|BYOD has limits|
I was speaking on a panel at the SecureCloud 2012 conference in Frankfurt last week and the inevitable question about 'bring your own device' (BYOD) was posed.
The main theme of the conference seemed to be regulatory compliance. Don't stop reading. I'm not going to dig into that can of worms. Suffice to say that compliance is largely about rules and regulations. These may need to be in place for legal reasons but, as we'll see, they are certainly not a panacea.
So, given the question and the tone of the event, and the fact that plenty of people already connect their devices to their employer's network, my answer was along these lines:
- Yes, employees should be able to connect their devices (in most normal cases).
- Yes, employers should be able to prevent them from doing so (in certain cases, if there is a good reason).
- This prevention does not have to be a technical solution.
The third point caused a stir. Really? Surely to meet with the rules and regulations the computers and networks need to be controlled with a fist of iron? What about application controls? Website blocking? Network monitoring? Surely these are the answers?
These are all useful ways to find out what's happening but, if you lock things down too much, the following will happen:
- Regular users, who are doing nothing wrong, will be hampered in their work.
- Malicious users, who are trying to steal information, will still find a way.
The answer is not to impose strong technical measures but to let the users know that they are being watched and that any infractions will be dealt with.
While sat in front of the audience considering these issues I compared the situation to parents attempting to ensure that their children's internet access was a safe and pleasant experience. Should they install parental controls? Limit access using an automatic schedule? Block certain types of websites and applications? (Read more on this).
By all means, if you want to make work for yourself and increase the chances of your kids missing homework deadlines, lock the systems down. Alternatively, have conversations about risk and discuss safe and sensible online behaviour.
Children and unwise employees will always find a way around technical controls. I know of one occasion in which an employee didn't just bring in their own computer. They installed a wireless router on the company network. They did so even after the IT department sent out a message banning the use of personal network equipment.
Naturally the idiots involved (the users, not the IT dept.) failed to implement any security, such as a password. They created an instant and easily-accessible backdoor to the network.
The solution? HR.