Paul Hyland is group information security officer with the Ardagh Group, an international packaging business. Mobile devices are important for an internationally mobile executive force; and company-wide BYOD is just an extension.
Robert Cockerill is head of IT infrastructure and security at Thames River Capital, an asset capital company. "BYOD was more or less forced on us from above, when the Board bought itself iPads," he said.
Tony Doyle is head of ICT services for Blackpool Council. His route to BYOD was the most unusual. "Blackpool," he said, "is going through massive regeneration. We're particularly keen to consolidate our position as a twenty-first century conference center. That means updating everything – and that includes public WiFi. But if we're offering WiFi to the public, we should also provide it in-house. A staff BYOD policy becomes a natural extension of our public WiFi."
The facilitator was Nigel Stanley from Bloor Research, who has a particular interest in the subject.
This keynote session, perhaps more than any other at Infosecurity Europe 2012, provoked a lively interaction with the audience, reflecting the current importance and concern over BYOD. One common theme apparent from all of the panel members was the extent to which they try to facilitate the wishes of their users by not being too restrictive. All said they would provide company facilities if a personal device malfunctioned; and Cockerill would go so far as to try to help solve the user's difficulties (within reason, he added).
The two private organizations have no restrictions on the number of different devices their users employ. "We provide access. How many devices use that access is not important," said Hyland. Only the public organization dissented. "It's a hot topic for us," said Doyle. "We're encouraging the use of just one device per user. It's a license issue. Since we operate on public funds, we need to keep all costs as low as possible."
Nor do they try to impose technical restrictions on mixing home and business use on the same mobile device. "We can't monitor everything all of the time," said Hyland. "We like to think that users will use common sense." Continuous education is the main weapon. Although, "It's part of the policy," added Hyland, "so our users have agreed to behave sensibly."
But none of them are happy with connecting jail-broken devices. "We block them," said Cockerill. "We're looking at it," said Doyle. "We don't allow them," said Hyland. And "You have to ask yourself," said facilitator Nigel Stanley, "what type of person wants to do that anyway? What else might that type of person want to do?"
Asked about the threatscape specific to BYOD, Doyle suggested that it's basically ignorance. "Think of the years it's taken us to educate users about PC security – and now we have to start again. Users tend to automatically accept the default device settings, and that's not usually good enough."
"The app stores are a big problem," said Cockerill. "Trusting other people's trust models... We need to educate our users."
"Education is the answer," agreed Hyland. He aslo implied there was little time to do so. "Malware is still young on mobile devices; but this will change."
Attitudes to mobile device authentication were a little surprising, with nobody requiring more than two factors. Biometrics were neither queried by the audience nor mentioned by the panel. Instead, access control was exerted primarily within the network, controlling who could do what rather than just who could connect.
Interestingly, none of the panelists had experienced any fraud, either of identity or money, that could be attributed specifically to BYOD. But Doyle did raise one potential issue. In the current economic climate, especially within the public sector, there are many ex-employees around – and not all of them are happy ex-employees. "This could be a problem," he said. "I can see people using the camera facilities in their mobile devices to photograph sensitive documents or flip charts and then posting them on the internet." Rapid deprovisioning is perhaps even more important in the BYOD environment than in the traditional IT environment.
| See Infosecurity magazine interview Nigel Stanley outside the keynote theater at Infosecurity Europe 2012 |