The Dangerous World Of Bring Your Own Devastation (BYOD)

The fact that Anonymous hackers could attend a “private” conference call between police forces on each side of the Atlantic holds a solemn warning to all businesses.

It is suspected that the hackers gained access to the call through an email that was privately sent but publicly stored by one of the European invitees. In these days of growing use of mobile devices, it is common for apps to include email-on-the-move and therein lies a potential problem.

Going for the juggler

Bring your own device (BYOD) sounds like a good idea but a lot depends on how the email and business information is handled. Organisations like the police are not very happy to allow private emails to be mingled with personal emails. In fact, BYOD obviously cuts no ice with the concept of lawkeeping. This should also be the case in many organisations that handle sensitive information.

Consequently, police officers usually have two devices: one supplied by the force and the other bought by themselves for personal use. The problem is that phone juggling is never popular, and some organisations’ phones are shared between staff shifts so there is a temptation to “consolidate” messages by forwarding emails to a service like Gmail, Hotmail or Yahoo Mail.

It’s purely speculative, but this is possibly how Anonymous grabbed the email. A European police officer forwarded the FBI email to a public service account which was protected by a guessable password. Alternatively, the email may have been stored on a poorly protected police server.

People are lazy when it comes to passwords, torn between satisfying Microsoft Active Directory’s requirements for a mix of capital letters, lower case and numbers, and being something that is memorable. A thorough and detailed Annual Data Breach Report scheduled for release by security firm Trustwave tomorrow will show that the top password in business is “Password1” – “Well, it satisfies Active Directory’s requirements and it’s very easily recalled”, Nicholas Percoco, senior vice president and head of Trustwave SpiderLabs, told TechWeek Europe today.

There are several scenarios but all point to the same thing. Managing information is becoming more difficult as technology, especially mobile devices, pervades our everyday lives.

Policing the policies

Policies are the only protection that companies really have to guard their intellectual property rights (IPR) and other private information. The problem with policies is that they are undertakings by the staff to follow guidelines but they cannot enforce compliance. Even if 99 out of 100 staff, firstly, comprehend the policy document and, second, successfully apply it, the one remaining person can still bring a company down.

It was always the case that employees could take data home with them with or without their company’s blessing. The data “sieve” was leaky but the holes were few and far between. On top of this the maximum data transfer was somewhat limited. Assuming a good block on outward-going data over the Internet, the average user would be limited to loading up floppy disks – a slow and laborious method.

Now we have USB sticks, USB drives and, probably most threatening of all, smartphones and tablets. There have been numerous cases of lost USB sticks hitting the news but data stolen from public email systems are hard to trace if username and password have been correctly applied.

We are seeing many moves to ensure apps, particularly those for Android-based devices, are not carrying Trojans but there are many other ways that security can  be breached. Countless users employ the same username/password combinations across the multiple and diverse systems they use. It does not take an evil genius to consider writing an app that requires the user to register a password and then try applying the information gathered to other online services.

The problem is particularly evident when a BYOD strategy is in place. You may be able to control, to a certain degree, what data the user has access to but you cannot control what they do with the data or which apps and games share the user device environment.

Eric Doyle, ChannelBiz

Eric is a veteran British tech journalist, currently editing ChannelBiz for NetMediaEurope. With expertise in security, the channel, and Britain's startup culture, through his TechBritannia initiative

View Comments

  • http://www.johnarudkin.net/page13/page13.html

    Response to:

    http://www.techweekeurope.co.uk/comment/the-dangerous-world-of-bring-your-own-devastation-byod-58919#comment-form-box

    Mr. Doyle's article, "The Dangerous World of Bring your Own Devastation", in an interesting mix of wake-up call and assumption, and as such poses many more questions than it purports to answer - if indeed it answers anything about about data security.

    There are however a few home truths, and these are quite accurate:

    The first is that people are lazy and will always take the easiest route, and security can suffer. No one enjoys changing Passwords, remembering odd mixes of letters, numbers and symbols etc, and so invariably they do not bother to. Maybe ICT could hold the answer to helping people with strategies or prompts? Whatever way - it just takes a thought about the "customer".

