BYOD - no assumptions please
BYOD Response
Response to:
http://www.techweekeurope.co.uk/comment/the-dangerous-world-of-bring-your-own-devastation-byod-58919#comment-form-box
Mr. Doyle's article, "The Dangerous World of Bring your Own Devastation", is an interesting mix of wake-up call and assumption, and as such poses many more questions than it purports to answer - if indeed it answers anything about data security.
There are, however, a couple of home truths, and these are quite accurate:
The first is that people are lazy and will always take the easiest route, and security can suffer. No one enjoys changing passwords, remembering odd mixes of letters, numbers and symbols etc., and so invariably they do not bother to. Maybe ICT could hold the answer to helping people with strategies or prompts? Whatever way - it just takes a thought about the "customer".
Secondly, Mr Doyle's article suggests that you really can't count on everybody doing their job properly. This is sad really, but we've seen examples in the press on numerous occasions (I say numerous; I could possibly think of maybe five or six) and it only takes one person to flout the system and bring disrepute to an organisation. That said, it only takes one person to "whistle-blow" about something and that disrepute may be a given.
While Mr Doyle highlights the issues he chooses to about Bring Your Own Device, it's rather easy to forget that many of the same security issues also exist with organisations' own in-house systems.
What I'm saying is that the issues brought up here are not just confined to BYOD. I agree that such initiatives in less than assured organisations extend the risks, but it is often more likely to be people's attitudes that bring dangers into the security of data.
Mr Doyle suggests (but then says this is speculative!) that "Anonymous", the perpetrator of recent hacking incursions on the public sector, may have been able to gain access to sensitive passwords through less than secure cloud-based systems.
Equally, I would say they could have gained access to sensitive e-mails by finding a lost phone or a USB stick (which he also mentions), by overhearing a conversation, by picking up a phone message (News of the World-esque), by intercepting a text, or down at the local rubbish, where someone hadn't correctly disposed of some paper-based material.
Speculation is great when you try to build up a profile of possible issues, but it is not really useful when it leads to conclusions that are purely based on assumptions. People could quite easily misread what is written here and start to make their own assumptions about the real reasons why bring your own device (devastation) may or may not be useful, effective, popular, or costly.
I want to highlight the fact that this is not about BYOD, but is in fact a security issue that transcends a number of current strategies already in use in the real world, by giving some actual examples of how things can go wrong.
But please bear in mind that these examples are not presented in any way as reasons not to deal with the central issues. You can put as many strategies in place as you like; you can make as many rules; you can deny as many people access to technologies; you can take away facilities, but you can't account for the willingness of a person to adhere to any rules.
Example 1: I know of a situation where police returned a laptop to a public sector organisation. It had been found on a market stall a number of miles away from its starting point. No one knew it was missing; there was no record of its whereabouts; there was no asset register; no one knew what data resided on the hard drive. I said I wouldn't make any assumptions, but let's say the hard drive had been erased. The question is, was there data that could still have been recovered from the laptop that was sensitive, or critical?
Example 2: What happens when a member of staff at senior level loses four (4) mobile telephones in a period of six months? This happened. I've no idea whether these were recovered, and I had no idea what was contained on those phones, but they weren't part of a bring your own device program.
If someone cannot be trusted to look after a device provided by an organisation, the organisation could quite easily find itself being slapped with hefty fines.
Example 3: An expensive laptop was loaned to a CEO while his device was being checked and upgraded. That same loan laptop was intended to be provided elsewhere in the organisation at a later date, so it was erased just to ensure that any sensitive data was removed. The laptop was then stored in a secure area, but it went missing. Now apart from the fact that a theft occurred, who's to say what critical data, private information, or sensitive content could be rescued from the hard drive?
Example 4: Regular maintenance of desktop PCs does not only become neglected when funding cuts bite hard. I know of situations where proactive maintenance was not undertaken for many years, yet the desktop devices were used year-on-year, without a thought for what was being stored. The upshot of this was, in part, slower performance - but that resulted in people leaving machines running night and day to avoid delays in start-up and shut-down. This could equally be true in any shared work environment where ICT policies are poorly managed. Each user will have had their own login, but behind the scenes the caches, the storage, the history in fact, grow. Anyone with systems administration rights could retrieve that data. Hopefully, when the systems are eventually decommissioned, the process of data destruction will be thorough.
