Bring your own device trend spooks enterprise security folks
Summary: Fifty-eight percent of information technology security and audit pros view employee-owned mobile devices as a security risk to the enterprise, according to a survey.
The ISACA, a security industry group, surveyed 2,765 IT leaders around the world. Of that group, 712 were based in the U.S.
Bring your own device (BYOD) is a key item in the consumerization movement, which dictates that employees will increasingly use their own gear and expect that business software will operate more like consumer tools such as Google and Facebook.
Obviously, security pros aren't on the bandwagon yet. The breakdown goes like this:
- 58 percent view employee-owned devices as an enterprise security risk;
- 33 percent say work-supplied devices are a security threat;
- nevertheless, 27 percent of security pros argue that the benefits of BYOD outweigh the threats.
In a nutshell, the ISACA is arguing that BYOD can bring innovations to the enterprise and cut costs, but there is a risk.
Talkback
RE: Bring your own device trend spooks enterprise security folks
Of course like most of the things Perlow says, he's usually very off reality.
BYOD - No Problem for Cryptoexpress
RE: Bring your own device trend spooks enterprise security folks
I never thought I would agree with LoverockDadidson on anything;) But you took the words right out of my mouth: once I saw the 58% figure, my first question was, "when will the remaining 42% get a clue?"
RE: Bring your own device trend spooks enterprise security folks
Heh. I don't know who was working for Sony, but they aren't anymore I'm sure.
Lockheed Martin, though, was able to detect and mitigate that attack almost instantly. It's not fair to group them with Sony. You could substitute Google, after all they couldn't figure out a way to lock down their networks, considering how many boast their engineer's brightness.
Maybe Sony should hire some of those Lockheed IT folks. Kudos to them for doing a bang up job protecting their assets.
RE: Bring your own device trend spooks enterprise security folks
NAC, Citrix gateway. employee owned devices no problem.
RE: Bring your own device trend spooks enterprise security folks
Enterprise IT spooks ME
I won't even get into the CEO's underling, a Director with a 6-figure salary and alleged MBA (somehow obtained while getting his bachelor's, which is nonsensical), who wanted to avoid getting permission for my program at all by SECRETLY replacing the existing in-house program with my own and making its output look identical (down to the errors on the existing report, of which I was the only one who ever noticed/cared). He even tried offering suggestions about what I could say if we were caught. Not surprisingly, I declined this idea and the idea of creating an intentionally buggy program and a few months later after working there for just under six months.
These and other experiences make me laugh when I hear about "enterprise security folks" (and stuff like Sony doesn't surprise me at all except that it doesn't happen more often). Our IT was so bad (and remember at that time we had over 680 stores, over a billion in cash and no debt, etc.) that our department had a network share we used to share spreadsheets and such with each other RUN OUT OF SPACE (that's like a corporate accountant letting a check bounce). When I tried to find out what was going to happen I was told IT "didn't know" what they were going to do. After a week, they apparently conferred with my 35-year-old idiot Director who somehow barely knew how to turn a computer on (his own words) and they had this idea: revoke access to the shared drive for those who DON'T regularly use it. Upon hearing this, I repeated it slowly for my director to be sure I heard right. I had. I repeated it even slower to be sure he understood it. He did. Yes, they were going to reduce use of the drive by preventing people who DON'T USE IT from using it. Hmmm... Of course a day later a colleague wanted me to check out his spreadsheet which was on our shared drive and I kindly informed him that I no longer had access to the *department's* shared drive. That made the whole point of a department shared drive useless, so I guess in that case they did accomplish something. I was at the end of my rope there and in an uncharacteristic outburst during a department meeting when I brought up the drive and was told, two weeks on, that IT still "hadn't decided what they were going to do", I offered to walk to the Best Buy three blocks down the street, buy a $60 hard drive, come back and show IT how to install a new drive, which was met with glares and silence from my Director.
"33 percent say work-supplied devices are a security threat" sums up things nicely. That's 33 percent of IT folk who don't feel up to the challenge of their job and doubt they can do it adequately. This reminds me of the early '90s as a part-time employee of a community college. When they first set up Internet access, I was floored when I was told that it was going to be for *faculty and staff only* and no students would be allowed access - in fact, unless they were taking a programming course, students didn't even have access to our mainframe (yes, an antique VAX, and the school taught Cobol, bless 'em). One full-time employee who'd been there for quite some time had the honesty to privately tell me, as I explained that this was the only college I'd ever seen to have a policy like this, "The IT staff is deathly afraid that some 19-year-old will get on the system, hack it, and none of them will be able to do a thing about it. They're afraid they'll get shown up by a kid and all get fired." Makes sense when the guy who got the top job did it because he had a master's degree, which was a requirement. Of course, it was in BIOLOGY. Yes, if we had real bugs he could help - computer bugs, not so much. I was once tutoring a kid in C programming and his program was really wrong and I asked him who helped him with it earlier, as I thought one of our tutors had gone rogue or something. He described the man who had helped him, and yes, it was my boss, the MS in Biology head of campus IT.
