
Why Your Smartphone Is a Massive Threat to Your Company’s Security



Information security is hard. Complete security is not just virtually implausible–it is pretty close to impossible. Enter BYOD–Bring Your Own Device–and the almost, practically, nearly impossible becomes whatever is worse than that.

The rattle bag of devices–smartphones, tablets and personal computers–people bring to work and use to access the network and an organization’s sensitive data almost guarantees trouble. With so many ways to get “got,” BYOD makes keeping the bad guys out an absurd proposition.

How hard is it to stay safe with so many different devices connecting to a server, you ask? Let’s just say Donald Trump would have an easier time winning the Latino vote in November.

BYOD as BYOB–or Bring Your Own Bomb

Keeping an enterprise safe from data breaches, leaks, hacks and cyber shakedowns is all about gaming the perils posed by unplanned complications–whether they come in the form of malware, spyware, Trojans, worms, or increasingly, ransomware–while creating the most advantageous conditions for employee productivity.

If it weren’t for that pesky issue of productivity, the solution would be simple: a zero BYOD policy. An infosec geek’s sense of the nonessential doesn’t take into consideration the massive uptick in productivity that, for instance, smartphones can facilitate. The reason to ban them in the fictional world where cyber security trumps productivity has to do with threat control. BYOD creates a theoretically endless list of ways a hostile party can attack.

And the fact that a breach or hack can greatly reduce productivity is not a hindrance to the proliferation of BYOD practices. It’s a risk most organizations are willing to take.

Because there is no way for IT to keep up with every single program, app and modification (jailbreaking for instance) an individual employee brings over the cyber moat into what should be the inner sanctum of the castle, most organizations are just one human error away from being completely unprotected.

Smartphones Are a Major Vector

The introduction of an app-laden smartphone is probably the most prevalent form the BYOD threat takes.

There are measures to take. Sandboxing is one of them, a process that involves sending unknown or untrusted apps and other executables to the cloud before bringing them into contact with an organization’s network.

But all of the policing in the world is not going to stop an individual from making a mistake, or worse, from deciding that the people in IT–if the organization even requires BYOD users to check in with IT, which is not always or even often the case–are paranoid and nothing bad will come of downloading a sketchy app that comes from a non-authorized source.

The assumption has to be that bad stuff is coming in through the door. So what now?

Communication Is Crucial

While there is no such thing as a completely secure workplace, more organizations are making sure different departments communicate–legal, IT, technology, information security–to keep cyber defenses as strong as possible.

That said, cyber security at the enterprise level is utterly fallible even when the above scenario is in place, and the more common situation unfortunately is that departments do not communicate well.

Worse, far from being considered an enterprise issue, cyber security is relegated to IT, and it’s not terribly uncommon for IT to shrug their shoulders at the enormity of the BYOD problem.

No bigger mistake exists today.

With more ways to get “got” by the bad guys than ever–be they corporate spies, common crooks or nation states–BYOD adds complications that greatly expand an organization’s attackable surface.

The best approach is to set policies, among them sandboxing, controlling who has access to what, encrypting sensitive data, and demanding that multiple-factor authentication be used to access anything on an organization’s servers.

But more than anything, the 30,000-foot view matters here. Always make the prevention of data loss and every other kind of cyber compromise a top priority, organization-wide, by creating a culture where everyone feels like a stakeholder in the never-ending process of shoring up defenses, catch as catch can, against the marauding forces “out there.”