Example 5: To exemplify the fact that BYOD is not the fault - but that the responsibility lies fairly with the ICT Department, its successful implementation of policies and how people interpret these - I want to present another brief scenario. This is, again, a real example.
Just suppose that a group of customers wanting to use their own devices were not aware of the policy that they should not be used. What if a system was so poorly secured in the first instance that they were able to access the server names and start to access their work emails without really understanding the potential implications and risks they were taking? Now, the information about what is involved was circulated.
What if you were a member of staff who didn't really know about the technicalities, and along comes a well-meaning colleague and sets your phone up for you - telling you it's all above board? You then release malware onto the organisation's server? This could easily happen with certain less than well-secured operating systems - especially Android. Who would be at fault? Maybe you accidentally sent a rather personal email over the organisation's network that was intercepted, and brought to a disciplinary hearing? Whose fault would this be?
In each case above there are questions that, while relevant to BYOD, are also just as relevant in established corporate installations. To single out BYOD alone is a big mistake - and missing the point.
I contend that any organisation that has poor systems, strategies and policies stands an equal - if not an increased - chance of a security breach.
As I mentioned earlier, none of the examples cited is an assumption or speculation. They are all based on what I have seen or experienced; every one of these situations was under the management of ICT Departments in the public sector.
The fundamental question here is: do you trust the staff who use and access the sensitive data in your organisation? Do you trust your ICT Department to understand the issues at stake? If not, then something has to be done to shift the risk from the organisation to the individual.
Of course you and your ICT division or department have to be very sure that you have done everything you possibly can to ensure that all risks are mitigated. If you can't be sure of that as an ICT Department, then there are some very serious things you ought to be doing in terms of making your service fit for purpose.
You can never mitigate every risk, and that's just a fact of life.
I want to leave you with one more thought. The arguments for and against BYOD have a lot to do with the way that you communicate your strategy and the terms and conditions of the use of your service to all parties who are using or accessing sensitive or critical public information.
Imagine for a moment that bring your own device is implemented in or associated with your organisation without you actually owning it. What I mean here is, imagining your systems, how would you cope if people just discovered how to access them and the data without your involvement or knowledge? It could pose a serious risk if, as a result, data was leaked, because you were neither in control nor at the table when it came to being able to influence either the rollout or the adoption process.
What would you do? To try and ban access to BYOD strategies would be rather like closing the stable door after the horse has bolted.
Ultimately, the responsibility for how data of a sensitive nature is handled lies with those people in most parts of the organisation that deal with the tools required to work with that data. That would be true of "carbon paper" being misappropriated as much as it is about ICT. It's no surprise then that it ends up these days being the ICT Department who bear the burden in many cases. What I am saying, in effect, is that while there is a responsibility, as much if not more responsibility lies with the individual and in most cases the individual will only understand their responsibility if it is clearly and regularly communicated in a memorable and reasoned way.
What is needed, I suggest here, is that the strategy, the policy, and the communication be well implemented and that there is no reason why trends such as bring your own device, the use of cloud services, and the ultimate flexibility of various devices cannot be put to a sensible, effective, efficient, and individually satisfying use.
BYOD is now more than a trend. BYOD is becoming something that both employer and employee can embrace - but it will always build on trust and an understanding of the risk. This will not ultimately be about cost saving, although it ought to be possible with sensible study to show what effect staff using their own devices might have on the workplace.
The ICT Department would need to be prepared to be open-minded, to shelve platform-biased views, and to embrace variety. This is not an easy ask in many cases. It may frighten some, as well as being beyond the experience of others.
The question is, what sort of ICT department is yours? Adaptive, open, thorough, flexible and trusting; or risk-averse, closed, untrusting, limited in outlook and unwilling to explore potential futures?
Your choice.
http://www.techweekeurope.co.uk/comment/the-dangerous-world-of-bring-your-own-devastation-byod-58919?all_comments=true
As appears in publictechnology.net, 30/04/2012
BYOD isn't a device issue - it's still a core security problem
John Rudkin, an independent ICT consultant, feels there are too many unexamined assumptions flying around when it comes to BYOD
I've always been a staunch advocate of BYOD (Bring Your Own Device). But I've also remained realistic about its applicability in any particular application. Certainly there are some serious questions, and a great deal of work needed, to establish it across the board in some public sector and sensitive data applications. I certainly agree with that - but at the same time, I see some organisations banning it while others embrace it with gusto.
