At the Virus Bulletin conference this past September in Dallas, Righard Zwienenberg from ESET gave a presentation entitled BYOD. BYOD stands for Bring Your Own Device, but he reframed the acronym to “Bring Your Own Destruction”, that is, he alluded to the security implications of bringing your own device.
BYOD is the latest trend sweeping business and schools. More and more people are bringing their own personal devices from home and using them for business. Rather than companies issuing people laptops, they let people use their personal machines from home – machines such as tablets and smart phones. They then use their devices to access the corporate network and access corporate data. But while more and more people are using their own devices in the workplace, only 25% are aware of the security risks. And it is this lack of awareness that spells potential destruction for the enterprise.
Bringing your own device from home has many advantages:
However, it’s not all fun and games with BYOD. There are some serious drawbacks as well:
Given all this, what can we do? Should we allow BYOD on the work floor, or any professional environment for that matter? The first part of that question is whether or not we can actually stop it. Secondly, even if you could, would you even want to? Banning these things is unrealistic; the USB drive is ubiquitous and difficult to police even if you do warn employees of the security risks. There is simply too much foreign media and too many options.
No, trying to stop the tidal wave of BYOD is not a winning strategy.
It’s impossible for a corporate security team to know about all the features of new OSes, new firmware upgrades, security patches, and so forth. But software companies are coming up with ways to improve security. For example, Windows 8 includes “Windows To Go”, which allows a corporation to create a full corporate environment by booting from a USB drive. All of the corporate standards can be on that USB key. Furthermore, it can have security extras like discouraging removal of the USB key: if the key is removed, the device freezes in 60 seconds. It can also be protected with BitLocker.
So what should you do?
And that’s what I learned about BYOD(evice|estruction) at Virus Bulletin 2012.