back to article Will security concerns scupper your BYOD policy?

Almost everyone involved in IT fears BYOD to some extent. That’s largely because they are terrified of careless colleagues costing the business a shed load of money. But small to medium sized businesses who lack the budget and resources to do security well fear BYOD more than most. Just this week, Hugh Boyes from the …

  1. jake Silver badge

    "Indeed, BYOD is for life, not just for Christmas."

    Actually, YOD isn't allowed access to any network belonging to any corporation with any concept of corporate security.

    Choose your retirement portfolio well, don't disappoint your spouse & kids :-)

    1. Peter2 Silver badge

      Re: "Indeed, BYOD is for life, not just for Christmas."

      Exactly.

      Security concerns aren't going to scupper my BYOD policy, because the policy in question reads "BYOD is never going to happen".

  2. Cipher
    FAIL

    Fail of epic proportions...

    BYOD is a disaster waiting to happen, a question of when not if. Every security practice you have is negated at a fell swoop. Windows machines with UAC set to admin facing the internet all over your network, managed by end users with no clue.

    What's to stop a ramsomware package from detecting network shares and then sitting dormant until the share is accessed?

  3. The_Timelord

    BYOD , Bring Your Own Disaster.

    The reason ?

    When push comes to shove :

    The accused individual cannot prove in Court that he/she did .NOT. 'leaked or abused' the company Information but it was due to a power failure of the company server.

    Explanation :

    From my discussion

    Who can guarantee that a fully trusted employee ( scale 6.6, fig.#1 Gartner Index *** ) unwittingly links his BYOD to a public WiFi of his private ISP?

    There are only a few security settings, which change his device to BYOD.

    Besides that , which company has internal knowledge to do it according to QS ?

    Example:

    The local supplier for BYOD (in company cloud) gets a brownout c.q.blackout.

    In that instance ( µ sec's) the Device searches for any transmitter.

    Company cloud is offline , public cloud confirms.

    All Data , in RAM or Redundant, are synchronised with the public cloud.

    Folders are auto installed , all available company data is copied to outside ISP

    ALL sensitive data is paralleled.

    And that is what they call Safety and Security !

    Never according to our global QS standard.

    Policy : check own device at the gate, Company issued only.

    ======

    Why ? Who gets the blame ?

    The employee CANNOT prove this techno_failure in any court !!....Ergo?

  4. Dodgy Geezer Silver badge

    Why do journalists write about this?

    ... Workers should be made fully aware of the consequences to their personal data should the company decide to carry out a forensic examination of the device or perform a remote wipe, Honan adds. Guidelines to avoid shoulder surfing and eavesdropping should be handed to employees,...

    Er... It's MY device. That MEANS that the company can't fiddle with it or tell me how to use it.

    Quite how you do security in that situation beats me - this proponent seems to think that the way you do it is by giving your device to the company. Why can't someone point out that they're trying to square the circle?

    1. Cipher
      FAIL

      Re: Why do journalists write about this?

      And when your device infects the entire network, what then? When you plug your device into the company network, some of your privacy/rights are given up. By you...

      BYOD is a disaster waiting to happen. One disgruntled employee away from a meltdown...

  5. Mycho Silver badge

    My workplace's BYOD policy is one word long.

    Yes, grammar obsessives, "Don't" is one word.

  6. jaycee331

    Give it up

    BYOD is an epic fail on so many levels. TCO, security, management and as yet never tested in a court of law - legal liabilities.

    The only folk I see pushing it are tin and software shifters as a way to shift more tin and software, and the market "consultants" on their payroll to tell the world what a great idea it is.

    What started off as :

    1] it saves money - no more expensive business smartphones

    ended as, as well, you need 3 software layers to make it safe and manage it, it's only £xx per device to license. Plus the support costs of losing all economies of scale in needing a support a multitude of handsets and OS's.

    2] it empowers the work force being able to able to use their own favourite devices

    ended as, after we've enforced group security policies onto your daily personal use handset, adding on extra apps for sand boxing, threaten you with remote wipe, force all web traffic through a corporate filter and proxy, insist you connect via VPN, the real proposition is to destroy the usability of your favourite personal device

    It doesn't need more debate, study, policy discussion. It just needs flushing back down the shit filled toilet that the idea came from in the first place. And we all know what really prompted this BYOD concept. The VIPs who bought their shiny first gen iPads on expenses then moaned their tits off that they couldn't use it in the workplace. Diddums.

    1. Paul

      Re: Give it up

      totally agree, I have often felt BYOD is really BYOM - bring your own Mac.

      BYOM was pushed by people who don't like having a locked-down windows box which can only do what the company permits deciding they want a shiny Mac to use because it makes them look cool.

  7. gerdesj Silver badge

    What about ...

    A possible BYOD policy might include the requirement:

    "if you have compiled it yourself from scratch - it's more than welcome".

    "It will still only be allowed internet access" is an optional afterthought.

    Cheers

    Jon

    PS I do - compile my own OS n apps.

    PPS I get to set the policy at my workplace

    PPPS Sometimes people notice the policy and give a shit - oh well I have other layers to the security onion

  8. Anonymous Coward
    Anonymous Coward

    Misses point of BYOD

    One of the reasons BYOD is becoming popular is because it eases the use of consultants. They do work for a host of companies and the last thing a consultant is interested in is the IT devices they own becoming a battlefield for competing AUPs.

    "Remote-wipe" is a nuclear scenario for a consultant -- who may very well be working with another organisation of another task months later when some idiot sysadmin at a former task presses that button. So a "AUP" requiring that to be allowed is going to get short shrift from consultants (and even from those who have contracted them. My firm bills out all "overhead" like inductions and reading policies at the consulting rate. I've had a number of customers internally on-bill the reading time for IT policies to the IT Department, in order to make a point).

    When talking about BYOD the focus should really be on the *data*. Simply using a wiki in place of, say, Word for document authoring goes a long way to keeping the firm's data off the BYOD laptop. There's also no reason not to "close out" a consultancy with a member of staff being shown that all customer data has been removed from the laptop (with a short checklist about files, web browser caches, etc).

  9. Shannon Jacobs
    Holmes

    BYOD versus Quality of Life

    My working opinion on this topic is that BYOD for work purposes should essentially be banned. Not because of the security threats (and they are quite real and substantial), but mostly because of the deep conflict with work/life balance. As far as I have heard, EVERY company is at least paying lip service to the quality of their employees' lives, and explicitly admitting their needs to be a balance between work and non-work, but what part of 24/7/365 is a balance?

    From another perspective, if ANY employee is actually that essential to the survival of the company that 24/7/365 availability is required, then the 2nd thing the companhy needs to do is to FIRE that employee. Of course 1st was creating the infrastructure (probably of other employees) to replace that employee, but the employee still needs to be fired to prevent it from happening again. Either that, or wait for the indispensable employee to get hit by a bus, at which time the company will have no option but bankruptcy.

    It's always better to view things in terms of constructive solutions. The mobile devices are actually good, but they are now inexpensive enough that companies should provide them to their employees solely for work-related purposes. At the end of the working day, the employees should be strongly encouraged to turn them off, or even leave them in the office. That's what BALANCE means.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019