Just as IT professionals and others responsible for mobile security have come to terms with BYOD
Wait, when did that happen?
Just as IT professionals and others responsible for mobile security have come to terms with BYOD, the problem has moved on, with the lines between business and personal activity blurring even more. Against this background, effective management of mobile risk will increasingly require a user-centric approach. Soothsayers …
Actually, we have been tracking this for about 5 years through research (via The Reg and via other mechanisms). In the early days, the majority of IT professionals were doing whatever they could to actively resist BYOD. But it was hard given that the 'culprits' were often senior management and other politically strong groups. The process of 'acceptance' has been a gradual one. I would say we saw the lines cross about 18 months ago.
This doesn't of course mean that IT pros are generally happy about BYOD (though some seem to be), and it also doesn't mean that we see a wholesale shift to BYOD across the board (which would make no business sense for most organisations). It's more that the majority have now come to terms with certain types of user being permitted to use personal devices for business purposes.
Hope that answers your question. There's loads of research on this available on both The Reg and our own site: www.freeformdynamics.com.
Certain types of user? Let's be clear: upper management.
The kind that has always been setting rules for the peons and giving themselves great leeway in whatever restrictions they endure. Internet access has always been uncontrolled for that kind anyway, so it follows that BYOD is also their reserved domain.
In other words, nothing new under the sun. IT has always had to deal with their "special permissions" - BYOD is just another headache among the vast amount imposed by the technically incompetent, walking security disasters that happen to be the ones evaluating the security-conscious and determining whether or not the useful ones get a raise.
Come to terms? Rather, accepted the inevitable reality, covered their backsides with appropriate SLAs, canaries and written conditions... even if nobody ever adheres to protocol, we have to point out the right way to do things regardless of anybody taking this seriously. It's par for the course in IT, as is having zero recourse to correct transgressions on the part of privileged users. We're simply supposed to keep mopping up after them.
My policy: "MDMBFURMOJWBOTCN" or simpler "NYET".
"Mobile Device Must be Fully Under Remote Management Or Just Won't Be On the Company Network"
Sadly, I haven't managed to implement this yet. For the moment: bedlam and sweatdrops.
In our org, the company-issued phones are locked down to the Exchange server. No POP3/SMTP allowed due to the "risks from email viruses and trojans". But we can install anything we like from the Google Play store, or even enable side loading and install some random APK from the net if we choose.
People using their own BYOD phones have a less restrictive policy imposed on them. They can still use POP3/SMTP. All phones are set to be remotely wiped if someone in power deems it necessary and require a PIN to unlock.
I'm sure someone, somewhere feels all warm and fuzzy for implementing a security protocol, however ineffective it may be.