William Emmanuel Yu, Ph.D., CISM, CRISC, CISSP, CSSLP
Bring your own device (BYOD) is a growing trend. According to International Data Corporation (IDC), 40 percent of devices at work are personally owned.[1] Understandably, there has been some pushback, much of it from IT administrators, particularly regarding security and cost impact.[2, 3, 4] For example, IBM defined policies blocking applications such as Siri and Dropbox because of potential information leakage and privacy concerns.[5] But when IT managers restrict BYOD liberties, usage is driven underground. In a 2012 study by SkyDox, 60 percent of users use free file-sharing applications and 55 percent of these do not report such usage to their IT departments.[6] VisionCritical also states that 66 percent of young employees (20- to 29-year-olds) will circumvent anti-BYOD rules and 30 percent will install and use their own applications.[7] Whether for work or play, users want to use their own devices and their own applications—whether an organization allows it or not. Thus, it is better for organizations to address this in a structured manner within their overall IT governance context.
In an earlier BYOD era, some organizations allowed employees to bring their own laptops and notebooks to the workplace and/or supported teleworking—allowing employees to bring corporate laptops and notebooks outside the office. Today, with the advent of smartphones (full mobility as opposed to nomadic laptops and notebooks) and cloud computing, additional concerns have emerged that need to be considered.
IT departments and professionals must reassess current actual usage and find a new balance between user preferences, organizational needs and information security requirements. With respect to BYOD, this should be no different. This article details additional BYOD security concerns that emerge when considering greater mobility and third-party cloud computing.
Smartphones and other full-mobility devices, such as tablets, are becoming increasingly pervasive. Given the wide range of choices, greater functionality and potential for improved productivity, users increasingly feel it is their right to use their personal mobile devices at work. However, this usage raises a number of additional concerns that are not usually considered when dealing with BYOD in the context of laptops and notebooks:
The earlier generation of BYOD rules already considered network-based services when they were drafted for laptops and notebooks. In addition, organizations have put in place teleworking rules for employees to bring their equipment home and use these to access network-based assets. However, there are additional considerations when these network services are hosted and controlled by third parties:
The key solution here is to find a balance between what the user wants and what the organization needs. Both users and organizations stand to benefit from BYOD. In many cases, organizations do not even have rules for BYOD.[11] For those that do have BYOD or teleworking rules, many of these rules may be dated, as they were designed for laptops and notebooks. These rules must be updated to cover mobile-specific and third-party cloud-specific considerations. BYOD, in this era of full mobility and cloud computing, can bring benefits to organizations, but they need to establish appropriate security mechanisms grounded in IT governance and manage them well.
[1] Burt, Jeffrey; “BYOD Trend Pressures Corporate Networks,” eWeek.com, 5 September 2011, www.eweek.com/c/a/Mobile-and-Wireless/BYOD-Trend-Puts-Pressure-on-Corporate-Networks-186705/
[2] Stamper, Jason; “BYOD: Bring Your Own Devastation?,” Computer Business Review, 15 August 2012, www.cbronline.com/blogs/technology/byod-bring-your-own-devastation-15082012
[3] Help Net Security, “BYOD Increases Costs for Most Organizations,” www.net-security.org/secworld.php?id=13403
[4] Kidman, Angus; “Ten Unpleasant Truths About BYOD,” Life Hacker, Australia, www.lifehacker.com.au/2012/08/ten-unpleasant-truths-about-byod/
[5] Darrow, Barb; “IBM Stung by BYOD Pitfalls,” Gigaom, 21 May 2012, http://gigaom.com/cloud/ibm-stung-by-byod-pitfalls/
[6] Business Wire, “New Survey Finds Over Half of Employees Use Unauthorized Consumer Based File-Sharing Apps at Work,” 7 June 2012, www.businesswire.com/news/home/20120607005125/en/Survey-Finds-Employees-Unauthorized-Consumer-Based-File-Sharing
[7] Messmer, Ellen; “Young Employees Say BYOD a ‘Right’ Not ‘Privilege’,” Comm Solutions, 19 June 2012, www.commsolutions.com/blog/2012/06/young-employees-say-byod-a-right-not-privilege/
[8] Bricking occurs when the firmware or BIOS has been corrupted or when hardware has been improperly installed; it renders the device unable to boot. Urban Dictionary, www.urbandictionary.com/define.php?term=Brick&defid=2189251
[9] Home routing refers to the act of sending the message to an element in the network instead of the message going directly to the subscriber. The concept extends beyond SMS to voice and data traffic. 3GPP, TR 23.840, www.3gpp.org/ftp/Specs/html-info/23840.htm
[10] Op cit, Darrow
[11] Venkatraman, Archana; “IT Considering BYOD to Bring Flexibility Must Not Forget Mobile Device Management,” blog, TechTarget, 21 August 2012, http://virtualdatacentre.blogs.techtarget.co.uk/2012/08/21/it-considering-byod-to-bring-flexibility-must-not-forget-mobile-device-management/
William Emmanuel Yu, Ph.D., CISM, CRISC, CISSP, CSSLP, is the technology vice president at Novare Technologies and a consultant at SMART Communications. Yu is working on next-generation telecommunications services, value-added systems integration and consulting projects focused on fixed-mobile convergence and enterprise mobility applications with mobile network operators and technology providers. He is actively involved in Internet engineering, mobile platforms and information security research. Yu is also a faculty member at the Ateneo de Manila University, Philippines, and the Asian Institute of Management, Manila, Philippines.
The ISACA Journal is published by ISACA.
© 2013 ISACA. All rights reserved.