BYOD or Bring-Your-Own- … Ostrich?

When it comes to the bring-your-own-device (BYOD) movement, there are essentially two types of organizations: Those that have programs in place to support it; and those that pretend that, because they have forbidden the practice, it isn’t happening. In the latter group, in which employees are doubtless bringing their own devices, the IT professionals tasked with network security have brought their own ostrich — and its head is buried firmly in the sand.

We all know that mobile devices such as smartphones and tablets bring additional risks. The same can be said of any employee-owned device, including laptops and desktops. Would we like to minimize risk? Of course. But which of the following is riskier?

  • Letting employees who may know little about threats or mitigation strategies sort out what the most appropriate defenses are, install the proper tools, configure them for optimal usability/security and maintain all this in the face of an ever-changing backdrop of newly-discovered vulnerabilities and attack types.
  • Letting subject matter experts chart the course and enable members of the user community to focus on their daily jobs.

Bear in mind that there is not a third option since the devices will inevitably make their way into the environment in one way or another. The only question is whether firms want the employees bringing in these devices to decide on a security strategy for themselves or to allow professionals to provide the necessary training and infrastructure to guide the process.

A Brief History Lesson

Remember when all computing was done under tightly controlled environments? All computers were on raised floors behind access-controlled doors, with security guards logging everyone’s comings and goings, all under constant surveillance by security cameras. (Alright, so maybe some of you don’t remember this. Just take my word for it. It really happened.)

Then, the first PCs burst onto the scene, and the idea that sensitive data might now sit on or under someone’s desk in an open cubicle caused the security department to break out in hives. As if that weren’t enough; laptops soon started showing up, and it was as if the data center had grown legs and could now be carried to and from external meetings just as easily as it could end up at the beach with an employee wanting to check email from time to time while on vacation. Worse still, this precious resource could get nabbed from a hotel room or car seat and wind up in the hands of a competitor in short order. By that point, the hives were breaking out in hives of their own.

But, as we all know, it didn’t stop there. Now, we have mobile devices with the power and storage capacity of yesterday’s mainframes in a size that fits conveniently in an employee’s pocket — or on the floor of the taxi that employee took an hour ago. At this point, the medical analogies fail me.

The point is that, with each turn of the technological crank, doomsayers have predicted the end of IT security as we know it; and yet, life goes on. Not only has the world not come to an end, but smart organizations have figured out how to ride the waves of new technology and improve their competitiveness in the process. When viewed from this historical perspective, it becomes clear that those companies that figure out how to leverage change and manage risk are going to be the winners. The others? Well, we will get to read about them in the history books.

BYOD Is Just the Beginning

It’s not only devices that employees are introducing into the equation; it’s also public cloud services such as iCloud, Gmail, Dropbox, Evernote and so on. In fact, the more we move to mobile devices with always-on Internet connections, the more we are going to leverage these capabilities because they were made for each other. Any attempt to pre-emptively block all public cloud services is just as likely to fail as an attempt to prohibit the use of smartphones and tablets for business purposes. The better strategy is, once again, to figure out how to get out in front of the trend and exercise prudent control over how these devices and services can be used in a secure manner instead of simply forbidding them and running the risk of driving their use underground, where you will no longer have the ability to influence how they are used.

In the end, users are going to bring their own devices, clouds and anything else that awaits on the technological horizon. The only question is whether you also want them to bring their own security as well while the organization chooses to hang out with the ostriches.

More from Endpoint

Combining EPP and EDR tools can boost your endpoint security

6 min read - Endpoint protection platform (EPP) and endpoint detection and response (EDR) tools are two security products commonly used to protect endpoint systems from threats. EPP is a comprehensive security solution that provides a range of features to detect and prevent threats to endpoint devices. At the same time, EDR is specifically designed to monitor, detect and respond to endpoint threats in real-time. EPP and EDR have some similarities, as they both aim to protect endpoints from threats, but they also have…

The needs of a modernized SOC for hybrid cloud

5 min read - Cybersecurity has made a lot of progress over the last ten years. Improved standards (e.g., MITRE), threat intelligence, processes and technology have significantly helped improve visibility, automate information gathering (SOAR) and many manual tasks. Additionally, new analytics (UEBA/SIEM) and endpoint (EDR) technologies can detect and often stop entire classes of threats. Now we are seeing the emergence of technologies such as attack surface management (ASM), which are starting to help organisations get more proactive and focus their efforts for maximum…

X-Force identifies vulnerability in IoT platform

4 min read - The last decade has seen an explosion of IoT devices across a multitude of industries. With that rise has come the need for centralized systems to perform data collection and device management, commonly called IoT Platforms. One such platform, ThingsBoard, was the recent subject of research by IBM Security X-Force. While there has been a lot of discussion around the security of IoT devices themselves, there is far less conversation around the security of the platforms these devices connect with.…

X-Force prevents zero day from going anywhere

8 min read - This blog was made possible through contributions from Fred Chidsey and Joseph Lozowski. The 2023 X-Force Threat Intelligence Index shows that vulnerability discovery has rapidly increased year-over-year and according to X-Force’s cumulative vulnerability and exploit database, only 3% of vulnerabilities are associated with a zero day. X-Force often observes zero-day exploitation on Internet-facing systems as a vector for initial access however, X-Force has also observed zero-day attacks leveraged by attackers to accomplish their goals and objectives after initial access was…