Is BYOD (Bring Your Own Device) worth the risk?

December 17, 2012
December 2012
By Bill Lydon, Editor
BYOD (Bring Your Own Device) refers to the growing trend of letting employees use their own devices as operator interfaces for business and automation systems in the workplace. But is it worth the risk? The use of cell phones or tablet computers to monitor and control automation systems provides a great deal of value to improve productivity and responsiveness. This is the result of the evolving consumerization of information technology, in which technology is introduced and adopted first in the consumer market and then spreads into business and government organizations.
The emergence of consumer markets as the primary driver of information technology innovation is seen as a major computing industry shift. This evolution started with the introduction of the personal computer, and now smartphones and tablet computers (examples: iPad, Android) have kicked the trend into overdrive. Employees routinely report to work with more computing power in the palm of their hand than their desktop machines held just a decade ago. Flush with these mobile capabilities, employees have begun to add the applications that give them access to and control of automation and business systems.
Bring your own device (BYOD) is a business policy allowing employees to bring personally owned mobile devices to their place of work. BYOD enables employees to use their devices to access privileged company resources such as email, file servers, automation systems, and databases as well as their personal applications and data. This is also referred to as bring your own technology (BYOT) or bring your own behavior (BYOB), terms that express a broader phenomenon of individual preferences for the particular hardware and software used on the device (e.g., web browser, media player, antivirus, etc.).
Employee Privacy Concerns
In a recent Harris survey of enterprise workers commissioned by Fiberlink, many employees worry that BYOD is an excuse to invade their privacy. Many BYOD policies require workers to accept a client MDM (Mobile Device Management) app or agent on their personal device, setting up a connection with the MDM server. That tradeoff also often gives employers the right and the power to delete personal files and content, along with corporate data, in a remote wipe if the device is lost or stolen. The survey found that users are overwhelmingly concerned and would not allow employers to have this access into their personal lives, as reflected in these key results of the survey:
  • 82 percent of respondents consider the ability to be "tracked" an invasion of their privacy. Tracking is easily accomplished through a number of technologies built into most of the popular smartphones. Tracking with an MDM solution can be accomplished using GPS and triangulation, which gives a company a way to find where a device is physically located and to identify the apps that users install on their smartphones and tablets.
  • 76 percent of respondents would not give their employer access to view what applications are installed on their personal device.
  • 75 percent of respondents would not allow their employer to install an app on their personal phone which gives the company the ability to locate them during work and non-work hours in exchange for receiving corporate email and gaining access to other corporate resources.
  • 82 percent are “concerned” to “extremely concerned” about their employers tracking websites they browse on personal devices during non-work time.
  • 86 percent are “concerned” to “extremely concerned” about the unauthorized deletion of their personal pictures, music, and email profiles.
  • Only 15 percent are not at all concerned about employers tracking their location during non-work time.
  • Only 15 percent are not at all concerned about employers tracking personal apps installed on their devices.
BYOD left unmanaged can lead to data breaches and provides an entry point for unauthorized access to automation systems. For example, if an employee uses a smartphone to access the company network and then loses that phone, the confidential data stored on the phone could be retrieved by untrusted parties. One of the biggest issues with managing devices is tracking and controlling access to corporate and private networks. Unlike guest access, which frequently uses an open, unsecured wireless network, the potential sensitivity of BYOD requires a secure wireless protocol, most commonly WPA2-Enterprise. WPA2-Enterprise is the only level of wireless security that provides all three forms of wireless security: (1) over-the-air encryption, to ensure traffic is protected in transit; (2) user authentication, to ensure an authorized user is accessing the network; and (3) network authentication, to ensure the user is connecting to the real network (and not an evil twin network).
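As an added illustration (not part of the original article), the Python below audits a client's wpa_supplicant configuration against the three properties listed above. The choice of wpa_supplicant as the client, and the sample configuration with its SSIDs, identities and certificate path, are assumptions constructed for the example.

```python
import re

# Constructed wpa_supplicant.conf sample (SSIDs, identities, paths are made up).
SAMPLE_CONF = '''
network={
    ssid="CorpBYOD"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice@example.com"
    ca_cert="/etc/ssl/certs/corp-radius-ca.pem"
    domain_suffix_match="radius.example.com"
}
network={
    ssid="CorpBYOD-legacy"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="bob@example.com"
}
network={
    ssid="Guest"
    key_mgmt=NONE
}
'''
NAME_KEYS = ("domain_suffix_match", "domain_match", "altsubject_match", "subject_match")

def parse_networks(conf):
    """Yield one {key: value} dict per network={...} block."""
    for body in re.findall(r"network=\{(.*?)\n\}", conf, flags=re.S):
        pairs = re.findall(r"^\s*(\w+)=(.*?)\s*$", body, flags=re.M)
        yield {k: v.strip('"') for k, v in pairs}

def audit(net):
    """Check the three properties the article lists for WPA2-Enterprise."""
    enterprise = net.get("key_mgmt") in ("WPA-EAP", "WPA-EAP-SHA256")
    trust_anchor = "ca_cert" in net or "ca_path" in net
    return {
        "encryption": enterprise,  # simplification: 802.1X-keyed WPA2 link
        "user_auth": enterprise and "eap" in net and "identity" in net,
        # Without a CA and a server-name check the client accepts any RADIUS cert.
        "network_auth": enterprise and trust_anchor and any(k in net for k in NAME_KEYS),
    }

def findings(conf):
    """Return {ssid: [properties not met]} for every network block."""
    return {n.get("ssid", "?"): [p for p, ok in audit(n).items() if not ok]
            for n in parse_networks(conf)}

if __name__ == "__main__":
    print(findings(SAMPLE_CONF))
```

The second block is the case that matters for BYOD: the device still uses WPA2-Enterprise with per-user credentials, but with no CA certificate or server-name match configured it does not authenticate the network.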
Security is a growing threat to operations, as noted in a recent article, Cyber Attacks on Industrial Systems Increasing Rapidly. I think cyber security attacks are going to become far more aggressive. BYOD introduces another hard-to-manage element.
System Integrity
Security is not the only issue that comes with BYOD. Maintaining system availability and troubleshooting problems could become challenging in an environment where users are bringing in a multitude of different technologies. Also, there is an expanded burden of software configuration control to manage versions, patches, and network configurations.
As the Bring Your Own Device (BYOD) trend sweeps across the business world, it raises significant management challenges and operational implications for companies. The implications and investments required to support BYOD should be thought through before setting policy.