14/06/2020
This day in 2012, I was invited by the ISACA Sri Lanka Chapter to speak on Bring Your Own Device. The views shared in my presentation still hold good today.
Fast forward to 2020: employees are concerned about the privacy of their data on their mobile devices (employee-owned devices), which they do not want the organisation to have access to. Organisations are concerned about their data, and want to ensure they have control over the data accessed through employee-owned devices.
What do you think? - Sithira Wanniarachchi Tharindhu Amaratunga Samanthi Sudurikku Prasanna Jayamanna Asokan M Rakitha Wickramaratne Kumar Manthri Saman Thilakasiri
More than half of large companies are catering to their employees' desire to use their own smartphones, and as a result, the market for "mobile device management" (MDM) tools is booming. IBM adopted a "bring your own device" policy, meaning that employees who want to work outside the office don't have to use a smartphone provided by the company. IBM still gives BlackBerrys to about 40,000 of its 400,000 employees, but 80,000 other workers now reach internal IBM networks using other smartphones and tablets, including ones they purchased for themselves.
Lessons:
The trend toward employee-owned devices hasn't saved any money. Instead, it has created new challenges, because employees' devices are full of software that IBM doesn't control. Several employees using mobile devices were "blissfully unaware" of which popular apps could be security risks. Employees were found to be violating protocol by automatically forwarding their IBM e-mail to public webmail services, or by using their smartphones to create open Wi-Fi hotspots, which leave data exposed to snooping. Device configuration all happens remotely and updates are pushed to the phones over the air, but it is still cumbersome. IBM also faces new complexity as it manages a growing number of devices that don't ship with as much built-in security as BlackBerry phones. There is a tremendous lack of awareness as to what constitutes a risk.
Actions:
IBM has established guidelines about which apps employees can use and which they should avoid. On the list of banned apps are public file-transfer services such as Dropbox, which could allow confidential information to get loose. Workers are educated about computer security to raise awareness, and better security is enforced alongside that education. Before an employee's own device can be used to access IBM networks, the IT department configures it so that its memory can be erased remotely if it is lost or stolen. The IT crew also disables public file-transfer programs like Apple's iCloud; instead, employees use an IBM-hosted version called MyMobileHub. IBM even turns off Siri, the voice-activated personal assistant, on employees' iPhones, because the spoken queries, which are uploaded to Apple servers, could ultimately reveal sensitive information. Each employee's device is treated differently, depending on what model it is and what the person's job responsibilities are. Some people are only permitted to receive IBM e-mail, calendars, and contacts on their portable devices, while others can access internal IBM applications and files. IBM has equipped phones with additional software, such as programs that encrypt information as it travels to and from corporate networks. The options vary even further: the IT department can match an employee with one of about 12 different "personas" that dictate what he or she is allowed to do on a mobile device.
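The controls above (remote wipe, banned public file-transfer apps, encrypted corporate traffic, and role-based "personas") amount to a device compliance policy that an MDM system evaluates before granting access. The following is an added example of such a check written for this post; it is not IBM's tooling or MyMobileHub, and the persona names, banned-app names, webmail domains and device records are constructed for illustration.

```python
"""Illustrative BYOD compliance check (added example, not IBM's own tooling)."""
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Hypothetical policy data modelled on the controls described in the post.
BANNED_APPS: Set[str] = {"Dropbox", "iCloud Drive"}            # public file-transfer apps
PUBLIC_WEBMAIL_DOMAINS: Set[str] = {"gmail.com", "yahoo.com", "hotmail.com"}
# Two of the roughly dozen personas the post mentions; names are invented here.
PERSONAS: Dict[str, Set[str]] = {
    "mail-only": {"email", "calendar", "contacts"},
    "full-access": {"email", "calendar", "contacts", "internal-apps", "files"},
}


@dataclass
class DevicePosture:
    """Posture report an MDM agent might deliver for one enrolled device (constructed)."""
    device_id: str
    persona: str
    remote_wipe_enabled: bool          # memory can be erased if the device is lost or stolen
    traffic_encrypted: bool            # corporate traffic goes through the encryption software
    installed_apps: Set[str] = field(default_factory=set)
    mail_forward_targets: List[str] = field(default_factory=list)  # auto-forward addresses
    hotspot_enabled: bool = False
    hotspot_open: bool = False         # True when the hotspot has no encryption at all
    requested_capabilities: Set[str] = field(default_factory=set)


def evaluate(p: DevicePosture) -> List[str]:
    """Return the list of policy findings for one device (empty means compliant)."""
    findings: List[str] = []
    if not p.remote_wipe_enabled:
        findings.append("remote wipe not configured")
    if not p.traffic_encrypted:
        findings.append("corporate traffic not encrypted")
    banned = sorted(BANNED_APPS & p.installed_apps)
    if banned:
        findings.append("banned apps installed: " + ", ".join(banned))
    for addr in p.mail_forward_targets:
        # Only the domain part matters; a forward to a public webmail provider is a violation.
        domain = addr.rsplit("@", 1)[-1].lower()
        if domain in PUBLIC_WEBMAIL_DOMAINS:
            findings.append(f"mail auto-forwarded to public webmail: {addr}")
    if p.hotspot_enabled and p.hotspot_open:
        findings.append("open (unencrypted) Wi-Fi hotspot enabled")
    allowed = PERSONAS.get(p.persona)
    if allowed is None:
        findings.append(f"unknown persona: {p.persona}")
    else:
        excess = sorted(p.requested_capabilities - allowed)
        if excess:
            findings.append("capabilities outside persona: " + ", ".join(excess))
    return findings


def decide(p: DevicePosture) -> str:
    """Access decision: any finding denies network access until it is remediated."""
    return "allow" if not evaluate(p) else "deny"


def audit(devices: List[DevicePosture]) -> Dict[str, List[str]]:
    """Run the check over a fleet and keep the findings as audit evidence per device."""
    return {d.device_id: evaluate(d) for d in devices}


# Constructed sample fleet: one compliant device, one with several violations,
# one that was never configured for remote wipe.
SAMPLE_DEVICES = [
    DevicePosture("dev-001", "mail-only", True, True, {"Mail", "Calendar"},
                  [], False, False, {"email", "calendar"}),
    DevicePosture("dev-002", "mail-only", True, True, {"Mail", "Dropbox"},
                  ["me@gmail.com"], True, True, {"email", "files"}),
    DevicePosture("dev-003", "full-access", False, True, {"Mail"},
                  ["backup@corp.example"], False, False, {"email", "files"}),
]

if __name__ == "__main__":
    for device_id, findings in audit(SAMPLE_DEVICES).items():
        print(device_id, "->", findings or "compliant")
```

The point of keeping `evaluate` separate from `decide` is the last paragraph of the post: the per-device findings are the audit evidence that the controls are actually applied, while the allow/deny decision is what the network enforces.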
Conclusion:
Device management will get even more complex in the coming years, but perhaps less restrictive, too. For instance, instead of making employees avoid apps like iCloud entirely, employers someday might be able to turn off just the two or three functions that worry them. Whatever happens, fewer and fewer IT departments will own their employees' equipment. IBM is being extraordinarily conservative. It's the nature of their business. Shouldn't they be?
My take would be to continuously assess the risk by creating user awareness, reviewing security policies periodically to keep pace with technological advancement and organisational change, and implementing appropriate security controls. Finally, these must provide appropriate audit evidence to prove that the controls are effective and efficient!
What is your take?
Source: Technology Review, published by MIT