At the Virus Bulletin conference this past September in Dallas, Righard Zwienenberg from ESET gave a presentation entitled BYOD. BYOD stands for Bring Your Own Device, but he reframed the acronym to “Bring Your Own Destruction”, that is, he alluded to the security implications of bringing your own device.
BYOD is the latest trend sweeping business and schools. More and more people are bringing their own personal devices from home and using them for business. Rather than companies issuing people laptops, they let people use their personal machines from home – machines such as tablets and smart phones. They then use their devices to access the corporate network and access corporate data. But while more and more people are using their own devices in the workplace, only 25% are aware of the security risks. And it is this lack of awareness that spells potential destruction for the enterprise.
Bring your own device from home has many advantages:
- Size – Your own smart phone and tablet are small and lightweight. They are easy to carry and to transport. No one likes carrying around a heavy laptop and the trend is to go smaller.
- Battery life – Most devices have a battery that lasts an entire workday. How long would my laptop last on battery alone? Maybe a couple of hours.
- Cost – Devices are cheaper than laptops. Some employers may even get away with pushing the cost onto employees (we’ll let you use your own device, and we can spend the money elsewhere).
- Easy adaptation – Consumers are familiar with their devices and can customize them to their liking.
However, it’s not all fun and games with BYOD. There are some serious drawbacks as well:
- Content management – Most devices have a proprietary OS. How are they supposed to connect to your corporate network and take advantage of everything?
- Updates – There is no standard mechanism for issuing updates. At work, Microsoft IT forces me to install security updates every so often. They couldn’t do that for my iPhone (if I had one), which means that they lose control of patching vulnerabilities.
- Difficult to protect – Because devices are non-standard, outbound traffic is hard to monitor (data leakage, outbound spam, etc.).
- No multi-tasking – Devices are great, but working on multiple things at once on them is very difficult.
- Plug-ins – Plug-ins that the corporation relies on are often not supported on these devices.
- Interchangeability – Applications for different devices are frequently not interchangeable (e.g., text editors).
- Physical security – Smaller devices are easier to steal and easier to conceal (under a thief’s clothing) because of their size.
Given all this, what can we do? Should we allow BYOD on the work floor, or in any professional environment for that matter? The first part of that question is whether or not we can actually stop it. Secondly, even if you could, would you even want to? Banning these things is unrealistic; the USB drive is ubiquitous and difficult to police even if you do warn employees of the security risks. There is simply too much foreign media and too many options.
No, trying to stop the tidal wave of BYOD is not a winning strategy.
It’s impossible for a corporate security team to know about all the features of new OS’es, new firmware upgrades, security patches, and so forth. But software companies are coming up with ways to improve security. For example, Windows 8 includes “Windows To Go”, which allows a corporation to create a full corporate environment by booting from a USB drive. All of the corporate standards can be on that USB key. It can also have security extras: if the USB key is removed, the device freezes within 60 seconds. Furthermore, it can be protected with BitLocker.
So what should you do?
- Acceptance – We need to accept that BYOD is here to stay. But because of this, companies must institute a form of device control. Instead of BYOD, how about C(hoose)YOD? Just select the devices that you can manage, that allow corporate protection to be installed, and that receive updates.
- Use a form of device control – With BYOD, you always run the risk of losing the device, but if the data is encrypted, the worst case is that all you have lost is the device. Device control restricts which ports are available, avoids data leakage, and monitors which files are exported to portable media.
And that’s what I learned about BYOD(evice|estruction) at Virus Bulletin 2012.