This time around I am going to touch on a subject that I don’t see discussed too often. Bring Your Own Device (BYOD) is a subject of real importance to many companies these days. Not only are there security ramifications; there are ethical issues as well. With so many different manufacturers and operating systems on phones these days, what is the best route to take? I will first discuss the ethical questions that a BYOD policy needs to address, and will then follow up with the security aspect.
Ethics in BYOD
When considering a BYOD policy for your company you have to take into account that the device in question is not actually your property, because you did not purchase it. You can make it known, and put it on paper, that by accessing company information and e-mail from a personal device the owner leaves that device open to the company to inspect that data at any time. Though this is done in government, does it really make it right for a company to have access to your device just because you read your e-mail on it? Another issue, which will come up again under security, is data privacy. The policy has to work out not only how your privacy is affected by using a personal device, but also how company data is to be kept separate from the other personal data on the phone, which may belong to different entities and persons. Is the device encrypted, and to what standard? Moreover, since the device is a personal one, are you allowed to connect it to a personal computer, where whatever information is on the phone is exposed to whatever may be running on your personal system?
Security in BYOD
There are many security issues that come into play with BYOD as well. The first was touched on under ethics and has to do with privacy and encryption. Since the company cannot truly control the data once it sits on a device that is also synced to personal computers and used however the owner sees fit, you may be opening yourself up to viruses and malware that siphon the data off the phone and/or computer once it is decrypted. Another major issue to address is which operating systems you are going to allow under BYOD. As any security professional knows, once a device touches the internet it is exposed no matter what you do. Apple iOS may be one of the most secure mobile platforms, but that does not make it impenetrable; there have been instances in the past of malicious software making its way into the App Store. Android is open source, which is why so many vendor flavors of it exist; its apps run on a Java-based runtime on top of a Linux kernel. As many people already know, Android has been attacked and exploited in more ways than even I know. One such tool that was available, and I am sure variations are still available, is DroidJack, a remote access trojan (RAT) derived from SandroRAT. A RAT of this kind gives an attacker full access to the phone, including stored data, SMS, phone calls, and many other areas. Other operating systems you would have to consider are Windows 10 Mobile, BlackBerry, and Ubuntu Touch. With that much variation you can imagine the planning that needs to go into BYOD.
Some of the following solutions could be implemented to alleviate the problems with BYOD. For starters, you could get away from BYOD altogether and manage all devices within the company, issuing a corporate device only to those who need to be on call or work from home. This can be done with a BlackBerry Enterprise Server (BES) or any other device management platform, but keep it to one operating system and one type of phone. This costs more, but it removes many of the ethical concerns because the devices and the data belong to the company and not the employee. Another way to alleviate some of the issues is to allow only one type of phone: the phone still belongs to the employee and the company is not paying for it, but you eliminate some of the threats by allowing, say, only iPhone or only Android, not both. Standardizing on one platform also lets you make specific encryption and security software mandatory before the device is permitted to reach back into the corporate network. Finally, education is key: make sure your users know what they can and cannot do on any device that reaches back and touches your corporate network, and put in policy, in writing, what rights you as a company have to the device and the data on it.