Just when you thought you had BYOD under control – enter the Life of BYON

An IT manager friend of mine recently reprimanded a young employee for spending up to 80% of his day surfing shopping and music sites from his desktop, a fact that had come to light through the web filter, firewall and bandwidth logs. Duly warned, and with the web filters having been tightened, the employee went back to 'work'. Several weeks later a new notebook PC appeared on the employee’s desk, which also seemed to consume most of his attention throughout the day.
A quick check of the network showed no new systems on the network, so perhaps it was being used offline? Maybe so, if it wasn't for the fact that our manager then spotted a new wireless connection he hadn't seen before in his wireless connection list. Yes, you guessed it. Having been caught using the company network for his own purposes, our young scallywag had brought his own wireless hot spot to work and was using that to while away his time on YouTube, Facebook and eBay.

Like BYOD before it, the march of Bring-Your-Own-Network (BYON) is happening silently, stealthily and almost completely outside of management control. Nearly all modern smartphones and 3G/4G tablets can be instantly turned into wireless hot spots, allowing the device itself and any other wireless-enabled systems within range to be connected to the web, whether out and about or at the workplace desk.

From an employee’s viewpoint this makes perfect sense. They may have been denied permission to connect their personal devices to the corporate network, or don’t want the hassle of seeking these approvals and have the company install special (MDM) control software on their personal devices. They will be aware that many sites like social media, betting and music download sites (i.e. the very places they want to go) are either blocked, or their use monitored. And besides, their brand new 4G tariff gives them a cool 12Mbps speed with all-you-can-eat data – which is probably not true of the clunky corporate LAN struggling to deliver even a tenth of that; assuming of course the firewall blocking allows you to view or download anything you are remotely interested in.

So what’s the problem with BYON? From a security and capacity perspective you might say, “better them doing it on their kit than mine”, or “at least it’s hardware and software I don’t need to provide support and capacity for”, but you’d be missing the point. Someone spending a large part of their workplace time pursuing personal interests represents a huge hit to productivity and the bottom line once you have enough people doing it, and the bigger issue is that you can’t readily detect, monitor or quantify it. These things also tend to become endemic in the workplace culture and hard to reverse after a very short time.

The situation also drives a coach and horses through any policies you might have regarding improper or illegal material being viewed in the workplace, as it bypasses all of the filters and logs you probably spent a fortune putting in place to prevent exactly that. Furthermore, the assumption that those personal WiFi hot spots are completely air-gapped from the corporate IT is a dangerously weak one. Unless you have a tight lockdown on all your office PCs preventing their connection to unauthorised wireless points, backed up with DLP on everything to ensure files downloaded elsewhere cannot be transferred to any office systems, there is a real risk of bridging the secure enterprise network to insecure private ones at multiple points. Plus, of course, there’s the bigger risk that sensitive data will go the other way, by leaking out through the insecure access point or being carried out on an unprotected personal device.

So what to do about it? First and foremost, check that your security, staff and acceptable use policies are clear and unambiguous regarding the use of BYON and personal wireless hot spots in particular. In the above case of the employee using his own kit to surf the web all day, the BYOD policy written over a year prior made no mention of personal hot spots or their use. Consequently their use had run out of control before the issue came to management’s attention. Next, carry out a business risk assessment involving the key risk stakeholders, including HR, IT and security, to identify the risks in both scenarios of either permitting or banning the use of personal WiFi hot spots. If the organisation opts to allow their use, you’ll need to define the precise what, when and how of their acceptability and then enshrine it in corporate policy. If you opt to ban them, then work out how you are going to detect and respond to the exceptions which will occur. In all cases you’ll need to consider how to prevent any personal network connection, whether allowed or not, from circumventing your entire enterprise security infrastructure.
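The "detect the exceptions" step above can be partly automated from the office PCs themselves. As an added example (not code from the original article), the Python below parses the output of the Windows command `netsh wlan show networks mode=bssid`, compares what each PC can see against an allow-list of approved corporate SSIDs and access-point BSSIDs, and reports two kinds of exception: an SSID that is not on the list at all (the typical personal hot spot) and a corporate SSID being broadcast from an access point that is not on the approved list. The scan text, the SSID names and the BSSID values are all constructed for the example; in practice the allow-list would come from your wireless inventory and the scan from the live command.

```python
import re
import subprocess

# Constructed sample of `netsh wlan show networks mode=bssid` output
# (not a real capture; names and MAC addresses are made up for the example).
SAMPLE_SCAN = """\
Interface name : Wi-Fi
There are 3 networks currently visible.

SSID 1 : CorpWiFi
    Network type            : Infrastructure
    Authentication          : WPA2-Enterprise
    Encryption              : CCMP
    BSSID 1                 : 00:11:22:33:44:01
         Signal             : 82%
         Channel            : 6

SSID 2 : CorpWiFi
    Network type            : Infrastructure
    Authentication          : WPA2-Personal
    Encryption              : CCMP
    BSSID 1                 : 00:11:22:33:44:99
         Signal             : 60%
         Channel            : 11

SSID 3 : Personal Hotspot
    Network type            : Infrastructure
    Authentication          : WPA2-Personal
    Encryption              : CCMP
    BSSID 1                 : 02:aa:bb:cc:dd:ee
         Signal             : 95%
         Channel            : 1
"""

# Assumed allow-list: approved SSID -> set of approved access-point BSSIDs.
# In practice this comes from the wireless inventory, not a literal in the script.
ALLOWED = {"CorpWiFi": {"00:11:22:33:44:01", "00:11:22:33:44:02"}}


def parse_netsh_networks(text):
    """Return a list of {ssid, auth, bssids} dicts from netsh output."""
    networks = []
    current = None
    for line in text.splitlines():
        m = re.match(r"\s*SSID \d+\s*:\s*(.*)$", line)  # "SSID n : name" (not BSSID)
        if m:
            current = {"ssid": m.group(1).strip(), "auth": "", "bssids": []}
            networks.append(current)
            continue
        if current is None:
            continue
        m = re.match(r"\s*Authentication\s*:\s*(.*)$", line)
        if m:
            current["auth"] = m.group(1).strip()
            continue
        m = re.match(r"\s*BSSID \d+\s*:\s*([0-9a-fA-F:]{17})", line)
        if m:
            current["bssids"].append(m.group(1).lower())
    return networks


def find_unauthorised(networks, allowed):
    """Return (ssid, bssid, reason) tuples for networks outside the allow-list."""
    findings = []
    for net in networks:
        ssid = net["ssid"]
        if ssid not in allowed:
            # Unknown network name: the classic personal hot spot case.
            for bssid in net["bssids"] or ["?"]:
                findings.append((ssid, bssid, "unknown SSID (possible personal hotspot)"))
            continue
        for bssid in net["bssids"]:
            if bssid not in allowed[ssid]:
                # Corporate name, but from an access point we do not own.
                findings.append((ssid, bssid, "corporate SSID from unapproved BSSID"))
    return findings


def audit(text=SAMPLE_SCAN, allowed=ALLOWED):
    """Parse a scan and return the exceptions to report to the security team."""
    return find_unauthorised(parse_netsh_networks(text), allowed)


if __name__ == "__main__":
    # Use a live scan on Windows; fall back to the constructed sample elsewhere.
    try:
        scan = subprocess.run(
            ["netsh", "wlan", "show", "networks", "mode=bssid"],
            capture_output=True, text=True, check=True,
        ).stdout
    except (OSError, subprocess.CalledProcessError):
        scan = SAMPLE_SCAN
    for ssid, bssid, reason in audit(scan):
        print(f"{ssid!r} {bssid}: {reason}")
```

Run from a scheduled task or your endpoint management tooling, the output gives you a per-desk, per-day picture of which hot spots are appearing on the office floor, which is exactly the evidence the risk assessment and any policy enforcement will need. The second check (corporate SSID from an unapproved BSSID) goes slightly beyond the article's scenario, but it costs nothing extra once the scan is parsed and catches a personal device configured to impersonate the corporate network name.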

What security measures can IT take to ensure security of enterprise data and does MDM really have a role in security?

"The map is no longer the territory". The 'map' in this case represents the inventory and network diagrams that used to tell IT people where all the systems and endpoints were on their network. The 'territory' on the other hand represents reality, in terms of what's actually out there and connecting in. Prior to the mobile and BYOD explosion the map and the territory were pretty much the same, give or take, but I believe this is no longer the case and is becoming less so every day. The unstoppable trend is that more employees are using their own smartphones and tablets for work, creating an upward surge of consumer mobile devices accessing corporate networks and storing corporate data. Organisations must therefore prepare themselves for a world where the dominant endpoint is not a desktop computer, but a mobile device.

The latest research shows nearly three-quarters of smart-device-owning professionals are using those personal devices to access company data, yet more than three-quarters of organisations are failing to manage that activity effectively. Some time ago I wrote an article entitled 'You can’t protect what you don’t know you’ve got', and this challenge of finding out what, where and how the myriad personal devices are connected, and what amount and value of your corporate data is on them, is the primary question you need to answer before attempting to secure anything.

The definition of what constitutes the "personal cloud" remains an area of intense debate. Most purchasers of popular smartphones will be automatically granted access to a personal cloud like Google or iCloud for backing up and providing extended storage for their device, and this is therefore a good starting point in defining what the personal cloud is, and where some of your corporate data might already be.

MDM is certainly a route to take if BYOD is identified as a growing risk, but where you start depends to what degree BYOD has already been allowed to creep in by stealth. Most devices connect wirelessly and many employees have connected their device to the network by finding out the wireless password. So once you have MDM in place you might consider changing all the wireless passwords to force users off the network before allowing them back on in a more controlled, inventoried and secured way.

Riding the social media wave

Social media has revolutionized both our personal and business lives over the past five years.  We can Tweet crime to our local police station. We can connect with companies on Facebook.  We can conduct extensive research on almost anybody and any company by conducting a Google search and reviewing social media profiles.  We can even arrange flash mobs and a single Tweet written in a few seconds can be read by tens of thousands of people within minutes.

From the beginnings of the humble email address as a unique online identifier, any one of us now has several online identities, complete with photos, employment history and even what we had for breakfast.  These identities persist.  We forget about old ones and set up new ones, whilst at all times this information is in the public domain for seven billion people in the world to hear. Without a doubt, by using social media, you will get heard.

Businesses have struggled to grasp social media and whether it represents a benefit or a risk to the bottom line.  Most early non-adopters of social media simply enforced outright bans, as they just saw social media as employees wasting time during working hours.  The employees simply waited until they got home, none the wiser that what they Tweeted could still bring their employer to its knees.  On the other hand, some businesses that have opened up social media for their employees have ended up in court, as they failed to control what was being said and were held severally liable in libel cases.  Staff have had to be laid off, solicitors involved and public relations restored - no easy or cheap feat.

Either permitting or denying social media to employees in the workplace clearly presents a risk and that’s why all businesses, big and small, need to take action. There are no silver bullets or technological solutions that can stop your employees using social media and disclosing information. The problem can only be solved with a holistic people and process-based approach.

I would recommend at minimum a Social Media Policy and a Security Awareness Programme to help tackle these issues.  Ensure employment contracts are correctly drafted.  Ensure your insurance covers the event of information disclosure and can assist with legal costs in the event of libel or confidentiality breach cases.  If your company does endorse social media, then set up your own Twitter and Facebook accounts so you can interface with employees and present consistent messaging to the outside world via your PR department, and via no other means.  It’s not a tough nut to crack, but you have to raise the security bar of everyone in your organisation to make your Social Media Strategy a success.

The worst you can do is do nothing.  Ride the social media wave and do not fall beneath it.