Do the Risks of BYOD Outweigh the Benefits?

Steve Hasselbach is a Senior Solutions Architect (AKA Marketing Guy -- but he's also a serious techie) for Peak 10, a datacenter company. In his work he deals with his clients' security problems, and often shakes his head at how security unconscious so many businesses are, even after endless publicity about corporate IT security holes costing companies millions of dollars.

He says, "...it doesn’t shock me anymore, but you’d be so shocked and surprised at how noncompliant this country is in terms of businesses around things like healthcare data and all that." In this interview, Steve talks about how (surprise!) the current BYOD trend is making things worse, but isn't necessarily responsible for the worst security holes, and offers benefits that might outweigh the increased security risks it brings.. (Note: The transcript contains material not included in the video.)

Commentary by Cartoon

[sehlat]

http://onthefastrack.com/comic...

"The transcript contains material not in the video

Then it's not a transcript, is it?

No

[unencode200x]

No. As the old saying goes, possesion is nine tenths of the law. If data is on someone BYOD device then there can be questions as to who owns it. Even with contracts, etc. it's all a civil matter. The sheriff won't get involved.

With a company-owned device there is no question. If someone leaves and they still have your $800 phone... the cops will at least listen and there is no question as to whether you can brick it.

I'm all for freedom and stuff but I've seen this go south too many times.

Re:No

[Chris+Mattern]

Then don't you mean "yes, the risks outweigh the benefits"?

BTW, I agree with you from the employee side of the matter. My company provides me a phone. It is theirs. I have my own phone. It is mine. This arrangement suits me very well. As long as the company wants me to have a phone to use on company business, they will need to continue to provide me with one.

Re:No

[UnderCoverPenguin]

I do not use my tablet or phone for company business (other than short phone calls). If the company really wants me to use such a device for company business, they will have to provide it. I've told them this when they've said "just use your tablet". And their response has, so far, been "Oh. Then don't worry about it." the customer liaison "engineers", "resident" engineers, their managers and department directors (and above) have company issued phones and tablets. The rest of us don't, despite the fact it would benefit the company if we did.

Re:No

[NotInHere]

good network security such as MAC registration

MAC addresses are quite public, static, and easily fakeable information, they are by no means a "good" way to authenticate devices.

Re:No

[unixisc]

I personally got 2 phones. One was an iPhone, which I use exclusively for personal use (i.e. facetimeing relatives), whose number I don't share w/ anybody outside family. The other is a Moto X, which I don't share w/ family, but which I use exclusively for work, assuming that they don't provide me anything. So if any office wanted to configure it for any official work, I'd let them, and reset the phone whenever I left that job. That way, I keep my work and personal lives completely separate.

One good way any employer could work w/ me on this, if it didn't want to provide a phone - pay my monthly bills for that work number.

Re:No

[Xest]

Yep, in fact, with the new European Court of Human Rights ruling that states employers can snoop on private data on a machine used at work I would refuse to ever bring my own device in to a work place now. It's too risky, there's not a chance I'm going to enter into a situation where my employer potentially has the legal right to look through all my personal e-mails, photos, communications and so forth ever.

For me BYOD is a big no no, I wouldn't touch it with a barge pole, the slightest chance that an employer might be allowed access to pillage data from my personal devices is enough to push me away.

Even outside of that with devices like phones, I like a separation between my personal phone and my work phone because I can turn my work phone off out of hours. I don't want to be pestered by work on my personal phone in my time, when I'm off sick, when I'm on holiday, perhaps even after I've quit the company. I made the mistake early in my career of allowing people at work my personal phone number as well as my work one as my work one didn't always get reception. After a shitty call on a day off from a user that shouldn't have even had the number but had obviously been handed it by someone, about a support issue that didn't even have anything to do with me, I demanded that my personal number be removed altogether and I always switched my work phone off the second I left work making it clear if they want me to answer in my own time they need to pay me on-call pay.

Frankly as I see it BYOD is basically just an attempt to merge personal life and work life so that exploitative companies can further entrench themselves in every aspect of your life to make sure that you're always on the clock.

Re:No

[unencode200x]

Interesting. It sort of sounds like a bit of irony here. People wanted to BYOD so they just started doing it for convenience or what have you. Then, employers figured out they could save money and snoop. So now, some employers require ("embrace" is the dumb ass buzzword I hear) and get the benefit of the employee always being available, save hundreds on a phone and a lot on a plan, and have control of the device.

Re:No

[lsatenstein]

good network security such as MAC registration

MAC addresses are quite public, static, and easily fakeable information, they are by no means a "good" way to authenticate devices.

