How much of a threat to IT is the bring your own device (BYOD) trend? What should IT managers be concerned about?
The short answer is that the issue isn't the device per se. IT departments have become very adept at creating secured application environments and developing support capabilities for a wide range of personally owned devices. In fact, the reduction of hardware inventory control is actually very beneficial to IT departments, which generally hate doing hardware inventories anyway.
The real question ought to be, "How much of a security threat is BYOD to the business?" When looked at from this perspective, it is clear that employee-owned devices complicate security tremendously. Even with an appropriately walled application space, where employees must authenticate to get in and where transferring data from the secured space to the unsecured employee space is rendered difficult, bring your own device security isn't foolproof; there are still ways to leak sensitive data to the outside world.
This is especially true when employees are not only using their own devices, but also their own applications. As an example, many people have become exceptionally creative in conducting work on social-networking sites. When teams collaborate in the social realm, keeping critical intellectual property secure can be problematic.
So what should IT do? It seems that BYOD is here to stay, and bring your own device security will be a very important challenge for some time to come.
One solution is to physically secure certain company functions to specific access devices. It may seem strange in the era of the Internet to talk about dedicated computer networks, but it is entirely possible to build access points where an employee must log in to recognized machines where company-critical data and applications are available. This approach to security has been used in highly classified government functions since the beginning of the computer age and, with certain notable exceptions, has proven to be very secure and manageable. Not convenient, perhaps, but then convenience may not be compatible with BYOD security.
In fact, the basic premise of such disconnected computing environments is that the organization can tell the difference between sensitive and nonsensitive information. The implication is that there ought to be a way to identify the difference and segregate data on that basis. This, of course, is bigger than IT, but ultimately a company will need to decide what to secure and what to make available for general access. If the default is that everything must be secured, then BYOD is probably a bad idea in any case.
This was first published in June 2013