Even the government acknowledges that it can’t prevent the use of personal devices for work-related functions, reports Marcos Colón.
With more than 60,000 employees, Cisco Systems has embraced the bring-your-own-device (BYOD) phenomenon, defined as the burgeoning penetration of personal smartphones, tablets and laptops into the workplace.
Steve Martino, the company’s vice president of information technology, says almost 60 percent of Cisco employees have at least one mobile device connected to IT services, not including laptops, and more than 15 percent have more than one handheld that they use for job responsibilities. In terms of the benefits of deploying such an environment, the costs saved by Cisco for not issuing the devices itself are last on Martino’s list, which may be surprising to some.
Instead, employee productivity and engagement take the lead, he says. “Users who have the freedom of choice to bring their own device, are seeing about 30 minutes a day [of] greater productivity than those that are using devices they’re not comfortable with,” Martino says. “I think it’s comfort, it’s familiarity and it’s also time and place. Where and when they can use their device. Those are the two drivers.”
Like at Cisco, many enterprises around the world are finally taking note of the advantages that mobility adds to their business. By now, security professionals are quite familiar with the BYOD term, and while the wave of mobile devices flooding the workplace wasn’t initially welcomed with open arms by those charged with protecting enterprise networks, it seems as though organizations at every level believe there’s no choice at this point but to embrace it.
Many concerns revolve around the additional points of entry available for cyber criminals, increasing the likelihood of sensitive data extraction or creating disruptive scenarios that could be extremely costly for enterprises. And, with looming threats and an increasing number of threat vectors, security pros are faced with a big decision: to lock down or not to lock down. There are pros and cons, many say.
Threats are always present no matter which type of environment is deployed, says Lawrence Reusing, general manager for mobile security at Oakdale, Minn.-based data security firm Imation. He says it’s only a matter of time before enterprises have to step up to the BYOD challenge at hand.
“At this point, I’d say that a significant proportion of enterprise and government organizations have accepted that BYOD is here now and is inevitable,” Reusing says. “They assume that it’s necessary for organizations to support employee-owned devices.”
A multilayered approach
BYOD adoption consists of a multilayered security approach that includes protecting the content on the device, ensuring that the applications running on it are trustworthy, and providing strong authentication services directly through it, says Bret Hartman, CTO of Bedford, Mass.-based provider of security, risk and compliance management solutions provider RSA, the security division of EMC.
“Something that’s important to remember is that when we think about securing the mobile devices, there’s always two halves to the equation,” Hartman says. “There’s the client/device side, and then there’s the server side.”
Hartman says a smartphone or tablet could have the proper security attributes in place, but if the right security mechanisms on the server side aren’t able to validate those things, then only one part of the equation has been solved.
While not every enterprise may be fit for a BYOD environment, Hartman says that most believe they don’t really have a choice. Even government institutions, known for their highly sensitive data and lockdown stance, are in search of security solutions for mobile devices.
Further, when it comes to employee-owned devices, one of the major concerns for the enterprise is the apps in use. With apps constantly being released and employees downloading whatever catches their attention, there’s a new obstacle: bring-your-own-software (BYOS), says Domingo Guerra, president and founder of Appthority, a San Francisco-based mobile app risk management company.
“What’s driving the consumption of these devices is not how cool the device is, it’s how many apps the device can play,” he says.
Thus, the security focus should be geared more toward the apps, rather than the device itself, since the apps host a majority of the vulnerabilities, he says.
“[The apps] are what do the violations of privacy or the mismanagement of username and passwords,” Guerra says. “They present the way to break into the corporate server, not the device itself.”
Although mobile device management (MDM) software and mobile app management (MAM) solutions can block any app an administrator deems is unsafe, Guerra says it’s difficult to determine which is benevolent and what is unsafe.
“Companies need the ability to be able to differentiate by job role, then be able to categorize those apps,” he says.
Apprehensions live on
According to IBM’s “2011 X-Force Trend and Risk Report,” mobile threats are at the forefront of criminal trends. The study examined public vulnerability disclosures from more than 4,000 clients last year. Although there is progress being made against cyber threats, according to the study, attackers adapt quickly to the seemingly ubiquitous reliance on mobile devices. As a result, these tools are fast becoming a major target.
For instance, McAfee’s “2012 Threats Predictions” reports that this year is expected to see miscreants all over the world continuing to improve their cyber attacks on mobile devices.
Security professionals are well aware of the rise in mobile malware, says Caleb Barlow, director of application, data and mobile security for IBM. The biggest concern he hears from customers is the lack of visibility of what’s actually going on in a particular employee-owned device.
“I think this will be largely regulated by the speed in which we find ways to secure the applications,” Barlow says. “If we can secure the applications, even if the device is stolen or hacked, then people will have less of an issue with BYOD.”
When it comes to the benefits of BYOD adoption in today’s enterprise, cost savings along with an increase in employee productivity are two of the characteristics most commonly mentioned. However, Barlow says workers who are able to bring in the latest technology can offer the business a real competitive advantage.
“These things foster innovation,” he says. “By having a culture that is heterogeneous, we’re facilitating a whole market here for innovation opportunity.”
[An earlier version of this story incorrectly stated that there were over 100,000 employees at Cisco, when there are actually 65,223].