A new security feature is randomizing the mac id, and insuring the randomised mac address is distinct from the hardware mac. Every relog in to a system will generate a new fake mac.

A Story about BYOD

I used to work at BlackBerry. Obviously a company serious about security for corporate customers with BES.

We would meet with those customers, and gather requirements about what features and security they needed. We'd review laws and industry rules, and we built software to meet those needs.

IT departments said:
- We need to be able to control what applications can run on devices
- We need to lock down the device and remove applications like messaging
- We need to prevent copy and paste. We need to turn off lots of features.

So we built these things. We let them lock down the device. That's what the laws said, and that's what our customers wanted.

Then some executive would ask, why am I carrying around two phones? And why are we buying people BlackBerry's when they have iPhones or Androids. Why can't I cut and paste?

And then execs started to realize how much money they could save by getting employees to use their own phones.

And security went out the window. BlackBerry, listening to their customers, dug their own grave.

Re:A Story about BYOD

[110010001000]

Actually this should be modded up. You should never implement what customers say they want. You should find out what they want. And definitely don't ask the IT people. They have a very narrow view of the world.

Re:A Story about BYOD

[zlives]

blackberry dug their grave by assuming their lead will never be taken over and to turn a blind eye towards innovation, convenience and just the plain old shiny.
they are trying to dig themselves out a bit now... ( i am a BB user) and users are realizing security may even be necessary.
lets see how it shakes out.

Re:A Story about BYOD

Actually this should be modded up. You should never implement what customers say they want. You should find out what they want.

They want it all. Oh, and fuck you if you don't bring it to them. Next question.

And definitely don't ask the IT people. They have a very narrow view of the world.

Yeah, can't imagine the highly trained technical staff corporations employ to keep them running would have a fucking clue as to why you would want to implement a secure solution on a highly portable device with internet access, bluetooth, wireless, and a microphone that can be hidden damn near anywhere.

Blackberry would still have a market niche, if corporations actually still gave a fuck about mobile security. They don't, and I'll never understand that bullshit given the obvious attack vectors on these devices.

Re:A Story about BYOD

[Austerity+Empowers]

IT departments said:

Cover my ass, do these ridiculous things

Then some executive would ask

Why are you doing these ridiculous things? They are ridiculous, employees are in open revolt, are not reliably carrying their leashes or are compromising them or outright replacing them. Stop doing these things.

And security went out the window.

A false sense of very corporate bureaucrat version of security went out the window.

BlackBerry

was not listening to its customers, it was listening to their keepers. People who were both requiring employees to keep an electronic leash, but also putting 20kV through it and making sure the choker collar also had spikes. It's not really a wonder the keepers got shot down.

Now I ask, has there ever been a time when "the data" was secure, even before BYOD, before wifi, before the internet? Isn't this just some insane paranoid fantasy in most cases? I've talked with older coworkers about how certain things were done before the internet, and not surprisingly found that security was more lax then than it is now, but about as easy to get around if you wanted to. It ultimately relied on employees to exercise judgement, and sometimes some employees exercised poor judgement (intentionally or otherwise) and Bad Things Happened. Someone was blamed, someone got fired, new ineffective policies were created but never invalidated because it would be years before next major Bad Thing Happened. On the whole, employees don't knowingly shit in their own beds, and hackers don't normally bother with corporate dregs because they know Joe Bob in data analysis probably has a very limited and possibly misleading collection of valuable data. What they really want is SVP Joseph Bobertson, who carries very little data, but all of it of extreme utility. It is only by the power of paranoia and hyperbole do we believe that every note, and every spreadsheet Joe Bob creates must be 100% corporate value.

Re:A Story about BYOD

[DeathSquid]

BlackBerry, listening to their customers, dug their own grave.

No. The market has spoken and the vast majority of customers clearly do not want what BlackBerry built.
Blackberry was listening to someone, but it obviously wasn't the people who made the ultimate purchasing decisions.

This is a very important business lesson. Understand who your customers really are. They are the people who will pay money for your product or services. This sounds simple, but there are often many entities that look like customers but aren't really. The IT department who claims to represent customers may or may not be aligned with them. How will you find find? Talk to the customers.

Re:A Story about BYOD

[jgtg32a]

In the end their security may very well be crap, but have you seen the competition?

Re:A Story about BYOD

[jonhorvath]

There should be a new slogan

"Attempting to secure everything will guarantee nothing is secure."

BYOD has been a fail boat since always

[Karmashock]

all of this because idiots want to play angry birds on the corporate network.

BYOD needs to be killed with fire

It's a scam.

