The BYOD Security Loophole

Are you on the “bring your own device” (BYOD) bandwagon? It’s the buzzword — arguably business problem — of the year, and it impacts practically every business in some fashion. After all, a large percentage of users have a phone and/or a tablet these days, and everyone wants to get their devices online and transact business, now.

Which side of the BYOD equation are you on? Does your organization embrace users connecting their personally-owned mobile devices to business systems? Or, does management take the stance of “No mobile!”? Unless you work for a highly-restrictive government facility, I’m guessing you fall into the former category. The funny thing about BYOD that seems to be afflicting every organization is what should be done about the nonchalant and careless executives who have exempted themselves from any and all mobile security policies and standards that you and your team are trying your darnedest to implement.

Think about it. You have a culture of security. You have someone — perhaps a team of people — in charge of managing information risks. You’ve got the network perimeter, applications and other critical areas of the network under control. Yet you — and just about everyone else — has a group of people who do not believe in secure mobile computing. At least they don’t believe in it if it impacts them.

I know we have to be smart about balancing security with usability and convenience, and we have all made mistakes in that area. But to have a group of users completely negate everything you’ve worked towards so they can play with their toys in the boardroom and on the golf course? Come on.

Here’s the real underlying issue with BYOD and mobile security. It’s the fact that people in IT, information security, compliance and internal audit aren’t willing to stick their necks out and try to enforce their mobile security policies. Who’s going to do that? Very few, and therein lies the problem.

Yet still, the problem with mobile security is as glaring as ever. Don’t take this the wrong way. I’m not trying to sensationalize mobile security risks, but I don’t want to trivialize them either. The risk of a mobile-related security breach is real in businesses of all sizes and industries.

A quick peek at the Privacy Rights Clearinghouse Chronology of Data Breaches at privacyrights.org confirms this reality. And that breach database — like all others — only tells part of the story. It’s the undetected and unreported breaches that fill in much of the gap. Another glaring mobile security risk is intellectual property. How’s that going to be looked upon by your board, your investors, and even business partners and customers when such critical information is lost or stolen — especially when something could’ve been done?

As James Champy said, “Many executives are insulated from reality and consequently don’t know what the hell is going on.” I do believe that certain people in management understand what’s at stake. How could they not know? Whether or not executives in your organization choose to bury their heads over this issue is one thing, but it is still the responsibility of those of us in IT to quantify the problem, make it known and then do something about it however we can.

If you are in a situation where it is just not possible to lock down executive phones and tablets, then keep good records. There’s nothing more degrading than someone who devalues what you professionally recommend while, at the same time, the blame is placed on you when the “you know what” hits the fan. So, educate, inspire and, perhaps most importantly, CYA.

Editor’s Note: Check out more on the BYOD security challenge on page 38 of this issue.

Kevin Beaver is an information security consultant, expert witness, author and professional speaker with Atlanta-based Principle Logic, LLC. With more than 23 years of experience in the industry, he specializes in performing independent security assessments revolving around minimizing information risks. He has authored/co-authored 10 books on information security including the best-selling “Hacking For Dummies” as well as the newly-released “Implementation Strategies for Fulfilling and Maintaining IT Compliance.” In addition, he’s the creator of the Security On Wheels information security audio books and blog providing security learning for IT professionals on the go. You can reach Kevin through his website principlelogic.com, follow him on Twitter at @kevinbeaver and connect to him on LinkedIn.