27 October 2016
Bring Your Own Device (BYOD) is a double-edged sword. Some see it as a chance to save on tech – why buy laptops and phones when your staff prefer to use their own? But an increasing number are worried about the security risks that come with adopting BYOD.
Commercial devices are often preferred by a growing millennial audience because of the perception that business devices are lacking and harder to use: “…business devices [are struggling] to catch up with technologies designed for consumers… Usability is a big factor around the consumerisation of IT,” says Forrester analyst Dr. Thomas Mendel. “But style and fashion are also becoming decision factors [for business users].”
Mendel has also warned that devices such as the iPhone and services like Skype have quickly established user bases. After all, consumer devices aren’t just pieces of hardware – they’re intrinsically linked to services, both business and consumer (e.g. iTunes and Skype for Business). CIOs should consider the services model when reviewing how consumer technology fits into business, particularly how that translates to security and the ability to scale with business demands.
74% of organisations are already allowing or planning to allow a BYOD policy, so the impact of consumer devices on security can’t be ignored. Gartner says that by 2018, 40% of large enterprises will have formal plans in place to deal with aggressive cybersecurity attacks. The increasing number of large-scale attacks over recent years means CIOs in particular are required to make these contingency plans a priority.
“Gartner defines aggressive business disruption attacks as targeted attacks that reach deeply into internal digital business operations with the express purpose of widespread business damage,” said Paul Proctor, VP and analyst at Gartner. “Servers may be taken down completely, data may be wiped and digital intellectual property may be released on the Internet by attackers. Victim organizations could be hounded by media inquiries for response and status, and government reaction and statements may increase the visibility and chaos of the attack… These attacks may expose embarrassing internal data via social media channels — and could have a longer media cycle than a breach of credit card or personal data.”
While the impact on public perception of a company, customer relationships and data integrity can be huge, it doesn’t end there. Depending on the scale of the attack, employees may not be able to get back to normal in the workplace for many months.
It’s for this reason that most are switching their focus from blocking and detecting attacks, to detecting and responding to attacks.
“Entirely avoiding a compromise in a large complex enterprise is just not possible, so a new emphasis toward detect and respond approaches has been building for several years, as attack patterns and overwhelming evidence support that a compromise will occur,” said Proctor. “Preventive controls, such as firewalls, antivirus and vulnerability management, should not be the only focus of a mature security program. Balancing investment in detection and response capabilities acknowledges this new reality.”
The Internet of Things (IoT) is getting bigger and better with every new product that gets released. Because of this, it’s not only attracting larger budgets but also attracting more attention from CIOs and cyber criminals alike. Technology like this is easily adopted due to the ease of use and convenience that it brings to users’ lives. Unfortunately, consumer devices often don’t have the same levels of security – either on board or manually configured. Combined with users’ lack of security knowledge, this can be dangerous.
The future of device security
Gartner predicts that the standard to which security programs are held will intensify, with more attention being paid to risk and business change. It’s also thought that executive boards will provide more support and guidance, following the onslaught of hacking scandals that have rocked a large number of businesses, from Sony Entertainment to Ashley Madison and T-Mobile.
As disruptive as these attacks have been, they have been something of a wake-up call for businesses all over the world, and key to building the business case for proactive thinking about cybersecurity risk and investment in more robust systems.
“CISOs and chief risk officers (CROs) can and should persuade executives to shift their thinking from traditional approaches toward risk, security and business continuity management. Security is not a technical problem, handled by technical people, buried somewhere in the IT department,” said Proctor. “Organizations need to start solving tomorrow's problems now.”
Dr. Mendel commented that, moving forward, relying more heavily on standardised technology is one of the ways to combine security with consumer-style ease of adoption. Mendel suggests that an increasing number of businesses will benefit from this approach, which is cheaper and more reliable than regular purchasing models.