‘Shiny Toy Syndrome’
With employee-owned phones, a not-so-cool security risk
While tech-giddy employees are prone to fawn over every new iThing smuggled into the workplace, devices that are often used in violation of company policy, Information Technology (IT) security pros see something very different: a security breach waiting to happen.
For security, the hard fact is that many of these unauthorized devices can slash gaping holes in a parking business’ security system in a nanosecond, exposing company data and applications to hackers.
Indeed, even devices that have been authorized for company use are keeping security IT up at night, since the company’s current network software may not be designed to handle some of the newer smartphones and tablets.
“Bring Your Own Device can be a double-edged sword for enterprise IT departments today,” said Zeus Kerravala, Principal at ZK Research. “On one hand, there are great productivity gains to be had by enabling workers to use their own devices on the business network. On the other, provisioning, securing and managing those devices are a nightmare for IT.”
The reason? Parking firms can safeguard their company networks only when they know ahead of time what kind of smartphones and tablets will be logging into the system.
Add a new smartphone on the sly, with an unfamiliar operating system and apps that may be riddled with viruses, and all of security’s carefully built defenses can be shredded in an instant.
Even worse, the security tsunami created by unanticipated gadgets is expected to grow only more ferocious in the coming year, tech experts say. These days, 48% of smartphones in the workplace are chosen by employees rather than IT departments, according to market research firm Forrester.
And those employees never stop to consult IT about whether the company’s computer pros can secure those phones.
“The consumerization of IT, sometimes called ‘Bring Your Own Device’ or BYOD, is one of the newer causes of data vulnerability,” said Mark Harris, a Vice President at Sophos (www.sophos.com), an IT security firm.
Meanwhile, security pros such as those at Wisegate, an invitation-only social network for key players in IT security, also have special concerns about the widespread proliferation of unauthorized Android devices.
“Wisegate members are leery of the Android application marketplace because it is too uncontrolled,” its researchers wrote in a recent report. “Neither the developers, nor the applications, are screened and vetted. So it’s very possible that applications could present a security risk from viruses, malware and other vulnerabilities.”
In addition, the blurring barrier between business and personal technology is causing more than a little hand-wringing when a smartphone or other device suddenly goes missing, and company legal and IT are forced to inform an employee that the entire device must be “wiped,” or erased of all data, both business and personal.
While companies generally ask employees to pre-approve such wiping in the case of device loss, Wisegate wrote that such agreements sometimes don’t hold up in court, even if the agreements are in writing. It cites a case in its report in which an employee sued — and won — against an employer who decided to wipe a lost device that was brimming with company data.
“Despite having signed a company policy agreement, the employee won the case because the court decided that too much time had passed between the affirmation of the policy and that data wiping,” Wisegate researchers wrote.
Fortunately, there is some solace in “Shiny Toy Syndrome.” Apparently, employees are so enthralled with their own smartphones, 48% are currently more than happy to pay the entire cost to bring that phone to work, as long as they can choose the exact model they want, according to Forrester. And an additional 9% are willing to pay at least some of the phone’s cost for the same privilege.
Moreover, the same holds true for employees picking up the tab on voice and data plans. Forrester said 40% of “I-want-my-own-phone” users are willing to pay the entire monthly bill in exchange for personal choice. And another 14% are willing to contribute to at least some of the cost.
Bottom line: With the torrent of employee-owned phones in the workplace – both authorized and unauthorized — showing no signs of abating, security IT consultants said it’s imperative for any company caught in the current to establish a crystal-clear Bring Your Own Device Policy.
Keys to that policy, according to Wisegate, include:
• Invite Everyone to the Policy Bake: Parking businesses will get easier buy-in if everyone to be impacted by the policy participates in its creation. For BYOD, that includes IT people, human resources, legal and staff department heads.
• Shop Security Solutions Thoroughly: The good news is that security solutions providers are well aware of the BYOD security threat, and have been busy coming up with solutions.
• Allow Only Email That Resides on the Network: Make sure employees can view company mail on their smartphones and similar devices only when they sync with your company server, and cannot download or store copies on the device itself. Under that scenario, if they lose their phone, their email stays safe and secure on your company mail server.
• Define Sensitive Data: You’d think this would be a no-brainer. But then again, if you don’t define what’s meant by sensitive company data, the first line you’re likely to hear from a hapless employee is, “I didn’t know.”
• Get Explicit About Photos: With cameras on virtually every smartphone, companies need to clearly define what workers can and can’t snap. Essentially, you don’t want pretty images on Facebook of products that are in development, company whiteboards, trade-secret work areas and the like.
• Be Careful Where You Wipe: Dealing with lost/misplaced smartphones and other devices may be easier if you buy software that allows you to wipe business data only, while preserving personal data. Of course, that approach could also create its own headache, because many people mix their personal and business data within the same application, and sometimes even within the same folder or file.
• Insist on Timely Notification of a Loss: You’d think that an employee would be smart enough to quickly report a lost smartphone or tablet. But then again, you’d expect that employee not to lose the device in the first place. Be sure to secure the promise of timely notification of a loss in writing.
• Encourage Employees to Vote Early, and Often: To protect against employees who “sign-and-forget” BYOD agreements, require employees to re-sign such agreements every six months. Such precautions could insulate your firm against “I-forgot-I-signed-that” laments and lawsuits.
Joe Dysart, a veteran Journalist, Speaker on IT and Website Design, and a Business Consultant based in Manhattan, can be contacted at firstname.lastname@example.org.