OK, so maybe BYOD isn’t statistically likely to kill you. But the hype of BYOD just might get you to focus on the wrong things. In the past couple of days, there have been all sorts of echo-chamber reports amplifying Virgin Business Media’s assertion that, “Last year 51 per cent of the UK’s secure IT networks were breached due to employees using personal devices.” Sorry, I find this claim to be distracting.
Where are the details?
For one thing, this assertion lacks context – what percentage of these organizations have substantive proof they’ve been breached with a personal device as the vector? How many of these same organizations were breached due to users falling for phishing emails on company-owned systems? What constitutes a “breach” in the minds of these 500 CIOs in the survey? And that’s just scratching the surface.
The data (as far as I can see) isn’t being published for us to dig in and find out more about the questions, answers, and specifics of this study.
Why does this bug me? It gets back to the distraction factor. Breaches that succeed via employees are not inherently a device problem – after all, the user is the new perimeter and organizations (or organisations, as the case may be) need to invest in education to help those users act in security-aware ways.
Those same organizations must also implement policies that clearly communicate expectations of those users, and invest in controls that make it easier for those users to do the right thing, while making it more difficult (or at least creating meaningful consequences) when people do the wrong thing.
I agree with one thing
One area in which I agree with Virgin Business Media’s assertion is this:
“Without clear policies in place to deal with this influx of personal devices, larger businesses may be facing even more security threats as people unwittingly use unsecure devices on secure networks.”
“With sales of tablets expected to have gone through the roof over Christmas, it looks like personal devices in the workplace are here to stay. But with just a fifth of large firms having a BYOD policy, businesses will continue to experience security breaches until connectivity, security and user policies are put in place.”
Getting people up in arms about the onslaught of dangerous mobile devices doesn’t really solve the problem. On the other hand, getting people up in arms about investing in employee training, good policies, and technology to support those policies and mitigate the risk of insecurely configured devices can help a great deal.
Oh, and those top 20 security controls Adam has been writing about? They help with mobile devices, too.