In an office somewhere in Sydney, a mobile phone beeps and is checked. It’s a tech support email for an HR manager with a request to change her corporate password. She clicks irritably.
Meanwhile in Melbourne, a co-worker downloads software from the internet to his new laptop while copying sales forecasts from the corporate servers. One of his free video players offers an Adobe Flash update, and he clicks the flashing text.
These security incidents may be fictitious, but this kind of do-your-best policy is live at a very real Australian company. This is no small business: it is one of the country’s biggest insurance agencies, which has, astonishingly, granted 25,000 staff full administration rights to install any software they like on their work machines and to connect all of their personal devices to the corporate network.
With little collective will for change in tech support, the company’s IT decision makers responded to the bring your own device (BYOD) trend by telling staff they could do as they wish – at the risk of being unsupported.
At another Australian insurer, employees batter away on their well-used devices, blending personal with corporate data in an anarchic information soup spread across more than 500 applications installed at a user’s whim. This is bring your own application (BYOA) in full swing. Each of these apps may or may not have access to the corporate network and could ferry both sensitive and benign data to clouds located all over the world.
These are gigantic security risks – which CRN has agreed to keep anonymous – because every staff member, every device, and scores more personal apps represent holes in the corporate network. It is a dramatic but by no means isolated indicator of the challenges that BYOD or BYOA – or BYOx, to combine the two – can bring.
Driven by the consumerisation of IT, BYOx is inevitable for almost all organisations other than spy agencies – although even the National Security Agency has its own fleet of custom-hardened Android phones it calls Fishbowl.
Yet BYOx introduces security risks because uncontrolled and non-standard devices brought onto the corporate network can bypass perimeter security. Attackers need only compromise a staffer to get onto the network, avoiding any need to find and exploit vulnerabilities in enterprise technology.
Breaching the corporate network through personal devices could be as simple as compromising a staff member’s home computer. This could be done while they browse popular news sites, which may inadvertently be serving up trojans slipped into paid advertisements.
Reducing the number of standard operating systems and devices makes sense in terms of cost of management and security defence, says Sydney-based consultant and veteran former security chief Marcel Sorouni. But he says too few organisations have a hold on essential IT security and the infrastructure running on their networks, let alone those brought in by staff.
“The fewer standard operating environments you have, the better it is for IT in terms of administration and patching because it means you can push out updates and patches all at once,” Sorouni says. “Each app is a potential entry point into the organisation and if you don’t know what apps are running, it means those apps are unsupported and patching is left up to the user.”
He finds many corporate IT shops are run by staff who lack strong knowledge in security and have mostly practical experience. When it comes to new initiatives like BYOx, security is an afterthought. The policy may be left only to paper and not enforced.
“Think about a travel policy. What if an employee ignored the policy and decided to book first class, eat caviar and sip French champagne, then submitted their expenses? Why is it that you cannot get away with that but you can when it comes to security policy? You can because it’s not enforced.”
Ken Pang, security strategist and chief technology officer at Sydney managed service provider Content Security, identified two predominant risks of BYOx: the loss of a device and the loss of corporate data to cloud services. “Big events like the recent nude leaks from iCloud should have been a wake-up call to all CIOs and CISOs,” Pang says.
“It’s a trivial task to harvest email addresses from your company and use them to try to brute force Google Drive, Dropbox and iCloud accounts. And unlike nude celebrity pictures, stolen data is unlikely to be publicly distributed – it’d be sold on the black market without you knowing.” Identification of cloud components within apps is key, he says.
Beyond security, BYOx presents issues of support and collaboration when users demand different devices and apps and comfortable homogeneity becomes grating heterogeneity. “Support and collaboration are two problems that IT managers are facing. When the IT environment becomes fragmented because every user wants to use a different application or device, it can become difficult to support.
“It can also be a challenge when half the company wants to use Facetime because it’s the preferred Apple video conferencing application, and the other half can’t because they’re on Android or Windows mobile.”
While restricting or banning BYOA can impact productivity and end user satisfaction with IT services, allowing a free-for-all can do the same thing – and cause security issues to boot. The happy medium lies in vetting the applications that end users have indicated they want to use, and refusing to support or allow any application that has not been vetted.