BYOD– Bring Your Own Device or Breach Your Own Data |Network Security

Posted by Ronan Kavanagh on Wed, Feb 20th, 2013

In the last number of years, laptops, smartphones, tablets and other mobile devices have become prominent features in the workplace.  The Bring Your Own Device (BYOD) phenomenon is now one of the most pronounced incarnations of the wave of consumerisation surging through IT and the business environment.  Along with the reported gains in productivity, efficiency and collaboration, new security risks and information governance concerns have arisen as a result of this paradigm.  One of the major issues that reared its head is the sense of entitlement amongst many workers that using their own devices at work is now more important than the security of corporate data. 

Entitlement more important than corporate data

Why would workers in some situations knowingly risk the security of corporate data and feel that they are entitled to use their own devices at work regardless if there is a restriction or policy in place?  The answer is quite simple, in a recent survey conducted on behalf of Fortinet on 3,800 employees, 74% of the respondents regularly engaged in the practice while over half view BYOD as a ‘right’ rather than a ‘privilege’.  What all these respondents had in common was they are all in their early twenties and just entering the workforce. 

Belonging to Generation Y (also known as Millennials) these people make up the fastest growing segment of today’s workforce.  The main defining traits of this generation and the answer to our question above is that generation Y are innately tech-savvy, growing up with a reliance on technology, they now rely on these skills to perform more effectively and efficiently at work.  This generation are plugged in 24/7 and prefer to communicate through online and mobile mediums rather than face to face contact.  However, this Gen Y obsession to connection can be exploited and utilised by businesses worldwide considering that they will be the next group in line to become senior executives and leaders.  As many of the millennials understand the intricate nature of digital networks and activities better than their older colleagues, they can see the potential of utilising these digital activities to provide opportunities for increased expansion and profitability while tapping into new markets and improving current customer relations.

The Cost of Corporate Data & Network Security

Putting aside all the potential benefits of BYOD, let’s look at the negatives, how much does it cost a business when this phenomenon turns from bringing your own device into breaching your own data? In a recent report from the Ponemon institute revealed that while for the first time in seven years the organizational cost of a data breach and the cost per lost or stolen record have declined.   The findings revealed the average cost per affected record declined from $214 to $194 while the organizational cost declined from $7.2 million to $5.5 million.  However this is no time to celebrate. Active hacktivists such as anonymous in the past have tested the network security measures of the top online companies such as Sony, Microsoft, Twitter and Facebook and are now starting to focus their sights on smaller companies.  As past trends have shown, smaller companies try to adopt corporate best practices to try and stimulate the similar type of benefits achieved by their larger counterparts.  The major flaw when it comes to smaller companies implementing a BYOD policy is that unlike the larger corporations smaller companies simply lack the security resources and infrastructure to fully deal with a full on scale attack, this is the main reason why they are currently being lined up as primary targets. 

Ultimately who’s responsible for the email & web security? – User Centric Organisation

The Fortinet research also discovered another interesting attribute of Gen Y - they may break the rules to suit personal preferences, but 66 percent would consider themselves and not the company to be responsible for personal devices they use for work purposes, whereas only 22 percent believe the corporation should be held responsible.  By now proactive organisations have realised that users power the BYOD movement and not the devices.  These ‘smart’ organisations have adopted and are reaping the rewards from implementing a ‘User Centric Organisation’ – that is, an approach that focuses on the management of the user, their roles, responsibilities and requirements rather than focusing on the device.   Those organisations found taking the opposite approach by focusing management efforts on the device are fighting an uphill battle and are likely to face more setbacks and challenges such as an abuse of policies and unauthorized data distribution from BYOD device.

Will it take several major data breaches before these stubborn to change companies finally wake up to the realisation that BYOD is here to stay?  At this point it may be too late.  All these companies need to address this elephant in the room and implement an effective per user policy to make sure they don’t become another statistic in a data breach report before it’s too late.