I have been thinking about the Bring Your own Device ( BYod) issue for quite some time now, indeed I am even speaking at a conference in the near future on this very topic. The same question keeps popping up in my mind but seems to be ignored by most of the infosec media, is BYoD an infosec issue ? Certainly of you read the media they will tell you that it is with big fines being leveled ( maybe) for lost or stolen devices and huge security issues if your employees are are allowed to used their own kit.

However I beg to differ, sure BYoD has a security angle but if we examine all the stake holders it is clear that security is not the main one.  Another issue is that most of the BYoD stories that you read are either from the USA or from small companies based mainly in the UK. Companies that trade across the EMEA region are often forgotten in the rush for “shiny things”. The issues that can occur when you start to deploy such a policy across multiple jurisdictions especially with the local implementations of employment law, works councils etc  we have in Europe. Please note that I am not going to link to each an every piece of employment law that I mention below. Most of it is in local languages and to link to each place would make this a magnum opus just use this as reference material.

Lets look at the stake holders one by one

1. Information Security – have responsibility for the data and access
2. ICT – have responsibility for the device its self and supporting software
3. Human Resources – have responsibility for the usage of the phone and any personnel related legal conditions
4. Legal – Have responsibility for compliance with legislation
5. Finance – Have to make sure that some one pays the bills

Of the stakeholders above it is really 3, 4 and 5 who have the most to loose from an improperly implemented BYoD policy. Lets examine them in more detail one by one

HR, dependent on how your organisation is set up they probably are responsible for remuneration, benefits and compliance with employment law. Allowing employees to bring their own device opens up a whole host of issues. In some EU countries the law is such that you must provide all tools that an employee needs to do their job, you could therefore end up with a bill for smart phones if you allow them and the employee can then claim they are needed. Additionally, imagine you do not provide smart phones to some levels but allow them if an employee wants to bring their own. A certain employee discovers that they can be more efficient ( or are perceived as more efficient) due to their smart-phone. This is not all that far fetched if you have service personnel who get jobs from a central system, imagine one employee has to login and get the jobs one by one where as one with the latest device can see more than 1 job and schedule better ? you could easily end up in a situation where you can not reward the employee who was more efficient as the tool they were efficient with was not an official tool.

Another area that come up on the HR plate surrounds “essential users”, that is users who need a mobile device as pert of their job. Think again back to service engineers, they typically have a set vehicle if they need certain aspects of the vehicle for their job ( car ring capacity for example), they also have a dependence on their device such that if there is an issue they can not work. Will these users be allowed to bring their own devices ? will you have a pool of them to hand out if a personal device breaks and can not be replaced ?

HR is probably the largest area of issue but your exposure to it will vary dependent on how your work fore is made up, the countries you operate in and many other factors.

Legal, apart from the cross over issues stated above, there are many potential pitfalls. One of the largest will surround ownership particularly around the data. Unless you have a solutions that can enforce encryption and other security settings ( and you could be crazy to deploy without one), there are massive issues if an unencrypted device was lost and was found to contain senstive data. There are also issues around  data ownership, monitoring and interception. All of these will need to be resolved for all territories you intend to roll this out to.

Lastly, finance or whom ever will be picking up the bills. Some companies roll out BYoD but stating here’s 50 Eur a month ( or what ever the  if your bill is higher it is your own problem. This  works if employees do not travel and make predictable use of their phone. Imagine however an employee who travels around between countries. Now the data and call cost can vary quite a lot. Will you allow employees to put in their own SIM’s  will you enforce that they can bring their won device but will use a company SIM ? If you allow ( or force them ) to take their own mobile contract how will you perform cost control ? will 10,000 individual contracts really be cheaper than 1 contract with 10,000 numbers allocated ?

I started this post bu stating that BYoD is not an infosec issue, and I stand by that premise. Sure there are data security issues, but products can easily resolve these issues. Go get the Gartner Magic quadrant and choose your poison, the real issues lie else where.

By the way you might have noticed that I have written this post about BYoD and then focused on mobiles… well laptop’s and desktops will be included as well ( eventually) and they have a whole host of issues as well. Stay tuned for a blog on that extension.

The mobile phone update issue is one that has been bugging me for a while and whilst I am a great fan of android ( I have owned 3 of them ) it does have an achilles heel compared to mono culture phone OSes such as IOS from Apple.

Not since the early 90′s when windows updates were just a dream has there been such an issue. I know that history often repeats its self however the repetition that is occurring on the android platform with respect to the pitiful state of OS updates need to be discussed and brought out into the open. If you go to your local mobile phone shop and have a look at the android phones on offer you might be shocked to see that many of them, far from being on the latest version of Android are on truly ancient versions. A brief look around even turned up some that are on Android 1.6 which was released in 2009 some 3 years ago. Please remember the phone OS’s unlike desktop OS’s do not generally have backported patches. ie it is not the same as comparing Windows Vista to Windows 7, in the case of the Microsoft OS’s both can be patched to the latest version despite one being far far older than the other ie both can be perfectly safe ( or a safe as Microsoft OS’s can be.) On the current generation of smart phones to patch one replaces the whole OS with the new version.

The issue of a lack of security patches v’s whole OS releases can be handled, for example Apple due to their mono culture and Darth Vader like grip of the phone hardware manage it quite well. When they release an update all Iphones they have decreed as supported can download it. With Android this is not the case, one must wait for both the handset manufacturer and the carrier ( assuming carrier locked phone) to accept the OS as suitable for their handset and network respectively. A comparison of the process looks like this

Note those decision boxes on the Android side ? well at each point either the mobile phone operator or the handset manufacturer could decide to stop backporting / customising and unless one had the wherewithal to be able to flash a default OS ( Like the superb Cyanogen Mod) onto their phone they are now stuck with a non updating phone.

In the past this was not an issue, phones were used for making calls or sending SMSes. Now with the rise in smart phones your phone is just a computer like your laptop or desktop. Would you run for example a PC that hasn’t been patched for the last 3 years connected to the Internet ? would you put sensitive login details on that PC ? would you use that PC for online banking ?

I thought not..

However phone manufacturers have been getting away with this for the last few years because apart from your address book or logins to facebook / twitter etc there wasn’t a lot of sensitive data on there so the criminals ( by and large) stayed away. With the meteoric rise in banking and other sensitive data now on your smart phone how long do you think that this is going to go on for ?