the control of the enterprise. To pretend otherwise is beyond naïvety. It is foolish. And any attempts to minimise or downplay this fact is reckless.
Also there is the issue of security software, such as anti-malware and anti-virus. The enterprises run Symantec? I don’t care. I run Kaspersky, and you are not telling me what security software I can or cannot run on my laptop. And you certainly can’t tell me what other software or apps I can and cannot install on my device, what hardware I can plug in it or in which networks I can run my device on.
Moreover, let’s consider risk management and our mitigating options for BYOD. In risk management we have the following major strategies to handle risk: Prevention, Probability Reduction, Impact Reduction, Transferal, Contingency and Acceptance. When dealing with devices (i.e. assets) a company has little to no control over, the risk mitigation options are greatly compromised. Prevention is virtually impossible and one might as well ban the concept of BYOD in its entirety. Even if using some sort of sand-boxing, virtualisation or software-as-a-service, data can be compromised, be it by copying cached data or taking screenshots (to name a few methods). Probability reduction is an illusion. An organisation might publish guidelines for BYOD and threaten their employees with disciplinary actions (up to dismissal) if they fail to comply, but good luck with that reactive approach. Transferal doesn’t really apply, at least not to secure data and other intellectual property in a proactive way. Therefore I reckon an enterprise would really be stuck with contingency and acceptance (both reactive approaches). I can sum this thought by saying the following:
The concept of Bring Your On Device (BYOD) imposes great obstructions towards the implementation of proactive mitigation strategies to minimise the risk of security, compliance and governance breaches.
Concerning contractors, sure that organisation could establish in their contracts with 3rd-party professionals their requirements on devices used within their infrastructure. Or could they? For the sake of the argument, let’s put aside any legal considerations for the moment. Even if an organisation managed to subjugate their entire workforce to bring their own devices and bow down to every single absurd policy, there are other forces at play here: standards, specifications, compliance and governance. Iíll end with a provocative statement: I assert that there is no way in hell an ISO 27001 certified organisation could ever implement the concept of BYOD, as it is defiles the fundamental controls of the 27001 norm; no matter the scope of their ISO 27001 implementation. And I am sure there are many other standards that would fail miserably when facing the concept of BYOD.