Sorry, but my experience has taught me that someone with their own devices might very well be ahead of the enterprise IT security folks in skill and knowledge.
RE: Bring your own device trend spooks enterprise security folks
Wow, are you kidding? Someone who can now play Angry Birds on a tablet is smarter than your IT security person?
You have obviously never worked in IT, let alone security, but the biggest danger is the idiot with the device first, then the device, then a lack of a coherent policy on the network.
It is the idiots who are approving purchases of phones and tablets without understanding how they will (or won't) work on the network who are the danger, plain and simple.
RE: Bring your own device trend spooks enterprise security folks
Please don't tell me I've never worked in IT. I've done tech support, networking, written commercial software in use at Fortune 1000 firms, etc. In the 80s I was in a college internship program at age 14, putting on a tie and working at a multinational in IT during the summers.
You apparently didn't read anything I wrote past the first sentence. The idiots with the devices can very well be the IT folks... like the one that told me my Windows desktop couldn't be changed to make the task bar auto-hiding "for security reasons". Or the brain-trust who spearheaded developing a "dashboard" for a billion-dollar retailer but didn't want to spend any money so decided to have just one employee develop it from scratch and use Access 97 to do it. They ended up with something that was so slow they have to pre-compute a lot of the data on another machine, which they do once a month in an undocumented process (unless the one person who knows how to do it is on vacation). That means the "dashboard" data can be up to 30 days or more out of date. I told the poor developer when he was done, "That's not a dashboard - it's a rearview mirror!"
I've watched firms send 3 tech workers at $80 an hour each to a client. I explain to the tech people I need a record layout of one of the client's system's outputs so I can make it work with the software I'm developing for their client. Reply: "I don't know what you mean." I explain what a record layout is and they go back and forth about changing the client's existing system to "whatever I come up with" in terms of data format. I explain it's insane for them to modify the existing system rather than make my program compatible as it hasn't been written yet. We go back and forth for days and after two straight weeks I'm still getting "I'm not sure what you want". I have my boss talk to the CEO, the CEO has them sent to his office, calls them The Three Stooges and has security escort them from the building with orders to have them arrested if they ever show up again. They bring in one regular guy who has a record layout for me by lunch. I don't know if the CEO paid them their collective $240 an hour, though.
Another major manufacturing firm had "a guy from the loading dock" handling their PCs when their main IT guy was sick. One Director of another major manufacturer (their products are in every hardware store in the country) distrusted his IT people so much that he once called up the consulting firm I was working for (which was doing work for him) and said, "My IT people explained to me why we had a service outage today. Now I wanted to call you guys to learn what really happened." :-)
I'm sticking with my original premise: that competence in IT is as rare as it is in any other field nowadays, which is pretty rare indeed. :-)
RE: Bring your own device trend spooks enterprise security folks
couldn't agree more
RE: Bring your own device trend spooks enterprise security folks
What you stated shows that IT is no different than any other department. Bad management breeds bad decisions everywhere. Too many times I've seen IT security being run by people with no clue to the technology they are monitoring.
RE: Bring your own device trend spooks enterprise security folks
You obviously haven't had the same experiences I have.
Oh, sure, there are truly incompetent people who have managed to use their winning personalities and no shortage of misrepresentations to end up in positions of authority - I certainly have met plenty of them. But... You're giving the average person far too much credit. I've cleaned the same malware off of the same person's machine three weeks in a row after - get this - they repeatedly disabled their antimalware software because it wouldn't let them download their "TV show." This was after having explained to them that disabling their antivirus software was, in general, a *bad* thing to do and that there was *no way* that even "highly compressed" was their show going to be 200K in size. This is not an isolated incident. I've been doing this work for a very long time and have seen this type of thing time and time again. No, overall the professionals I've worked with in the industry have been far more competent with their technology than those left to "their own devices."
I've also seen more than one person use the "This is more secure than that - and you allow that," argument without fully understanding the differences between the two practices, the attack surfaces in question and the risks presented by each. The case you describe sounds pretty straightforward but please don't categorize IT security professionals as being incompetent enough as a group as to make the statistics meaningless. There are plenty of us out here who are quite skilled and who would *never* open their network up to the horrors of the average user's personal equipment.
Personally, I think that (short of Citrix and VMware type solutions - which isn't really what I feel the question is about) it's the industry professionals who support this idea as a money saver who are not really thinking it through. After the support issues are accounted for, there will be no money saved in most environments.
RE: Bring your own device trend spooks enterprise security folks
You can't hide from these devices and you can't let them run amok either. Don't stick your head in the sand, tackle this and in the end make your users productive and secure.