    Secondly, Mr Doyle's article suggests that you really can't count on everybody doing their job properly. This is sad really, but we've seen examples in the press on numerous occasions ( I say numerous, I could possibly think of maybe five or six ) and it only takes one person to flout the system and bring disrepute to an organisation. That said, it only takes one person to "whistle-blow" about something and that disrepute may be a given.

    While highlighting the issues Mr Doyle chooses to highlight about Bring Your Own Device, it's rather easy to forget that many of the security issues also exist with organisation's own in-house systems.
    What I'm saying is that the issues brought up here are not just confined to BYOD, although I agree, such initiatives in less than assured organisations extends the risks, but it is often more likely to be people's attitudes that bring dangers in to security of data.

    Mr Doyle suggests (but then says this is speculative!) that "Anonymous", the perpetrator of recent hacking incursions on the public sector, may have been able to gain access to sensitive passwords through less than secure cloud-based systems.
    Equally I would say they could have gained access to sensitive e-mails by finding a lost phone, a USB stick (which he also mentions)
    Overhearing a conversation,
    Picking up a phone message (News of the World-esque)
    Intercepting a text, or
    down the local rubbish to where someone hadn't correctly disposed of some paper-based material.
    Speculation is great when you try to build up a profile of possible issues, is not really useful when it leads to conclusions that are purely based on assumptions. People could quite easily misread what is written here and start to make their own assumptions about the real reasons why bring your own device (devastation) may or may not be useful, effective, popular, costly.

    I want to highlight the fact that this is not about BYOD, but is in fact a security issue that transcends a number of current strategies already in use in the real-world by giving some actual examples of how things can go wrong.

    But please bear in mind that these examples are not presented in any way as reasons not to deal with the central issues. You can put as many strategies in places as you like; you can make as many rules; you can deny as many people access to technologies; you can takeaway facilities, but you can't account for the willingness of a person to adhere to any rules.

    Example 1: I know of a situation where police returned a laptop to a public sector organisation. It had been found on a market stall number of miles away from its starting point. No one knew it was missing; there was no record of his whereabouts; there was no asset register; no one knew what data resided on the hard drive. I said I wouldn't make any assumptions, but let's say the hard drive had been erased. The question is, was there data that could still have been recovered from the laptop that was sensitive, or critical?

    Example 2: What happens when a member of staff at senior level loses four (4) mobile telephones in a period of six months? This happened. I've no idea whether these were recovered, and I had no idea what was contained on those phones, but they weren't part of a bring your own device program.
    If someone cannot be trusted to look after device is provided by an organisation, the organisation could quite easily find itself being slapped with hefty fines.

    Example 3: An expensive laptop was loaned to a CEO while his device was being checked and upgraded. That same loan laptop was intended to be provided elsewhere in the organisation at a later date, so it was erased just to ensure that any sensitive data was removed. The laptop was then stored in a secure area, but it went missing. Now apart from the fact that a theft occurred, who's to say what critical data, private information, or sensitive content could be rescued from the hard drive?

    Example 4: Regular maintenance of desktop PCs does not just become neglected when funding cuts bite hard. I know situations where proactive maintenance was not undertaken for many years, yet the desktop devices were used year-on-year, without a thought for what was being stored. The upshot of this was, in part slower performance - but that resulted in people leaving machines running night and day tro save delays in start-up and shut-down. This could equally be true in any shared work environment where ICT policies are poorly managed. Each users will had their own logins, but behind-the-scenes the caches, the storage, the history in fact, grows. Anyone with the systems administration could retrieve that data. Hopefully when the systems are eventually decommissioned the process of data destruction will be thorough.

    Example 5: To exemplify the fact that BYOD is not the fault - but that the responsibility lies fairly with the ICT Department, its successful implementation of policies and how people interpret these I want to present another brief scenario. This is again, a real example.
    Just suppose that a group of customers wanting to use their own devices were not aware of the policy that they should not be used. What if a system was so poorly secured in the first instance that they were able to access the server names and start to access their work emails without really understanding the potential implications and risks they were taking. Now, the information about what is involved was circulated.
    What if you were a member of staff who didn't really know about the technicalities, and a well meaning colleague sets your phone up for you - telling you it's all above board? You then release malware onto the organisation's server? This could easily happen with certain less than well secured operating systems - especially Android. Who would be at fault? Maybe you accidentally sent a rather personal email over the organisation's network that was intercepted, and brought to a disciplinary hearing? Whose fault would this be?

