The rise of employees being allowed to ‘Bring Your Own’ (BYO) device into the workplace is a major set-back for information security. However, this development is being led by senior managers who are largely ignorant to the risks.
Who is to blame, and how bad is this situation?
A couple of years ago, the idea that employees might be encouraged to bring their own computing devices into the organisation, and use them for work, would have been considered a crazy idea – and a big backward step for information security.
However, a recent study by ISACA members shows that 23% of UK businesses are already allowing this. The industry even has a catchy name for it ‘Bring Your Own’ (BYO).
Why is BYO being pushed so strongly. Clearly, the rise of the iPad has played a big role. You only have to walk down a first class rail carriage to see more of these in use by high salary individuals than traditional laptops. Clearly, device manufactures are all for it – giving them a convenient entry into the business market with what was only ever designed as a consumer product. Their concern is sales, not ensuring that security is maintained.
Ian Mann, founder of ECSC, says “Information security professionals all recognise the risks. Devices outside of organisational control are a source of vulnerabilities. They create a route for hackers to obtain confidential information, and this area is likely to be the next big cause of security breaches”.
So, is the answer to ban all employee owned devices? Perhaps not, according to Lucy Sharp of ECSC, “Rather, you need to assess the risks. What access are you giving them, what data may be accessed from (or stored on) these devices.”
As with all technology developments, you need to understand the risks, and develop appropriate controls to allow you to exploit new opportunities without compromising your information security.
Ian Mann, commenting on senior managers says, “The big problem here is one of communication. Security and IT teams find it difficult to challenge the CEO who wants to use their iPad. However, in our experience, if you effectively communicate the risks to management, they make more sensible decisions.”
Paul Lambsdown, Sales Director with ECSC adds, “As with all technology developments, there are potential business benefits – and these cannot be ignored. It is the role of information security to facilitate new developments, whilst protecting critical information.”