The personal device at work
More and more employees are opting to use their own personal devices in the workplace, but what does this mean for corporate network security?
BYOD – chief information officers hate the concept, but today’s employees, especially the Generation Y workforce who eat, drink and sleep the Internet, demand it.
In case you’re unfamiliar, the acronym, which stands for “Bring Your Own Device,” refers to the trend of mobile workers bringing their own mobile devices, such as smartphones, laptops and tablets, into the workplace for use and connectivity.
Gone are the days when workplace communication devices were limited to the office phone, desktop or sanctioned smart devices.
Like it or not, many enterprises have opened up their networks for more consumer devices to be plugged into their IT infrastructure.
Gina Tan, South East Asia regional director at networking firm Brocade, said that the company PC is becoming a thing of the past, as businesses increasingly allow, and even encourage, employees to bring their own devices into the workplace and access corporate applications.
This essentially allows application availability at anytime, from anywhere, and will help businesses slash procurement costs, she said.
A recent report commissioned by managed services provider Avanade revealed that globally, enterprises are bracing for the “unstoppable shift in the use of consumer technologies in the workplace.”
The report, titled Dispelling Six Myths of Consumerisation of IT, is based on a survey conducted in 17 countries of more than 600 senior business and IT leaders.
The global report found that 88% of executives have noted that employees are using their own personal computing devices for business purposes.
In the same vein, the latest Mobile Workforce Report from US-based WiFi network provider iPass Inc found that the number of mobile devices coming into corporate networks globally has grown to 3.5 devices, up from 2.7 in 2011.
Experts also agree that BYOD can increase efficiency, as the learning curve is shortened when workers are able to use their own equipment, which they already know how to operate.
Additionally, chances are high that these personal devices are the latest on the market, with better operating systems and processors for faster work processing compared to a company’s usually aging inventory.
BYOD also helps to retain young employees. For many of them, flexible work conditions, social computing and the freedom to use personal devices at work seem to be more important than the pay itself.
Like many of her generation, 25-year-old Suhaila Ghani grew up with the Internet and is totally at home with every sort of electronic device. She demands the freedom to communicate in multiple streams anytime, anywhere and from any device.
The freshly minted graduate chose to join an ICT consulting firm over a higher-paying GLC job because her current employer does not restrict access to social networks or the use of personal technology at the office.
Her attitude is in line with the 2011 Cisco Connected World Technology Report that revealed one in every three college students and young employees believes the Internet is as important as air, water, food, and shelter.
The same report found that two in five respondents said they would accept a lower-paying job that had more flexibility with regard to device choice, social media access, and mobility over a higher-paying job with less flexibility.
Cisco Malaysia managing director Yuri Wahab said that in view of such findings, companies have to be mindful of new rules to attract young talent.
“The pervasive use of social networks and mobile devices in Malaysia is set to drive demand for more flexible work environments among the younger workforce,” he said.
But there are others, like bank employee Yap Meng Yow, 27, who is okay with company-sanctioned desktops because he understands that working in a highly data-sensitive environment means that any data leakage could spell disaster for the company’s reputation and trust among its clients.
Despite the benefits, BYOD is creating serious challenges for businesses. It is more than just shifting ownership of the device to the employee, as there are many complex and hidden implications for which a strategy needs to be defined in advance of implementation.
Many of these technologies were not built with enterprise requirements in mind, so IT management teams often feel uncomfortable about security and support. To them, it is akin to having hundreds of wild devices roaming their networks.
Research In Motion Asia Pacific director of security Jane Lu noted that the paradigm has shifted from co-sponsored devices to BYOD, which has increased the complexity for IT people.
But can they rely on the end-user for security? “The answer is no,” she said. Things that seem like common sense to IT personnel, such as not forwarding your company e-mail to your personal e-mail or storing company data in consumer apps, do not register as security risks with the average end user.
In the age of the application store, the simplest malware vector is the user “accepted” install, Lu said. “Malware-infested apps created by creative hackers could hide sophisticated data farming that collects all sorts of user data without their knowledge,” she said.
Thirty-year-old publishing company staff member El-Faris (not his real name) said he often uses his iPod touch and Android smartphone to connect to his office network to download, install and play games.
Just like most users, he simply glosses over an app’s terms and conditions (like permission to access the phone’s functions or install third-party apps) and usually presses the OK button to carry on with an installation.
He does not have any mobile antivirus software on either device because he believes that Apple’s iOS does not have any viruses.
As for his Android device, he said that there are no important pictures or data on his smartphone that are worth stealing.
This general attitude is reflected in the 2011 Cisco Connected World Technology Report, which revealed that, when it comes to security-related issues in the workplace, seven out of 10 employees admitted to knowingly breaking IT policies on a regular basis, and three in five believe they are not responsible for protecting corporate information and devices.
According to a Juniper Networks Threat Centre report, mobile malware samples increased from 11,138 in 2010 to 28,472 last year.
Another report from security firm F-Secure showed that over the same period Android malware overtook both Pocket PC and Symbian malware to dominate the mobile scene.
“Organisations cannot rely on smart device vendors for security either because there are just too many devices and it is time consuming to address all of them,” Lu said.
Proactive BYOD policy
According to Lu, companies should be proactive in developing an enterprise-wide wireless security strategy when formulating a BYOD policy.
Some of the areas to consider include authentication to the network and to the device; virus and other malware protection; application control; security of connections such as WiFi and Bluetooth on mobile devices; and over-the-air (OTA) device management.
“Also, organisations need to be consistent with their existing enterprise security mandate and focus on corporate data protection as the end goal,” she said.
A Trend Micro-sponsored IDC report, Embracing Consumerisation With Confidence, published last December, also suggested that companies need to think like a consumer to identify the potential risks of consumerisation and educate end users on why certain policies are put in place.
The report also said that there is no one-size-fits-all approach to most IT initiatives, and that consumerisation is no different, so companies need to find the right approach by considering a number of points.
Beyond making choices around device support and liability, organisations need to make decisions about the amount of freedom that they are comfortable giving end users and to find solutions that match that comfort level.
Here to stay
Despite the obvious security concerns, trying to keep employees from using their personal devices at work may seem like fighting a losing battle.
The consensus among experts is that, no matter how companies look at it, there is no denying that the BYOD concept is here to stay.
As the popularity of technology trends like cloud computing, social media, consumerisation of IT and mobility keeps on growing, enterprises have no choice but to adapt to the changes and be proactive in managing the attached security risks.