    In each case above there are questions that, while relevant to BYOD, are also just as relevant in corporate established installations. To single out BYOD singularly is a big mistake - and missing the point.

    I contest that any organisation that has poor systems, strategies and policies, stand an equal - if not an increased chance of a security breach.

    As I mentioned earlier, none of the examples cited is an assumption nor speculation. They are all based on what I have seen or experienced every one of these situations, and all under the management of ICT Departments in the public sector.

    The fundamental question here is: do you trust the staff who use and access the sensitive data in your organisation? Do you trust your ICT Department to understand the issues at stake? If not, then something has to be done to shift the risk from the organisation to the individual.
    Of course you and your ICT division or department has to be very sure that you have done everything you possibly can to ensure that all risks are mitigated. If you can't be sure of that as an ICT Department, then there are some very serious things you ought to be doing in terms of making your service fit for purpose.

    You can never mitigate every risk, and that's just a fact of life.

    I want to leave you with one more thought. The arguments for and against BYOD have a lot to do with the way that you communicate your strategy and the terms and conditions of the use of your service to all parties who are using or accessing sensitive or critical public information.

    Imagine for a moment that bring your own device is implemented in or associated with your organisation without you actually owning it. What I mean here is, imagining your systems, how would you cope if people just discovered how to access them and the data without your involvement or knowledge. It could pose a serious risk if, as a result data was leaked, because you were neither in control nor at the table when it comes to being able to influence either the rollout or the adoption process.

    What would you do? To try and ban the access BYOD strategies would be rather like closing the stable door after the horse has bolted.
    Ultimately, the responsibility for how data of a sensitive nature is handled lies with those people in most parts of the organisation that deal with the tools required to work with that data. That would be true of "carbon paper" being misappropriated as much as it is about ICT. It's no surprise then that it ends up these days being the ICT Department who bear the burden in many cases. What I am saying, in effect, is that while there is a responsibility, as much if not more responsibility lies with the individual and in most cases the individual will only understand their responsibility if it is clearly and regularly communicated in a memorable and reasoned way.

    What is needed, I suggest here, is that the strategy, the policy, and the communication be well implemented and that there is no reason why trends such as bring your own device, the use of cloud services, and the ultimate flexibility of various devices cannot be put to a sensible, effective, efficient, and individually satisfying use.

    BYOD, is now more than a trend. BYOD is becoming something that both employer and employee can embrace - but it will always build on a trust and an understanding of the risk. This will not be about cost saving ultimately, although it ought to be possible with sensible study to show what an effect staff using their own devices might bring to the workplace.

    The ICT Department would need to be prepared to be open-minded, to shelve platform biased views, and to embrace variety. This is not an easy ask in many. It may frighten some, as well as being beyond the experience of others.

    The question is, what sort of ICT department is yours? Adaptive, open, thorough, flexible and trusting; or risk aversed, closed, untrusting, limited in outlook and unwilling to explore potential futures?

    Your choice.

Recent Posts

UK’s CMA Readies Cloud Sector “Behavioural” Remedies – Report

Targetting AWS, Microsoft? British competition regulator soon to announce “behavioural” remedies for cloud sector

6 mins ago

Former Policy Boss At X Nick Pickles, Joins Sam Altman Venture

Move to Elon Musk rival. Former senior executive at X joins Sam Altman's venture formerly…

3 hours ago

Bitcoin Rises Above $96,000 Amid Trump Optimism

Bitcoin price rises towards $100,000, amid investor optimism of friendlier US regulatory landscape under Donald…

4 hours ago

FTX Co-Founder Gary Wang Spared Prison

Judge Kaplan praises former FTX CTO Gary Wang for his co-operation against Sam Bankman-Fried during…

5 hours ago