Bring your own device trend spooks enterprise security folks

Summary: Fifty-eight percent of information technology security and audit pros view employee-owned mobile devices as a security risk to the enterprise, according to a survey.

The ISACA, a security industry group, surveyed 2,765 IT leaders around the world. Of that group, 712 were based in the U.S.

Bring your own device (BYOD) is a key item in the consumerization movement, which dictates that employees will increasingly use their own gear and expect that business software will operate more like consumer tools such as Google and Facebook.

Obviously, security pros aren't on the bandwagon yet. The breakdown goes like this:

  • 58 percent view employee-owned devices as an enterprise security risk;
  • 33 percent say work-supplied devices are a security threat;
  • nevertheless, 27 percent of security pros argue that the benefits of BYOD outweigh the threats.

In a nutshell, the ISACA is arguing that BYOD can bring innovations to the enterprise and cut costs, but there is a risk.

Talkback

21 comments
  • RE: Bring your own device trend spooks enterprise security folks

    Due to corporations' snail's-pace movement toward incorporating these types of devices into the enterprise.
    Bodazapha
    • RE: Bring your own device trend spooks enterprise security folks

      @Larry Dignan: Tell that to your blogger Jason Perlow. His disdain for the BlackBerry has made him proclaim repeatedly that "bring your own device" is the way to go in the enterprise.

      Of course like most of the things Perlow says, he's usually very off reality.
      nomorebs
    • BYOD - No Problem for Cryptoexpress

      Cryptoexpress.com is a SaaS that delivers highly secure, device-to-company-server, encrypted voice and data communications integrated with IPv6 SIP VoIP, SMS, IM, Calendar, Contacts databases etc., and which fully supports all PCs, tablets and smartphones, including RIM. Cryptoexpress is the service that RIM should have developed.
      1000010810
  • RE: Bring your own device trend spooks enterprise security folks

    I thought the percentage would be higher than 58%. We have a strict no BYOD policy. If we didn't issue it to you then you won't put it on our network. It is a safety issue, we do not need confidential files getting into the hands of others.
    LoverockDavidson
    • RE: Bring your own device trend spooks enterprise security folks

      @LoverockDavidson

      I never thought I would agree with LoverockDavidson on anything ;) But you took the words right out of my mouth: once I saw the 58% figure, my first question was, "when will the remaining 42% get a clue?"
      mejohnsn
  • RE: Bring your own device trend spooks enterprise security folks

    Never at all should people be bringing in anything other than corporate assets. They're idiots if they think they could bring in their own devices.

    The risk of corporate espionage/data theft is too great. The risk of malware making its way onto the network is too great.
    The one and only, Cylon Centurion
    • RE: Bring your own device trend spooks enterprise security folks

      @Cylon Centurion Riiiiiight because your internal Network is so secure. Do you work for Sony or Lockheed?
      Bodazapha
      • RE: Bring your own device trend spooks enterprise security folks

        @Bodazapha

        Heh. I don't know who was working for Sony, but they aren't anymore I'm sure.

        Lockheed Martin, though, was able to detect and mitigate that attack almost instantly. It's not fair to group them with Sony. You could substitute Google; after all, they couldn't figure out a way to lock down their networks, considering how many boast of their engineers' brightness.

        Maybe Sony should hire some of those Lockheed IT folks. Kudos to them for doing a bang up job protecting their assets.
        The one and only, Cylon Centurion
    • RE: Bring your own device trend spooks enterprise security folks

      @Cylon Centurion
      NAC, Citrix gateway. Employee-owned devices: no problem.
      tiderulz
  • RE: Bring your own device trend spooks enterprise security folks

    Blah. Enterprise, Corporations, Computers, All a waste of time
    X41
  • RE: Bring your own device trend spooks enterprise security folks

    How many of those users have a clue about securing their device... bigger question... how many even care! ... and you want personal and confidential info on those devices... if the security IQ of the folks I work with is any indication of the overall... all I can say is caveat actor...
    wayoutinva
  • Enterprise IT spooks ME

    @wayoutinva My experience is that someone with their own device probably knows more than the "enterprise security folks". :-) I remember a meeting with the CIO of a billion-dollar US retailer who fired a shot at an internal software idea I was pitching (I wasn't working in IT but made my own software demo) because it would temporarily store some purchase order data on a local user's PC and that would be a security risk. I didn't want to embarrass him by pointing out that the supply chain user (who was technically under him, as he was also VP of Supply Chain) spends a large part of the day looking up bills of lading on carriers' websites, which come across as scanned images. Internet Explorer caches all of those images on the hard drive, so the user's drive is already full of purchasing data. :-) On top of that, the existing system prints out bill of lading data for all freight claims whether we need them or not (one of the things my program sought to fix). All the ones that aren't used get dumped in a recycle bin, which everyone on the floor reaches into for scrap paper because only the legal department is allowed Post-it notes (!). Visiting salespeople also dip their hands in for paper, as the bin is just outside a conference room. At that time the building was rented and an outside cleaning crew came in at night to clean, all of whom could simply walk off with the papers in the bin. But my program, which required a password to access the database and a password to access the computer and which only temporarily cached information (which I could do encrypted), was a security risk according to the CIO. :-)

    I won't even get into the CEO's underling, a Director with a six-figure salary and alleged MBA (somehow obtained while getting his bachelor's, which is nonsensical), who wanted to avoid getting permission for my program at all by SECRETLY replacing the existing in-house program with my own and making its output look identical (down to the errors on the existing report, of which I was the only one who ever noticed/cared). He even tried offering suggestions about what I could say if we were caught. Not surprisingly, I declined this idea and the idea of creating an intentionally buggy program, and a few months later after working there for just under six months.

    These and other experiences make me laugh when I hear about "enterprise security folks" (and stuff like Sony doesn't surprise me at all, except that it doesn't happen more often). Our IT was so bad (and remember, at that time we had over 680 stores, over a billion in cash and no debt, etc.) that our department had a network share we used to share spreadsheets and such with each other RUN OUT OF SPACE (that's like a corporate accountant letting a check bounce). When I tried to find out what was going to happen, I was told IT "didn't know" what they were going to do. After a week, they apparently conferred with my 35-year-old idiot Director, who somehow barely knew how to turn a computer on (his own words), and they had this idea: revoke access to the shared drive for those who DON'T regularly use it. Upon hearing this, I repeated it slowly for my director to be sure I heard right. I had. I repeated it even slower to be sure he understood it. He did. Yes, they were going to reduce use of the drive by preventing people who DON'T USE IT from using it. Hmmm... Of course, a day later a colleague wanted me to check out his spreadsheet, which was on our shared drive, and I kindly informed him that I no longer had access to the *department's* shared drive. That made the whole point of a department shared drive useless, so I guess in that case they did accomplish something. I was at the end of my rope there, and in an uncharacteristic outburst during a department meeting, when I brought up the drive and was told, two weeks on, that IT still "hadn't decided what they were going to do", I offered to walk to the Best Buy three blocks down the street, buy a $60 hard drive, come back and show IT how to install a new drive, which was met with glares and silence from my Director.

    "33 percent say work-supplied devices are a security threat" sums up things nicely. That's 33 percent of IT folk who don't feel up to the challenge of their job and doubt they can do it adequately. This reminds me of the early '90s as a part-time employee of a community college. When they first set up Internet access, I was floored when I was told that it was going to be for *faculty and staff only* and no students would be allowed access; in fact, unless they were taking a programming course, students didn't even have access to our mainframe (yes, an antique VAX, and the school taught COBOL, bless 'em). One full-time employee who'd been there for quite some time had the honesty to privately tell me, as I explained that this was the only college I'd ever seen to have a policy like this, "The IT staff is deathly afraid that some 19-year-old will get on the system, hack it, and none of them will be able to do a thing about it. They're afraid they'll get shown up by a kid and all get fired." Makes sense when the guy who got the top job did it because he had a master's degree, which was a requirement. Of course, it was in BIOLOGY. Yes, if we had real bugs he could help; computer bugs, not so much. I was once tutoring a kid in C programming and his program was really wrong, and I asked him who helped him with it earlier, as I thought one of our tutors had gone rogue or something. He described the man who had helped him, and yes, it was my boss, the MS in Biology head of campus IT.

    Sorry, but my experience has taught me that someone with their own devices might very well be ahead of the enterprise IT security folks in skill and knowledge.
    jgm2
    • RE: Bring your own device trend spooks enterprise security folks

      @jgm@...

      Wow, are you kidding? Someone who can now play Angry Birds on a tablet is smarter than your IT security person?

      You have obviously never worked in IT, let alone security, but the biggest danger is the idiot with the device first, then the device, then a lack of a coherent policy on the network.

      It is the idiots who are approving purchases of phones and tablets without understanding how they will (or won't) work on the network who are the danger, plain and simple.
      omdguy
      • RE: Bring your own device trend spooks enterprise security folks

        @omdguy Not any more. I walked out after six months.

        Please don't tell me I've never worked in IT. I've done tech support, networking, written commercial software in use at Fortune 1000 firms, etc. In the 80s I was in a college internship program at age 14, putting on a tie and working at a multinational in IT during the summers.

        You apparently didn't read anything I wrote past the first sentence. The idiots with the devices can very well be the IT folks... like the one that told me my Windows desktop couldn't be changed to make the task bar auto-hiding "for security reasons". Or the brain trust who spearheaded developing a "dashboard" for a billion-dollar retailer but didn't want to spend any money, so decided to have just one employee develop it from scratch and use Access 97 to do it. They ended up with something that was so slow they have to pre-compute a lot of the data on another machine, which they do once a month in an undocumented process (unless the one person who knows how to do it is on vacation). That means the "dashboard" data can be up to 30 days or more out of date. I told the poor developer when he was done, "That's not a dashboard; it's a rearview mirror!"

        I've watched firms send three tech workers at $80 an hour each to a client. I explain to the tech people I need a record layout of one of the client's systems' outputs so I can make it work with the software I'm developing for their client. Reply: "I don't know what you mean." I explain what a record layout is and they go back and forth about changing the client's existing system to "whatever I come up with" in terms of data format. I explain it's insane for them to modify the existing system rather than make my program compatible, as it hasn't been written yet. We go back and forth for days, and after two straight weeks I'm still getting "I'm not sure what you want". I have my boss talk to the CEO, the CEO has them sent to his office, calls them The Three Stooges and has security escort them from the building with orders to have them arrested if they ever show up again. They bring in one regular guy who has a record layout for me by lunch. I don't know if the CEO paid them their collective $240 an hour, though.

        Another major manufacturing firm had "a guy from the loading dock" handling their PCs when their main IT guy was sick. One Director of another major manufacturer (their products are in every hardware store in the country) distrusted his IT people so much that he once called up the consulting firm I was working for (which was doing work for him) and said, "My IT people explained to me why we had a service outage today. Now I wanted to call you guys to learn what really happened." :-)

        I'm sticking with my original premise: that competence in IT is as rare as it is in any other field nowadays, which is pretty rare indeed. :-)
        jgm2
    • RE: Bring your own device trend spooks enterprise security folks

      @jgm@...
      couldn't agree more
      cym104
    • RE: Bring your own device trend spooks enterprise security folks

      @jgm@...
      What you stated shows that IT is no different than any other department. Bad management breeds bad decisions everywhere. Too many times I've seen IT security being run by people with no clue about the technology they are monitoring.
      harrim47
    • RE: Bring your own device trend spooks enterprise security folks

      @jgm@...

      You obviously haven't had the same experiences I have.

      Oh, sure, there are truly incompetent people who have managed to use their winning personalities and no shortage of misrepresentations to end up in positions of authority; I certainly have met plenty of them. But... you're giving the average person far too much credit. I've cleaned the same malware off of the same person's machine three weeks in a row after (get this) they repeatedly disabled their antimalware software because it wouldn't let them download their "TV show." This was after having explained to them that disabling their antivirus software was, in general, a *bad* thing to do and that there was *no way* that, even "highly compressed", their show was going to be 200K in size. This is not an isolated incident. I've been doing this work for a very long time and have seen this type of thing time and time again. No, overall the professionals I've worked with in the industry have been far more competent with their technology than those left to "their own devices."

      I've also seen more than one person use the "This is more secure than that, and you allow that" argument without fully understanding the differences between the two practices, the attack surfaces in question and the risks presented by each. The case you describe sounds pretty straightforward, but please don't categorize IT security professionals as being incompetent enough as a group as to make the statistics meaningless. There are plenty of us out here who are quite skilled and who would *never* open their network up to the horrors of the average user's personal equipment.

      Personally, I think that (short of Citrix and VMware type solutions, which isn't really what I feel the question is about) it's the industry professionals who support this idea as a money saver who are not really thinking it through. After the support issues are accounted for, there will be no money saved in most environments.
      YetiChick
  • RE: Bring your own device trend spooks enterprise security folks

    It is a threat without a doubt (the number should be higher), but the threat should be mitigated. Turn off Exchange ActiveSync if you are using it and use a secure app like Good, Afaria or its ilk to prevent access to your corporate data.

    You can't hide from these devices and you can't let them run amok either. Don't stick your head in the sand; tackle this and in the end make your users productive and secure.
    ploco9
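An added example, not from the article or from ploco9: a PowerShell function for the Exchange Management Shell that reports which mailboxes are still reachable over Exchange ActiveSync and, only when run with -Enforce, disables the protocol for them so that mobile access has to go through a sanctioned container app instead. Get-CASMailbox, Set-CASMailbox and Get-DistributionGroupMember are real Exchange cmdlets; the function name and the 'EAS-Approved' exemption group are assumptions.

```powershell
# Added example (not the article's or commenter's code): audit, then optionally
# disable, Exchange ActiveSync per mailbox. Assumes the Exchange Management Shell.
# Function name and the default exemption-group name are assumptions.
function Invoke-EasExposureAudit {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Group whose members are allowed to keep ActiveSync (assumed name).
        [string]$ExemptGroup = 'EAS-Approved',
        # Without -Enforce the function only reports; nothing is changed.
        [switch]$Enforce
    )

    # Build a lookup of exempt users keyed by lower-cased primary SMTP address.
    $exempt = @{}
    Get-DistributionGroupMember -Identity $ExemptGroup -ResultSize Unlimited |
        ForEach-Object {
            if ($_.PrimarySmtpAddress) {
                $exempt[$_.PrimarySmtpAddress.ToString().ToLower()] = $true
            }
        }

    # Every mailbox with ActiveSync on that is not on the exemption list.
    $exposed = Get-CASMailbox -ResultSize Unlimited |
        Where-Object {
            $_.ActiveSyncEnabled -and
            -not $exempt.ContainsKey($_.PrimarySmtpAddress.ToString().ToLower())
        }

    foreach ($mbx in $exposed) {
        $action = 'ReportOnly'
        # ShouldProcess honours -WhatIf / -Confirm so the change can be rehearsed.
        if ($Enforce -and $PSCmdlet.ShouldProcess($mbx.PrimarySmtpAddress, 'Disable ActiveSync')) {
            Set-CASMailbox -Identity $mbx.Identity -ActiveSyncEnabled $false
            $action = 'Disabled'
        }
        # Emit one record per mailbox so the run can be piped to Export-Csv as evidence.
        [pscustomobject]@{
            Mailbox           = $mbx.PrimarySmtpAddress.ToString()
            ActiveSyncEnabled = $mbx.ActiveSyncEnabled
            Action            = $action
        }
    }
}

# Typical sequence: report, dry-run the enforcement, then enforce.
# Invoke-EasExposureAudit | Format-Table -AutoSize
# Invoke-EasExposureAudit -Enforce -WhatIf
# Invoke-EasExposureAudit -Enforce | Export-Csv eas-audit.csv -NoTypeInformation
```

Run the report first and populate the exemption group before enforcing, since disabling ActiveSync cuts off every device that syncs mail for that mailbox, not only the employee-owned ones.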
  • RE: Bring your own device trend spooks enterprise security folks

    Our high school network is by definition open to any malware a curious teenager might download at home and bring in with him/her. Our intranet assets are as vulnerable as any on the Internet. Fortunately for both the Internet and our intranet, there are adequately effective standard defences. BYOD doesn't make things any worse.
    PassingWind