[SuricouRaven]

Buy Your Own Device. It's a means to allow your employer to skimp on the hardware expenditure and get you to unwittingly pay instead, and feel empowered for it. You don't even get to keep your device for personal use, as security requirements demand the employer maintain control over it so long as it is used for business purposes.

Re:It's a scam.

[JaredOfEuropa]

Not this argument again. In most places I've seen implement BYOD, it always started as an optional scheme. Get a company Blackberry if you're eligible (same rules as before), or get your corporate mail, calendar, contacts and certain documents on your own phone. Or you can have both. And when such a scheme launched, pretty much all the execs dropped their company BB and started using the Android or iPhone they already owned. In some companies the Blackberries all but disappeared in a few short monts.

Re:It's a scam.

[Chris+Mattern]

And when such a scheme launched, pretty much all the execs dropped their company BB and started using the Android or iPhone they already owned. In some companies the Blackberries all but disappeared in a few short monts.

So, because the execs are technical idiots who don't understand that they're handing over the keys to their personal life at their own expense, I should do the same?

Re:It's a scam.

[Locke2005]

Buy Your Own Device doesn't save money because it is unsupportable; supporting every possible piece of hardware costs more than just giving every employee a cheap smart phone.

Re:It's a scam.

[JackieBrown]

Buy Your Own Device. It's a means to allow your employer to skimp on the hardware expenditure and get you to unwittingly pay instead, and feel empowered for it. You don't even get to keep your device for personal use, as security requirements demand the employer maintain control over it so long as it is used for business purposes.

I haven't worked for a job where I was not allowed to use my BYOD for personal use. It was a pain that they could remote wipe my phone, but with Android and root, it was pretty easy to block that ability.

My new job uses GOOD which sounds good in principle - a sandboxed corporate environment that doesn't interact with my personal stuff. Problem is that GOOD checks for root and I'd rather use adaway and lug my laptop around than get work emails/calender on my phone. There is an old version of GOOD that I can use along with a xposed module but that version no longer works very well with my phone (it freezes allot).

Re:It's a scam.

[germansausage]

Um. No. You're doing it wrong. The only thing my employer gets to keep control of is the company email on my phone. He can remotely delete it at any time. The rest of the phone and my own email and all the apps, data, and media on it belong to me and my employer has no way to access it. He pays half the monthly bill and any work related extra costs like roaming when I travel for work. Seems fair.

Re:It's a scam.

[JesseMcDonald]

It was a pain that they could remote wipe my phone, but with Android and root, it was pretty easy to block that ability.

Where I work, rooting an enrolled device, or otherwise taking steps to circumvent the device policy, is a violation of the terms you must agree to to enroll in the BYOD program. Devices which the employer cannot remote-wipe are not eligible for the program, regardless of the reason. It's probably the same at most other places. Is the cost and inconvenience of a separate work device worth losing your job over?

Sigh

[Billly+Gates]

At the end of the day the users always win anyway. IT just has to suffer and endure

Ah, How about NOOOO?!

Now people or companies don’t want to necessarily pay for the laptops, well the users want to use their own laptops--there you go.

If I need a laptop for work then my employer needs to buy me one.

If I need a cell phone, my employer needs to buy me one AND the plan. Track what I do on their phone? No fucking problem from me.

We are NOT carpenters, plumbers, mechanics, or tradesmen (or are we now?) where we have to supply our own tools. But if an employer insists that I use my own phone for work and if gets hacked well, that's THEIR problem and THEIR fault.

Re:Ah, How about NOOOO?!

[Architect_sasyr]

Why should a plumber or any of the others need to supply their own tools anyway?

Re:Ah, How about NOOOO?!

[Chris+Mattern]

Because they'll look pretty silly showing up at the work site without them, because then they won't have any tools to work with. This is the standard for any physical laborer or mechanic. This works for them, since there's no need for the worker to link his tools to anything of the employer, and the worker does better with tools he has selected and is familiar with. Doesn't work that well for IT, where the tools need to mesh closely with the employer's setup to work.

Re:Ah, How about NOOOO?!

[Architect_sasyr]

Except surely the argument then is that my laptop, which has been configured to my tastes with my installed programs etc. etc. is a more viable tool for use than a work supplied laptop - pro BYOD.

Re:Ah, How about NOOOO?!

[Chris+Mattern]

That is indeed a cogent argument in favor of BYOD. In fact, it's my opinion it's the best argument in favor of it. But to my mind, it fails because a computer needs to be more closely integrated to the employer's systems then a manual worker's tool--a fact which is only made worse by the fact that those systems aren't standardized the way building hardware is. Even if an IT worker is moving from job to job the way a manual laborer does--and admittedly some do--the different set ups from job to job means he can't use the same tools the way the laborer does. And a worker's tools don't involve his personal information.

