To BYOD or Not BYOD? Let Your Risk Decide

Before the iPhone came to town, BlackBerry was all the rage. No one had smartphones, but all the cool people had a BlackBerry. Technology evolved, it was soon out with the old and in with the new, and that shift gave rise to BYOD programs and the problems that come with them.

Considering the financial, legal and security factors that come into play with BYOD, deciding whether to allow employees to do work on their personal devices isn’t an easy task. With the inherent lack of control and visibility into personally owned devices, organizations are wondering whether issuing company-owned devices might be the more secure option.

Security, though, isn’t always the deciding factor. As with most investments, cost often drives the final decision. Enabling BYOD can be more cost-effective for companies, making it a financing issue rather than an information security issue, said John Carnes, CISSP, an information security architect who spoke on background.

“They can put corporate email on your phone, give you a few bucks in a stipend, and everybody is happy,” said Carnes. It all sounds fine, but there are also legal complications with a BYOD program.

Though the cost savings of BYOD can be real, it has to be carefully and properly managed. “It’s important to factor in the security friction that an anti-BYOD stance can cause—and that can be disastrous for security in the long run, as frustrated users often find workarounds that expose the corporate data to additional risks,” warned Dr. Richard Ford, chief scientist, Forcepoint.

Who Owns the Assets?

Research published by Clutch found that employees use personal devices for routine, daily work activities. Among those surveyed who use a personal device for work, 86 percent check their email and 67 percent access shared company documents.

According to the research, 64 percent of employees use their personal devices to conduct work transactions, indicating that BYOD has blurred the lines between personal and professional life, with corporate and personal assets commingling in the same digital spaces.

With corporate-owned devices, though, asset ownership is clearly defined. As an employee, if I don’t turn in my phone at end of my employment, the company can come after me. That’s not the case with BYOD.

The Limitations of Control in BYOD

An additional challenge to enabling BYOD is the question of whether employees are keeping up with technology. “You have to ensure that people are keeping devices up to date. What happens when the iPhone 4 doesn’t take the next security patch or the Android phone doesn’t have the newest security update? What is your policy and how do you manage that when it’s an employee owned device?” Carnes said.

According to industry experts, BYOD as a strategy is effectively impossible to fully secure. Speaking on background, Erik von Geldern, CISSP, said that because individually owned devices (of any kind) are specifically used for personal matters unrelated to business function, they are exposed to the full threat landscape of the internet and must at all times be considered compromised by a business.

“BYOD must assume that individuals exercise good internet hygiene and have not engaged in any behavior that would lead to a compromised device,” von Geldern said.

In contrast, when a business issues a fully controlled device to a user, it can be controlled with the same level of scrutiny as an internally controlled asset. “DLP solutions, web filtering solutions, multifactor authentication solutions, etc., can all be enforced. Without these controls in place, you cannot assert that the data on the device is well-secured,” he noted.

Security Solutions for BYOD

Some BYOD solutions offer “containerized” functionality, where allowed resources exist only inside of a heavily secured application on an individually owned device, von Geldern said. “While this strategy may be acceptable for very limited use, it may allow an attacker that had compromised a device to observe and/or acquire sensitive information from the device. Controls do exist in this context that check for certain requirements for the container to open, but a compromised device could certainly falsify the responses to these checks.”

Ultimately, deciding which security controls are best comes down to risk. Depending on the organization, it may be appropriate to allow certain tasks to be completed within a BYOD context. More sensitive tasks, von Geldern said, should be considered carefully before allowing them out to that extent.

While Carnes said that he can’t say universally that every company should not adopt a BYOD program, he did say that the decision begins with analyzing the risk in the company to decide if BYOD is worth it.

“I would say for the most part it is a risk-based approach. Companies that are doing it are driving hard from a finance perspective, but if you look at the financial implications from a risk perspective, there are huge factors that can play into making companies understand that the risk is not necessarily worth it,” he said.

Thinking Ahead

If we were to fast forward our calendars by only a few years, we’d likely be looking at drastic changes in the way we interact with our mobile devices as the result of increased 5G connectivity.

The demand from users to be able to access their data whenever and however they want will be even greater, which will challenge companies to make sure they are protecting the vast amounts of data they own.

“These desires are going to exist in tension until we see improved solutions in the device space—perhaps secure device partitioning, for example, that gives the user a personal space and a controlled corporate space too,” said Ford.

The containerization of mobile is definitely a space to watch, and continued advancements in technology will most certainly make for an interesting ride.

Kacy Zurkus


Prior to joining RSA Conference as a Content Strategist, Kacy Zurkus was a cybersecurity and InfoSec freelance writer as well as a content producer for Reed Exhibition's security portfolio. Zurkus was a regular contributor to Dark Reading, Infosecurity Magazine, Security Boulevard and IBM's Security Intelligence. She has also contributed to several industry publications, including CSO Online, The Parallax, and K12 Tech Decisions. During her time as a journalist, she covered a variety of security and risk topics and also spoke on a range of cybersecurity topics at conferences and universities, including Secure World and NICE K12 Cybersecurity in Education. Zurkus has nearly 20 years' experience as a high school teacher of English and holds an MFA in Creative Writing from Lesley University (2011). She earned a Master's in Education from University of Massachusetts (1999) and a BA in English from Regis College (1996). In addition, she has also spoken on a range of cybersecurity topics at conferences and universities, including SecureWorld Denver and the University of Southern California.