Hence an interesting recent article, based on some market research, which sparked some interesting online comments too, by the way. There are, however, a couple of home truths to be considered:
The first - people are lazy and will always take the easiest route, and security can suffer. We all know this to be true. No one enjoys changing passwords every month, remembering odd mixes of letters, numbers and symbols etc., so invariably they just do not bother to. I know, people have told me as much - and guess what? I never did it. I do now though. Maybe ICT could hold the answer to helping people with strategies or prompts? Whatever way - it just takes a thought about the "customer" and what works for them.
Secondly, you really can't count on everybody doing their job properly. This is a sad indictment of fellow colleagues perhaps, but we've all seen examples in the press on numerous occasions (I say numerous; I could possibly think of maybe five or six) and it only takes one person to fail or flout the system and bring disrepute to an organisation to have a big effect. That said, it only takes one person to "whistle-blow" about something and that disrepute may be a given.
While highlighting the issues this and similar articles, and the debate in general, raise about BYOD, it's rather easy to forget that many of the security issues also exist with organisations' own in-house systems anyway. What I'm saying is that the issues we're starting to identify are not just confined to BYOD. I agree that such initiatives in less than assured organisations extend the risks, but it is often more likely to be people's attitudes that bring the dangers in.
Thus it was suggested that "Anonymous", the perpetrator of recent hacking incursions on the public sector, may have been able to gain access to sensitive passwords through less than secure Cloud-based systems. If this approach was to be seen as worth agreeing with, we might as well worry about the possibility of an employee accidentally posting his or her password and security details in a letter to a hacker. After all, it COULD HAPPEN, right? But I would also point out that Anonymous could have gained access to sensitive e-mails by finding a lost phone, finding an old USB stick, overhearing something in a coffee shop, picking up a phone message and so on.
Speculation is great when you try to build up a profile of possible issues, but it is not really useful when it leads to conclusions that are purely based on assumptions. People could quite easily misread what is written about BYOD and start to make their own assumptions that may or may not be useful, effective, popular, or cost-effective.
Not BYOD at all
I want to highlight the fact that this is not about BYOD at all, but is in fact a security issue that transcends a number of current strategies already in use in the real world. I'll do this by giving some actual examples of how it can go wrong, or get out of hand. (Please bear in mind that these examples are not presented in any way as reasons not to deal with the central issues. That is the only way to decrease risk. You can put as many strategies in place as you like; you can make as many rules; you can deny as many people access to technologies; you can take away facilities, but you can't account for the willingness of a person to adhere to any rules, or to take the decisions out of your hands.)
Example 1: I know of a situation where Police returned a laptop to a public sector organisation. It had been found on a market stall a number of miles away from its starting point. No one knew it was missing; there was no record of its whereabouts; there was no asset register; no one knew what data resided on the hard drive. I said I wouldn't make any assumptions, but let's say the hard drive had been erased. The question is, was there data that could still have been recovered from the laptop that was sensitive, or critical? Risk rating: HIGH (i.e. control was lost).
Example 2: What happens when a member of staff at senior level loses four (4) mobile telephones in a period of six months? This happened. I've no idea whether these were recovered, and I had no idea what was contained on those phones, but they weren't part of a bring your own device programme. If someone cannot be trusted to look after a device provided by an organisation, the organisation could quite easily find itself being slapped with hefty fines. Risk rating: HIGH (= control was lost).
Example 3: An expensive laptop was loaned to a CEO while his device was being checked and upgraded. That same loan laptop was intended to be provided elsewhere in the organisation at a later date, so it was erased just to ensure that any sensitive data was removed. The laptop was then stored in a secure area, but it went missing. Now apart from the fact that a theft occurred, who's to say what critical data, private information, or sensitive content could be rescued from the hard drive? Risk rating: HIGH (as both control and security were lost).
Example 4: Regular maintenance of desktop PCs does not only become neglected when funding cuts bite hard. I know of situations where proactive maintenance was not undertaken for many years, yet the desktop devices were used year-on-year, without a thought for what was being stored. The upshot of this was, in part, slower performance - but that resulted in people leaving machines running night and day to avoid delays in start-up and shut-down. This could equally be true in any shared work environment where ICT policies are poorly managed. Each user will have had their own login, but behind the scenes the caches, the storage, the history in fact, grow. Anyone with systems administration rights could retrieve that data. Hopefully, when the systems are eventually decommissioned, the process of data destruction will be thorough. Risk rating: HIGH/MED (as control was not maintained).
