Choose Your Own Device Promises A More Secure Future

Mobile World Congress (MWC) kicked off today, heralding the dawn of powerful, more-functional smartphones and tablets. The quad-core phones and technology improvements will enable more work to be done on mobile devices than was possible before.

With great power comes great responsibility. The extra horsepower will also improve the effectiveness of Trojans, botnets and all associated malware. No doubt the security firms will have a high profile in Barcelona.

Divisive future

The big talking point at MWC will be bring-your-own-device (BYOD) which most pre-show surveys saw as an inevitable change in the way business equipment is acquired and used. At the same time the various analysts also predicted much wailing and tearing of hair in IT departments assailed by the challenges to be faced.

Symantec was particularly concerned about the problems of liability – who is responsible when the hardware goes bits up?

Greg Day, EMEA security CTO and director of Security Strategy at Symantec, told me BYOD initiatives were adding regulatory issues to the security concerns.

“If an employee uses their own phone, particularly in Europe, it brings up issues of liability,” he said. “If Angry Birds doesn’t work well with a corporate app, who is liable? The user or the IT department? There is also the issue that the IT department in some countries would not be able to inspect any personal data on the phone when trying to fix the problem.”

Ownership is an issue yet to be faced. Although the strategy relates to “your own device”, if it gets damaged during the course of business, who fixes it or pays for a new device. How is business and private use balanced when it comes to bill payment. If the user downloads an app that is riddled with a virus, who carries the can for any damage done?

Not just a nightmare for IT but also a headache for the bean counters.

Phone pools

Maybe we will see CYOD coming into play. Choose-your-own-device would mean that IT could specify which phones would be supported, it could tightly control which apps were sanctioned for use – and erase any offending software. Also, the company would purchase the phone or tablet as a business device, allowing the user to store data but defining what was private data and what was not.

Under current rules, emails, instant messages and SMS may be called in if there is a legal dispute or a Freedom of Information (FoI) issue within a company or government authority. This would pose serious issues of which data can be inspected and what cannot be touched. Separation of the two would have to be organised by IT – another reason why CYOD would be preferable.

Carl Leonard, senior security research manager at Websense Security Labs, said: “Giving employees the choice of a range of handsets also necessitates a security service that can cover all makes and types of company devices, whether tablet or smartphone. Cloud-based threat monitoring and policy enforcement is a must.

“BYOD can come at a cost for many businesses, but as time goes by, it is increasingly one which must be paid for in order to modernise the workforce,” he added.

Into the unknown

Many of the problems have yet to be seen. The threats are in their infancy as miscreants feel around the systems to see where the most valuable exploits might lie. Developing a Trojan may amuse some but the ability to spread these to a significant number of users is fairly limited – and therefore not very profitable. One day someone will crack the challenge of how to create a worm-like virus that can spread through corporate networks or over the airwaves. The growth of Wi-Fi enabled phones brings some interesting possibilities.

Much is said of the value of screening apps before they are made available in an app store. Android’s fairly open and broad spread of apps stores is seen as a weakness that can allow malware in but, to be successful, an app would need to become very popular.

The likely attack vector will be targeted emails, spear phishing as it is known. This is equally effective in any environment because it tricks the user into giving away information about secure systems. It depends on the gullibility of the user and has nothing to do with whether it is an Android device or one based on Apple iOS, RIM’s BlackBerry, Microsoft Windows Phone or any of the other operating systems.

Leonard pointed out: “Most individuals have smartphones these days (that they have purchased with their own cash). Often times, these phones are more advanced and up-to-date than the phones given out by companies, and some employees will want to use their advanced devices to connect to the workplace network.”

This means that, under BYOD, new devices will appear all the time. From a security viewpoint, these are untried and untested. Some employees may buy them from cheap Internet sources of unknown trustworthiness. It is likely we will see poisoned hardware going on sale with built-in malware. The price will look good because the vendor will sell at a loss in the knowledge that they can recoup the loss quite easily afterwards by ripping off the customer.

New devices places IT at the bleeding edge of technology. In the past some companies were comfortable with this but only a few. It looks like most companies are about to be catapulted into an uncomfortably insecure future.

Eric Doyle, ChannelBiz

Eric is a veteran British tech journalist, currently editing ChannelBiz for NetMediaEurope. With expertise in security, the channel, and Britain's startup culture, through his TechBritannia initiative

View Comments

  • To facilitate BYOD businesses must give employees easy but secure access to the organization's applications from various devices (including iPads, iPhones, Android devices and Chromebooks), while minimizing the intervention required by IT staff. An ideal solution for such a scenario is Ericom AccessNow, a pure HTML5 RDP client that enables remote users to connect to any RDP host, including Terminal Server (RDS Session Host), physical desktops or VDI virtual desktops – and run their applications and desktops in a browser. AccessNow works natively with Chrome, Safari, Internet Explorer (with Chrome Frame plug-in), Firefox and any other browser with HTML5 and WebSockets support.

    AccessNow also provides an optional Secure Gateway component enabling external users to securely connect to internal resources using AccessNow, without requiring a VPN.

    For more info, and to download a demo, visit:
    http://www.ericom.com/html5_rdp_client.asp?URL_ID=708

    Note: I work for Ericom

  • The whole point of BYOD is so that employees get to use the devices they want. CYOD restricts their options and may not be welcome. Providing IT have the tools to enforce a corporate policy then BYOD is workable.

    The problem with most MDM offerings is they focus mainly on management and less on security. The malware threat is sufficiently real to necessitate the roll out of an effective AV tool. The emphasis needs to be on effective tools rather than "any old free AV client". It is easy to test how effective these are.

    The key question then is how many people actually use a fit-for-purpose AV client? A search of forums suggests complacency may be an issue for some of the more popular tablets and smartphones. Furthermore it isn’t helpful when some manufacturers restrict the options in this area.

    In summary, smartphones and tablets will be increasingly easy pickings for malware unless there is a significant change in attitude.

Recent Posts

Marriott Agrees To Pay $52 Million To Settle Data Breaches

To settle US federal and state claims over multiple data breaches, Marriott International agrees $52…

2 days ago

Tesla Shares Drop After Cybercab Unveiling

Mixed reactions as Elon Musk hypes $30,000 'self driving' robotaxi called Cybercab, as well as…

2 days ago

AMD Launches New AI, Server Chips To Expand Nvidia Challenge

AMD unveils new AI and data centre chips as it seeks to improve challenge to…

3 days ago

Chinese Hackers Breach US Wiretap Systems – Report

AT&T and Verizon among US broadband providers reportedly hacked to target American government wiretapping platform

3 days ago