Re:Ah, How about NOOOO?!

[BradMajors]

The difference is between being an employee versus being self-employed.

Re:Ah, How about NOOOO?!

[Chris+Mattern]

My point--in the manual worker's world, there are industry standards he can rely on and will be followed. You mention a case where there are two different standards and you have to follow the right one. In IT you may never see the same standards twice.

Not even company mobile on the wifi

[magarity]

Heck, where are these people working with such lax security? Here at a health insurer, I can't get permission to put my company issued smart phone on the company wifi, never mind a personal device.

Which BYOD are we talking about?

[damn_registrars]

Build Your Own Datacenter?

Bring Your Own Device?

Build Your Own Dessert?

Bury Your Own Dead?

I think we could have had an expansion of this acronym in the summary, just for clarity...

Re:Which BYOD are we talking about?

[cHiphead]

Bite Your Own Dick, obviously.

Re:Which BYOD are we talking about?

[Locke2005]

Bring Your Own Dope -- the Santa Cruz Operation official corporate policy. Actually, BYOD obviously refers to Bring Your Own Device for the purposes of this article.

Re:Which BYOD are we talking about?

[stub667]

Its a very common acronym for Bring Your Own Drinks around here, where you bring your own booze and a restaurant charges a corkage fee. I imagine it does adversely affect security.

Yes

[countach44]

If it is a needed tool for work, the company should provide it. I have many coworkers whose only phone number is their work phone, only laptop work laptop, etc... It may seem like a convenience, but when your employer has the ability to always contact you because you use that cell phone for personal purposes, it's not so convenient.

Re:Yes

[swb]

People who use their work phone or laptop for personal use are stupid.

But the process for me works in reverse -- it's my damn phone, so I will decide how it will notify me of new messages (guess what, my VIP list includes no work addresses), when I will turn it off, what apps I will run on it, etc.

My wife got a new iPhone from work and was wondering if she should get rid of her personal one. I told her "do you want them to see your personal information? what happens when they fire you and you lose the number?" It was pretty hard to convince her to keep her personal phone.

Re:Yes

[Austerity+Empowers]

employer has the ability to always contact you because you use that cell phone for personal purposes, it's not so convenient

At a certain level this is part of the job, and assumed with the salary and benefits. It's not that high, a developer or engineer may have no direct reports, but compared to someone that works in the factory or the sales floor has a significantly greater responsibility and is expected to at least answer a phone call outside of normal work hours. You can carry two phones and drive yourself nuts, or carry one. If the cost becomes significant, you can expense it, I've never been shot down for that. But why deal with multiple devices, isn't that more complexity to deal with?

The one reason i can think of is because I don't trust my IT department, I know they have spyware/malware installed and are busy dicking with my machine. If that is not an issue (as it is in most sensible places), then it's really just more of a headache to deal with dedicated machines and saves me no actual time, and beyond faux ideological principles, does not give me anything back.

Re:Yes

[ILongForDarkness]

Have people never heard of email/call forwarding? Leave your work phone in the office, forward the calls to your personal number. Is it that hard?

I've never carried a work phone or been on call without compensation and refuse to do so. The only reason it is "assumed with the salary" is because people refuse to ask: and what will I be being paid for those hours? Never got a huge amount of money but about 100-150 for a weekend or so + 1.5X time if I actually got a call for a minimum of 4 hours pay. Ie you call me and it takes 10 min to fix I get my $100 oncall + 6hrs pay. You have to make your personal time expensive so your employer doesn't feel free to waste it.

Re:Yes

[Austerity+Empowers]

Those things are usually against company policy, but policy here can be effective because IT can easily trace this, and I'm not clever enough to figure out an excuse why it's a good idea to forward company email to personal accounts over insecure links. I suppose I should look to Hillary Clinton? I actually don't think that's a good idea, when I can do something better with VPN on my personal phone. Particularly since much of my email requires a "secure link" from/to our vendors (VPN has been determined to be secure, in 3 out of 4 past employers, and we simply ignored that fourth one's policy since we COULD plausibly defend it).

