The poor old IT department, if there were ever an Olympic sport where you could count the moments between suggesting that technology could change the world and then having it bite you on the backside by an unruly mob, well, they’d be gold medallists.
Naturally, an IT team is predisposed to focus on the challenges and risks that a BYOD culture can bring, which is not a bad thing. In the IT world, BYOD makes the world a more complex place rather than a simpler one. A fixed desktop located on an internal network is always going to be simpler to deploy, easier to manage, easier to secure and much easier to monitor. The risks can be easily identified and mitigated.
The problem with Browsers
With a few exceptions, the main browsers tend to be Chrome, Internet Explorer, Firefox & Safari. The problem arises when every user’s personal device needs its browser software up to date. Take your fixed, standardised, controlled infrastructure away and it’s not quite as easy. Some applications will simply not work on older browser versions or even with specific browsers. The quality of user experience may be compromised if the right browser is not selected. It can be a fickle, inconsistent way of working.
More importantly, not keeping a browser up to date may expose security flaws that place the device and its content at risk. Many have learned that particular lesson the hard way.
Our old nemesis ‘Malware and spyware infection’
The natural by-product of an increasing tech savvy world is that the bad guys are getting smarter and the users are more ‘click-happy’, particularly on mobile devices.
Users are seldom intentionally malicious, although clearly it happens. However it is often more a case of due diligence when time is a constraint. Not all will adopt sensible security protocols to ensure they are free of Trojans and other malicious autobots that might be hiding within what, at the time, looked like a cool free widget or an article containing a part of Kim Kardashian that broke the internet.
In 2013, a study by Alcatel-lucent in 2013 estimated that 11.6 million devices were infected; a number that is simply likely to grow. The fastest growing infection rates was on Android with Windows and Android being the primary operating systems likely to be targeted.
In Wi-Fi we (Don’t) trust
All mobile devices will invariably hop on and off Wi-Fi with reasonable regularity. The bandwidth and access point will play a role in mitigating the risk of contamination. Using unsecured hotspots increases the risk, not only to the user but potentially the corporate network. The bad guys are smart and unsecure access channels are a happy hunting ground. An experiment by Jonny Milliken, Valerio Selis and Professor Alan Marshall proved that an airborne virus could be transmitted via WiFi from router to router and hence from one device to another. The attempts to access precious data are unrelenting on the increase.
Even on-premise WiFi can be problematic. The strength of any WiFi and available bandwidth may well dictate how usable a commercial application is on any given mobile device. It should be remembered that not all devices have the same capabilities when it comes to transmission and reception.
The mechanism of accessing corporate applications, network and resources requires a method of authenticating that the user is who they say they are. Inadequate mechanisms open the door to abuse.
It may not immediately spring to mind, but a business cannot control the peccadillos of its employees. A personal laptop that has been used for social activities that cross legal boundaries is one that can compromise the integrity of the business and all that could entail. Reputation is as much a protected treasure as any other business asset, as is consumer confidence in who they are buying from.
The most precious asset of any organisation is data. Sales prospects, agreements, policies, goals, strategies, Financial Information, Shareholder reports, whatever information an organisation has must be kept secure. The ramifications of data loss can be severe. A user’s device can compromise data in a variety of ways and not just from pernicious access. How much and where on a device is corporate data going to reside? What degree of sensitive data can be trusted to be on a specific users’ device? What about access codes? Is a user storing key account details in plain text somewhere? What happens if a device is lost or stolen, can data leakage truly be prevented?
If the device belongs to a user, do they have complete administration rights over their device? The owner tends to know how to use their device and how to change configurations. One potentially damaging scenario is if a user decides to jailbreak their own device so they can access areas that companies like Apple would rather they did not. Android also has its challenges, although not exactly open source, it naturally lends itself to modification and user changes, given its Linux roots. There is an ever-growing community that seeks to either legitimately change code or simply break it because it can be broken and compromised.
What a user downloads onto their own device is by and large a matter for them. Some applications however, particularly apps for smartphones and tablets, can interfere with commercial applications. There is no way that an IT department can track and recommend, from the hundreds of thousands of apps available, which ones are suitable or which could cause cross-application contamination i.e. result in sub-optimal performance or use.
No matter what technology is used, there is no way of avoiding simple stupidity or oversight by human beings. A human interface is a flawed one simply because we make mistakes and because the users own their devices; mistakes will inevitably happen. Human error will always be the one true constant why there is no such state as 100% secure.
From an IT standpoint, BYOD presents a raft of obstacles. They are challenges that can be met but the solutions are not fool proof and an element of risk will always remain.