Bring your own device – An Infosec issue?

I have been thinking about the Bring Your Own Device (BYoD) issue for quite some time now; indeed, I am even speaking at a conference in the near future on this very topic. The same question keeps popping up in my mind but seems to be ignored by most of the infosec media: is BYoD an infosec issue? Certainly, if you read the media they will tell you that it is, with big fines being levied (maybe) for lost or stolen devices and huge security issues if your employees are allowed to use their own kit.
However, I beg to differ. Sure, BYoD has a security angle, but if we examine all the stakeholders it is clear that security is not the main one. Another issue is that most of the BYoD stories that you read are either from the USA or from small companies based mainly in the UK. Companies that trade across the EMEA region are often forgotten in the rush for “shiny things”, as are the issues that can occur when you start to deploy such a policy across multiple jurisdictions, especially with the local implementations of employment law, works councils etc. that we have in Europe. Please note that I am not going to link to each and every piece of employment law that I mention below. Most of it is in local languages, and linking to each one would make this a magnum opus; just use this as reference material.
Let's look at the stakeholders one by one:
1. Information Security – has responsibility for the data and access
2. ICT – has responsibility for the device itself and supporting software
3. Human Resources – has responsibility for the usage of the phone and any personnel-related legal conditions
4. Legal – has responsibility for compliance with legislation
5. Finance – has to make sure that someone pays the bills
Of the stakeholders above, it is really 3, 4 and 5 who have the most to lose from an improperly implemented BYoD policy. Let's examine them in more detail one by one.
HR: depending on how your organisation is set up, HR is probably responsible for remuneration, benefits and compliance with employment law. Allowing employees to bring their own device opens up a whole host of issues. In some EU countries the law is such that you must provide all the tools that an employee needs to do their job; you could therefore end up with a bill for smartphones if you allow them and the employee can then claim they are needed. Additionally, imagine you do not provide smartphones to some levels but allow them if an employee wants to bring their own. A certain employee discovers that they can be more efficient (or are perceived as more efficient) due to their smartphone. This is not all that far-fetched if you have service personnel who get jobs from a central system: imagine one employee has to log in and get the jobs one by one, whereas one with the latest device can see more than one job and schedule better. You could easily end up in a situation where you cannot reward the employee who was more efficient, as the tool they were efficient with was not an official tool.
Another area that comes up on the HR plate surrounds “essential users”, that is, users who need a mobile device as part of their job. Think again of service engineers: they typically have a set vehicle if they need certain aspects of the vehicle for their job (carrying capacity, for example), and they also have a dependence on their device such that if there is an issue with it they cannot work. Will these users be allowed to bring their own devices? Will you have a pool of devices to hand out if a personal device breaks and cannot be replaced?
HR is probably the largest area of issue, but your exposure to it will vary depending on how your workforce is made up, the countries you operate in and many other factors.
Legal: apart from the crossover issues stated above, there are many potential pitfalls. One of the largest will surround ownership, particularly of the data. Unless you have a solution that can enforce encryption and other security settings (and you would be crazy to deploy without one), there are massive issues if an unencrypted device is lost and is found to contain sensitive data. There are also issues around data ownership, monitoring and interception. All of these will need to be resolved for every territory you intend to roll this out to.
Lastly, finance, or whoever will be picking up the bills. Some companies roll out BYoD by stating “here's 50 EUR a month (or whatever); if your bill is higher, it is your own problem”. This works if employees do not travel and make predictable use of their phone. Imagine, however, an employee who travels between countries. Now the data and call costs can vary quite a lot. Will you allow employees to put in their own SIMs? Will you enforce that they can bring their own device but must use a company SIM? If you allow (or force) them to take out their own mobile contract, how will you perform cost control? Will 10,000 individual contracts really be cheaper than one contract with 10,000 numbers allocated?
I started this post by stating that BYoD is not an infosec issue, and I stand by that premise. Sure, there are data security issues, but products can easily resolve them. Go get the Gartner Magic Quadrant and choose your poison; the real issues lie elsewhere.
By the way, you might have noticed that I have written this post about BYoD and then focused on mobiles... well, laptops and desktops will be included as well (eventually), and they have a whole host of issues too. Stay tuned for a blog on that extension.
Posted 02-01-2012 11:04 AM by QuentynTaylor