By contrast BYOD (legally or no) and installing shit on company property is much less traceable and easily defensible. IT is a CYA organization, they have neither the skillset nor background to evaluate "business need" for any set of applications employees have, and rely on user teams to elaborate such a list. User teams have little concern for IT's CYA policies, time to deal with the process, and do not keep active lists, nor are rigorous with vetting it although such lists exists for our own CYA. So basically unless the app is called "hooters&poon" it's pretty easy to ignore policy. Sensible companies stopped managing employee laptops 5 years ago, my current one doesn't even try, other than an asset tag no one has any code or backdoor access to my mbp, and I have my own image installed on it to be very sure. This of course requires users who aren't abject morons and who have used a computer, but somehow my past two employers managed to do this just fine, it still boggles my mind when my IT friends insist that without all of Windows' big brother nonsense their job would be unmanageable. I haven't had a windows machine at work in 8 years, but we somehow manage to make money.

As for salary for hours, it is a constant negotiation. I benefit strongly from flexible hours and the ability to commute outside of rush hour (and to be able to take kids to/from school), so it's not a major hardship for me to answer calls, get on conference calls, do occasional travel or even to work at other hours. I put in what I feel is appropriate and performance reviews decide if it's acceptable. If it's more than I can give and what I think I can get elsewhere, then it's time to move on. I've found that all companies expect 100% of your time, so generally you find the one that pays the best and try to be reasonable. If a company wastes my time with a lot of overseas nonsense and conference calls, then I am generally less willing to put in extra hours: you waste my time, I will get it back. If a company wants to give me a contract and outlines every last job detail, it tells me that's a job I probably do not want anyway, it's going to be a lot of administration and policing and not a lot of profitable work for either party.

Yes

[Locke2005]

I worked for a company whose official policy was that email accounts could be left logged into on company owned laptops (which would require a password on bootup) but not on employee owned devices. They used corporate gmail, and when I pointed out that gmail had to be logged into in order for google calendar to remind me of the meetings I was scheduled for, the CIO told me (via email) that that was a violation of company policy. So I stopped doing it, but all my coworkers continued to leave their phones logged in to gmail -- they had positive deniability, but I no longer did.

Re: Wrong question.

[ShieldW0lf]

They could use X

BYOD works for me.

[onkelonkel]

BYOD works fine for me. I own the phone, I manage the voice and data plan and the company pays for half. This definitely works out in my favor. If I travel out of the country the company pays for the roaming plan. At work I use the company guest wifi to save on data use. I had to install some kind of app so they can wipe the company email if I lose the phone. My personal email is completely separate. The company has next to no issues supporting me. I don't have to carry two phones. Everybody wins.

I'm not going to carry two phones.

[DeathSquid]

I'm not going to carry two phones. For some people that might be OK, but I've only got so much pocket space and room for chargers at home.

Since I will be using the sole phone I carry for personal use, I have some set-in-stone policies:
1. I get to choose the phone that suits me best.
2. I update the hardware according to my convenience and requirements.
3. The device is completely controlled by me for security and contractual reasons.

So long as a company complies with those policies, I am quite flexible about everything else. I'm happy to be non-contactable out of hours, if the company wants. I'm happy to BYOD so long as I am properly recompensed. I'm happy to have the company supply the phone.

My consultation algorithm:

[Ungrounded+Lightning]

1) Confer with the client. Find out what he wants. (He'll tell you what he wants ADDED to what he is replacing.)
2) Research the client's current operation: Consult his underlings, especially the front-line workers, who know what's REALLY going on. Make friends with them and try to help them out, too. Find out what he currently has. Figure out what (you think) he needs.
3) Propose to the client that he should want what you think he needs.
4) After he's had a chance to think about it, design and build what he NOW wants (which may be what he wanted before, what you think he needs, some mix, or something off in never-never land that he thought up after seeing what you came up with).

  * Maybe he'll come around to your design and think you're the best and brightest consultant to ever come along. Build the spiffy thing and everybody's happy.
  * Maybe he'll want something other than you think he needs. If so:
          * Maybe he's right and you're wrong, because he understood something about his operation that you didn't. Doing it his way might turn out to be better than doing it your way.
          * Maybe you're right and he's wrong, but it's his company and he's paying the bill. He had his chance and rejected your suggestions, so it's on his head. Build the goofy thing and laugh, or sigh, all the way to the bank.

California BYOD laws - sigh

[billstewart]

California law says that companies can only let you use BYOD if they're providing you with equipment and service plans. The assumption is that companies will try to rip off their employees by making them bring their own devices, so it should be forbidden. While I understand that, it means that I can;t just bring my own iPad/Android tablet to work to use as an alternative to the company laptop unless the company also buys me a work phone. (Sigh. Eventually they did that, but the IT department's support for Android has never been as good as their iPad support... So I've occasionally had to haul the laptop on a trip instead of just the tablet.)