The Risks Are Not Worth the Reward
Android is cool, iPhone is cutting-edge and carrying a tablet is convenient. What’s not so cool, cutting-edge or convenient, however, are data breaches, which, as everyone already knows, lead to millions of dollars in damages year after year. The odd thing about data breaches, though, is that despite the fact that enterprises, SMBs and government agencies are more aware of them, they continue to allow the use of BYOD technologies, which increase the likelihood of a breach occurring. Although no one has come up with a “Moore’s Law” type of equation that demonstrates how data breach risk increases in direct correlation to BYOD, the evidence is clear that it does increase.
How do we know BYOD adoption increases the risk of a breach? Great question. There is an unending chain of headlines, reports and opinions indicating that it does, many based on factual research and on incidents that have occurred. A few of the more recent studies on the topic revealed that nearly half of the organizations allowing employees to connect to their corporate networks via BYOD have experienced a related breach — staggering when you consider the number of breaches that occurred before BYOD hit the market.
Despite the overwhelming risk that BYOD brings, prevailing winds suggest that organizations are convinced they must allow employees to use their own devices to conduct business communications and access data. Whether or not this trend represents a triumph of BYOD providers’ marketing genius or signals that businesses have lost control of the ability to establish basic security rules remains to be determined, although it is probably a combination of both.
Regardless of where an organization stands on the BYOD issue, there are a few basic facts it needs to consider before adoption:
• BYOD has created increased risk exposure that no organization is prepared to handle
• Visibility and monitoring are security essentials that BYOD and MDM can’t provide
• Security-aware organizations do not have to allow BYOD
• You don’t have to trade the promise of sales and productivity for decreased security
Let’s explore these notions further.
BYOD has created increased risk exposure that no organization is prepared to handle
There simply is no way to deal with the risk that BYOD brings. Between Android and iOS alone, there are millions of apps readily available for download, countless numbers of which open up doors in BYOD technologies that hackers and cybercriminals can easily stroll through. Even iOS, long believed to be highly secure, is proving to be vulnerable. As recently as December 2012, researcher Carlos Reventlov identified a vulnerability in Instagram’s iPhone application that could allow an attacker to execute a man-in-the-middle attack on iOS.
Visibility and monitoring are security essentials that BYOD and MDM can’t provide
When it comes to data security, visibility and monitoring are essentials. When it comes to BYOD, even the most advanced MDM solutions cannot provide a comprehensive, granular picture of how employees are accessing and sharing corporate data. Organizations that don’t have visibility into employee activities have no way to determine how, when and where their information is being exposed.
Security-aware organizations do not have to allow BYOD
Any organization that is serious about security does not have to allow BYOD. Most enterprise-class organizations have sophisticated physical security systems that include state-of-the-art surveillance cameras, pin-pad door locks, and ID and access cards. None would allow employees to remove surveillance cameras and replace them with their own, install their own pin-pad locks or issue their own ID cards. In these cases, Bring Your Own Security simply would not work and would never be allowed. The same could be said of BYOD; in the name of security, organizations do not have to allow it.
You don’t have to trade the promise of sales and productivity for decreased security
There is an age-old adage in business: “Nothing happens until somebody sells something.” When it comes to BYOD, organizations need to take a hard look at whether or not the security trade-offs are actually worth the assumed productivity and sales rewards. Organizations that dive deep into this issue will probably discover that sales reps using corporate-issued devices are likely closing as many deals as those who are using BYOD, that they are able to respond to emails as fast on a BlackBerry as they can on an iPhone, and that they can access business applications with efficiency.
At this point in the evolution of consumerized mobile devices and smartphones, security is simply too far behind the curve and cannot provide any real defense against data breaches, data theft and compliance violations. Corporate-issued and controlled devices are able to provide not only security but also the functionality needed to enable secure business communications and access to data and applications. There is simply no reason for an organization committed to security, productivity and sales to take on the risks inherent in BYOD.