Example 5: To exemplify the fact that BYOD is not the fault - but that the responsibility lies fairly with the ICT Department, its successful implementation of policies and how people interpret these - I want to present another brief scenario. This is, again, a real example.
Just suppose that a group of customers wanting to use their own devices were not aware of the policy that they should not be used. What if a system was so poorly secured in the first instance that they were able to access the server names and start to access their work emails without really understanding the potential implications and risks they were taking?
What if you were a member of staff who didn't really know about the technicalities, and along comes a well-meaning colleague and sets your phone up for you - telling you it's all above board? You then release malware onto the organisation's server? This could easily happen with certain less than well-secured operating systems - especially Android. Who would be at fault? Maybe you accidentally sent a rather personal email over the organisation's network that was intercepted, and brought to a disciplinary hearing? Whose fault would this be? Risk rating: HIGH (= control was lost and security breached).
In each case above there are questions that, while relevant to BYOD, are also just as relevant in established corporate installations. To single out BYOD alone is a big mistake - and missing the point.
I would contend that any organisation that has poor systems, strategies and policies stands an equal - if not an increased - chance of a high-level security breach. As I mentioned earlier, none of the examples cited is an assumption or speculation. They are all based on what I have seen or experienced in the course of my work. Every one of these situations was under the management of ICT Departments in the public sector.
The fundamental question here is: do you trust the staff that use and access the sensitive data in your organisation? Do you trust your ICT Department to understand the issues at stake? If not, then something has to be done to shift the risk from the organisation to the individual.
Get used to it? Why?
Of course you and your ICT division or department have to be very sure that you have done everything you possibly can to ensure that all risks are mitigated. If you can't be sure of that as an ICT Department, then there are some very serious things you ought to be doing in terms of making your service fit for purpose.
Get used to it. You can never mitigate every risk, and that's just a fact of life. If you do, work will stop or motivation and respect for ICT will drop like a stone.
I want to leave you with one more thought. The arguments for and against BYOD have a lot to do with the way that you communicate your strategy, as well as the terms and conditions of the use you place on your service to all parties who are using or accessing sensitive or critical public information.
Imagine for a moment that BYOD is introduced into association with your organisation without you actually understanding the implications. What I mean here is, imagining your systems, how would you cope if people just discovered how to access them and the data without your involvement or knowledge?
Frightening prospect? It is another example of total loss of control. It could pose a serious risk if, as a result, data was leaked, because you were neither involved nor at the table when it came to being able to influence either the rollout or the safe adoption process.
What would you do? To try and ban access to BYOD strategies would be rather like closing the stable door after the horse has bolted. Ultimately, the responsibility for how data of a sensitive nature is handled lies with those people in most parts of the organisation that deal with the tools required to work with that data. That is ICT. But would the same responsibility lie with Office Supplies if "carbon paper" was being misappropriated and sensitive data was found on that? That data loss is as much about the policies as it is about the example in ICT. It's no surprise then that it ends up these days being the ICT Department who bear the burden in many cases. What I am saying, in effect, is that while there is a responsibility, as much if not more responsibility lies with the individual, and in most cases the individual will only understand their responsibility if it is clearly and regularly communicated in a memorable and reasoned way.
What is needed, I suggest here, is that the strategy, the policy, and the communication be well implemented, and that there is no reason why trends such as BYOD, the use of Cloud services, and the ultimate flexibility and advantages of various devices cannot be put to a sensible, effective, efficient, and individually satisfying use.
The question is, what sort of ICT department is yours? Adaptive, open, thorough, flexible and trusting; or risk-averse, closed, untrusting, limited in outlook and unwilling to explore potential futures?
Your choice.
The author is an ICT and eLearning consultant with experience of working in the public sector, education and private industry, currently working with schools, The Open University and the Third Sector on the Fylde Coast (Lancashire). He was an employee of Apple Computer for 9 years, is an Apple Distinguished Educator, and has a website of his own here
http://www.publictechnology.net/sector/central-gov/byod-isnt-device-issue-its-still-core-security-problem