Mandatory BYOD

Fri 29 June 2012

I was reading a ZDNet article this morning which observed that more and more executives are thinking about making BYOD mandatory. I know that some of my clients are thinking about it, and if you read the article it makes sense, in a certain way - it's less expensive for companies if users come in with their own smartphones and computers; users tend to take better care of their own equipment than of company-provided equipment, and as a result IT departments may benefit from fewer support requests from their users.

I'd like to point out two things, however. First, this statement:

"Companies and agencies are recognizing that individual employees are doing a better job of handling and managing their devices than their harried and overworked IT departments."

I'm sorry... What? I've done IT support for home users and one thing I can tell you for sure is that most people haven't the slightest clue about handling and managing their devices safely. Most home computers I've worked with have had at least one of the following:

  • Had antivirus and firewall software that's not up to date, mostly because the user purchased a subscription license and didn't realize it had to be renewed
  • Been exposed to malware which has been left unchecked. If the user is a fan of illegally downloading software, music, or video of any variety, the exposure is of course much greater. If the household has a family, especially children aged 10 or older, exposure is almost a certainty
  • Been slow or not functional. This boils down to two things: either the machine is completely overloaded with software (crapware, trials and other programs) or the machine is well over its due date -- which means that if the hardware dies, replacing the equipment will be nigh impossible and the chances of recovering data are slim.

Second, I'd like you to consider the findings of the Verizon data breach report. It reports that 10% of all data breaches they've dealt with are physical, and 5% of all data breaches are due to misuse (read: disgruntled employee, abuse of privileges, etc...)*. Can you think of a better environment for data exfiltration than a BYOD environment?

\*: They do go on to indicate that less than 1% of the compromised data comes from misuse. What does this mean? Large companies like LinkedIn, Facebook or Sony PSN have a *lot* of information; when their data is breached, it's typically by the millions. That skews the figures because in comparison the secret formulation of your latest cancer drug is fairly small -- but the value is easily comparable.

BYOD is coming, make no mistake about that. However, my take on this is that as IT policy-makers it is up to us to set the pace and the guidelines for such endeavors; it's not good enough to throw up our hands and say that it's happening anyway. We need to find efficient compromises and, while policy and security are catching up with technical innovation, make sure no one gets hurt.

Happy policy-making,