Do the Risks of BYOD Outweigh the Benefits?

Steve Hasselbach is a Senior Solutions Architect (AKA Marketing Guy -- but he's also a serious techie) for Peak 10, a datacenter company. In his work he deals with his clients' security problems, and often shakes his head at how security unconscious so many businesses are, even after endless publicity about corporate IT security holes costing companies millions of dollars.

He says, "...it doesn’t shock me anymore, but you’d be so shocked and surprised at how noncompliant this country is in terms of businesses around things like healthcare data and all that." In this interview, Steve talks about how (surprise!) the current BYOD trend is making things worse, but isn't necessarily responsible for the worst security holes, and offers benefits that might outweigh the increased security risks it brings.. (Note: The transcript contains material not included in the video.)

"The transcript contains material not in the video

Then it's not a transcript, is it?

A Story about BYOD

I used to work at BlackBerry. Obviously a company serious about security for corporate customers with BES.

We would meet with those customers, and gather requirements about what features and security they needed. We'd review laws and industry rules, and we built software to meet those needs.

IT departments said:
- We need to be able to control what applications can run on devices
- We need to lock down the device and remove applications like messaging
- We need to prevent copy and paste. We need to turn off lots of features.

So we built these things. We let them lock down the device. That's what the laws said, and that's what our customers wanted.

Then some executive would ask, why am I carrying around two phones? And why are we buying people BlackBerry's when they have iPhones or Androids. Why can't I cut and paste?

And then execs started to realize how much money they could save by getting employees to use their own phones.

And security went out the window. BlackBerry, listening to their customers, dug their own grave.

Re:A Story about BYOD

[110010001000]

Actually this should be modded up. You should never implement what customers say they want. You should find out what they want. And definitely don't ask the IT people. They have a very narrow view of the world.

Re:A Story about BYOD

[DeathSquid]

BlackBerry, listening to their customers, dug their own grave.

No. The market has spoken and the vast majority of customers clearly do not want what BlackBerry built.
Blackberry was listening to someone, but it obviously wasn't the people who made the ultimate purchasing decisions.

This is a very important business lesson. Understand who your customers really are. They are the people who will pay money for your product or services. This sounds simple, but there are often many entities that look like customers but aren't really. The IT department who claims to represent customers may or may not be aligned with them. How will you find find? Talk to the customers.

It's a scam.

[SuricouRaven]

Buy Your Own Device. It's a means to allow your employer to skimp on the hardware expenditure and get you to unwittingly pay instead, and feel empowered for it. You don't even get to keep your device for personal use, as security requirements demand the employer maintain control over it so long as it is used for business purposes.

Re:It's a scam.

[Locke2005]

Buy Your Own Device doesn't save money because it is unsupportable; supporting every possible piece of hardware costs more than just giving every employee a cheap smart phone.

Sigh

[Billly+Gates]

At the end of the day the users always win anyway. IT just has to suffer and endure

Not even company mobile on the wifi

[magarity]

Heck, where are these people working with such lax security? Here at a health insurer, I can't get permission to put my company issued smart phone on the company wifi, never mind a personal device.

Which BYOD are we talking about?

[damn_registrars]

Build Your Own Datacenter?

Bring Your Own Device?

Build Your Own Dessert?

Bury Your Own Dead?

I think we could have had an expansion of this acronym in the summary, just for clarity...

Yes

[countach44]

If it is a needed tool for work, the company should provide it. I have many coworkers whose only phone number is their work phone, only laptop work laptop, etc... It may seem like a convenience, but when your employer has the ability to always contact you because you use that cell phone for personal purposes, it's not so convenient.

Re:Yes

[ILongForDarkness]

Have people never heard of email/call forwarding? Leave your work phone in the office, forward the calls to your personal number. Is it that hard?

I've never carried a work phone or been on call without compensation and refuse to do so. The only reason it is "assumed with the salary" is because people refuse to ask: and what will I be being paid for those hours? Never got a huge amount of money but about 100-150 for a weekend or so + 1.5X time if I actually got a call for a minimum of 4 hours pay. Ie you call me and it takes 10 min to fix I get my $100 oncall + 6hrs pay. You have to make your personal time expensive so your employer doesn't feel free to waste it.

Re:No

[NotInHere]

good network security such as MAC registration

MAC addresses are quite public, static, and easily fakeable information, they are by no means a "good" way to authenticate devices.

Re:Ah, How about NOOOO?!

[BradMajors]

The difference is between being an employee versus being self-employed.