Bring-your-own-device means all manner of hardware is starting to appear on the network. Eric Doyle argues that there is a safer path
Mobile World Congress (MWC) kicked off today, heralding the dawn of powerful, more-functional smartphones and tablets. The quad-core phones and technology improvements will enable more work to be done on mobile devices than was possible before.
With great power comes great responsibility. The extra horsepower will also improve the effectiveness of Trojans, botnets and all associated malware. No doubt the security firms will have a high profile in Barcelona.
The big talking point at MWC will be bring-your-own-device (BYOD) which most pre-show surveys saw as an inevitable change in the way business equipment is acquired and used. At the same time the various analysts also predicted much wailing and tearing of hair in IT departments assailed by the challenges to be faced.
Greg Day, EMEA security CTO and director of Security Strategy at Symantec, told me BYOD initiatives were adding regulatory issues to the security concerns.
“If an employee uses their own phone, particularly in Europe, it brings up issues of liability,” he said. “If Angry Birds doesn’t work well with a corporate app, who is liable? The user or the IT department? There is also the issue that the IT department in some countries would not be able to inspect any personal data on the phone when trying to fix the problem.”
Ownership is an issue yet to be faced. Although the strategy relates to “your own device”, if it gets damaged during the course of business, who fixes it or pays for a new device? How are business and private use balanced when it comes to bill payment? If the user downloads an app that is riddled with a virus, who carries the can for any damage done?
Not just a nightmare for IT but also a headache for the bean counters.
Maybe we will see CYOD coming into play. Choose-your-own-device would mean that IT could specify which phones would be supported, it could tightly control which apps were sanctioned for use – and erase any offending software. Also, the company would purchase the phone or tablet as a business device, allowing the user to store data but defining what was private data and what was not.
Under current rules, emails, instant messages and SMS may be called in if there is a legal dispute or a Freedom of Information (FoI) issue within a company or government authority. This would pose serious issues of which data can be inspected and what cannot be touched. Separation of the two would have to be organised by IT – another reason why CYOD would be preferable.
Carl Leonard, senior security research manager at Websense Security Labs, said: “Giving employees the choice of a range of handsets also necessitates a security service that can cover all makes and types of company devices, whether tablet or smartphone. Cloud-based threat monitoring and policy enforcement is a must.
“BYOD can come at a cost for many businesses, but as time goes by, it is increasingly one which must be paid for in order to modernise the workforce,” he added.
Into the unknown
Many of the problems have yet to be seen. The threats are in their infancy as miscreants feel around the systems to see where the most valuable exploits might lie. Developing a Trojan may amuse some but the ability to spread these to a significant number of users is fairly limited – and therefore not very profitable. One day someone will crack the challenge of how to create a worm-like virus that can spread through corporate networks or over the airwaves. The growth of Wi-Fi enabled phones brings some interesting possibilities.
Much is said of the value of screening apps before they are made available in an app store. Android’s fairly open and broad spread of apps stores is seen as a weakness that can allow malware in but, to be successful, an app would need to become very popular.
The likely attack vector will be targeted emails, spear phishing as it is known. This is equally effective in any environment because it tricks the user into giving away information about secure systems. It depends on the gullibility of the user and has nothing to do with whether it is an Android device or one based on Apple iOS, RIM’s BlackBerry, Microsoft Windows Phone or any of the other operating systems.
Leonard pointed out: “Most individuals have smartphones these days (that they have purchased with their own cash). Oftentimes, these phones are more advanced and up-to-date than the phones given out by companies, and some employees will want to use their advanced devices to connect to the workplace network.”
This means that, under BYOD, new devices will appear all the time. From a security viewpoint, these are untried and untested. Some employees may buy them from cheap Internet sources of unknown trustworthiness. It is likely we will see poisoned hardware going on sale with built-in malware. The price will look good because the vendor will sell at a loss in the knowledge that they can recoup the loss quite easily afterwards by ripping off the customer.
New devices place IT at the bleeding edge of technology. In the past some companies were comfortable with this, but only a few. It looks like most companies are about to be catapulted into an uncomfortably insecure future.