The Dangerous World Of Bring Your Own Devastation (BYOD)
A Bring Your Own Device policy has many attractive attributes but the security risks can be enormous and, as yet, unfathomed, says Eric Doyle
The fact that Anonymous hackers could attend a “private” conference call between police forces on each side of the Atlantic holds a solemn warning to all businesses.
It is suspected that the hackers gained access to the call through an email that was privately sent but publicly stored by one of the European invitees. In these days of growing use of mobile devices, it is common for apps to include email-on-the-move and therein lies a potential problem.
Going for the juggler
Bring your own device (BYOD) sounds like a good idea but a lot depends on how the email and business information is handled. Organisations like the police are not very happy to allow private emails to be mingled with personal emails. In fact, BYOD obviously cuts no ice with the concept of lawkeeping. This should also be the case in many organisations that handle sensitive information.
Consequently, police officers usually have two devices: one supplied by the force and the other bought by themselves for personal use. The problem is that phone juggling is never popular, and some organisations’ phones are shared between staff shifts so there is a temptation to “consolidate” messages by forwarding emails to a service like Gmail, Hotmail or Yahoo Mail.
It’s purely speculative, but this is possibly how Anonymous grabbed the email. A European police officer forwarded the FBI email to a public service account which was protected by a guessable password. Alternatively, the email may have been stored on a poorly protected police server.
People are lazy when it comes to passwords, torn between satisfying Microsoft Active Directory’s requirements for a mix of capital letters, lower case and numbers, and being something that is memorable. A thorough and detailed Annual Data Breach Report scheduled for release by security firm Trustwave tomorrow will show that the top password in business is “Password1” – “Well, it satisfies Active Directory’s requirements and it’s very easily recalled”, Nicholas Percoco, senior vice president and head of Trustwave SpiderLabs, told TechWeek Europe today.
There are several scenarios but all point to the same thing. Managing information is becoming more difficult as technology, especially mobile devices, pervades our everyday lives.
Policing the policies
Policies are the only protection that companies really have to guard their intellectual property rights (IPR) and other private information. The problem with policies is that they are undertakings by the staff to follow guidelines but they cannot enforce compliance. Even if 99 out of 100 staff, firstly, comprehend the policy document and, second, successfully apply it, the one remaining person can still bring a company down.
It was always the case that employees could take data home with them with or without their company’s blessing. The data “sieve” was leaky but the holes were few and far between. On top of this the maximum data transfer was somewhat limited. Assuming a good block on outward-going data over the Internet, the average user would be limited to loading up floppy disks – a slow and laborious method.
Now we have USB sticks, USB drives and, probably most threatening of all, smartphones and tablets. There have been numerous cases of lost USB sticks hitting the news but data stolen from public email systems are hard to trace if username and password have been correctly applied.
We are seeing many moves to ensure apps, particularly those for Android-based devices, are not carrying Trojans but there are many other ways that security can be breached. Countless users employ the same username/password combinations across the multiple and diverse systems they use. It does not take an evil genius to consider writing an app that requires the user to register a password and then try applying the information gathered to other online services.
The problem is particularly evident when a BYOD strategy is in place. You may be able to control, to a certain degree, what data the user has access to but you cannot control what they do with the data or which apps and games share the user device environment.