BYOD Is Neat But Tough On Your Company IT Folks
“That’s the second biggest… I’ve ever seen.” – Maxwell Smart, “Get Smart,” Talent Assoc., (1965 – 1970)
Anonymous and LulzSec made themselves infamous by hacking highly visible organizations. They thought it was cool to disclose information from private/protected databases. They outed millions of people’s very personal/private data, making them prime identity theft targets. You know, the really bad guys (and gals) who make their living tapping into and “borrowing” your information to supplement their income. For most folks, they were simply huge pains in the behind. But for a few… huge financial problems. Little SOBs! Of course, they got bolder and bolder and took their attacks to government data sites around the globe. In the U.S., the FBI, NSA, DOD; in the U.K., Scotland Yard, Defence Ministry, Parliament; in Germany the Federal Network Agency, Chancellery, Cabinet; in Russia the ministries of defense, justice, internal affairs. You get the picture…all of ’em. Cyberattacks on government assets aren’t anything new. Heck, every government has hundreds of folks dedicated to tapping into the other guys’ stuff all the time.
Government Attention
The rash of recent high-profile break-ins has led governments to take a hard stance and draw a line in the sand. They made it official…no more of this crap will be tolerated! The Chief made it official when he said, “How can we believe a man who would sell out his friends?” Sure, you can mess over Sony, BofA, Citi, MS, Google, you name ’em, that’s OK; but mess with the stuff we’ve been gathering on everyone else and that is just aahh…humiliating. Now they know what enterprise IT and security folks feel like every time they log in and check their systems. Company, government organizations are busy hardening their exterior network security to guard against APTs (advanced persistent threats). The problem is the bad guys simply try harder…gawd, they love a challenge. Art Coviello, president of RSA (producers of the SecureID technology that was also hacked) pointed out that the bad guys have the same technologies and tools the good guys do. The real bad black hatters are not only smart, they’re dedicated and have no conscience about who or what they damage. As if that weren’t depressing enough, he has said publicly, “I think that, over time, the bad guys are going to win.” That doesn’t mean the good guys are going to simply roll over; but with the latest employee trend, organizations have made it easier for them.
BYOD Leaks
The employee convenience trend is BYOD (bring your own device) – personal notebook, tablet, smartphone – so people can be more productive, more mobile, more in touch.
Mine, All Mine – Now that people have the freedom to use their own favorite devices for “work,” they’re also free to handle all of the things that need to be handled like all of their social networking at work. The problem is it also opens the company and the individual to a whole new level of security problems. All of this new freedom and power hasn’t made us any smarter. Max recognized what was going on and said, “Ah, it’s the old… trick.”
Spearphishing – very targeted attacks – is a super easy way for a cybercriminal to take control of the individual’s device and make his/her way into the guts of the organization where all the good stuff is kept.
Sure, there are some cases of seemingly harmless middlepersons; but most of the time, ordinary folks let them in because some message looks too good to be true – financial, lust, ego, whatever.
Of Course We’ll Help – Hackers and cybercriminals just love the fact that people now use their own personal devices at work. Few people know enough to provide the ultra- basic security solutions for their many devices, making them extremely vulnerable to access to the entire enterprise. Portable devices have some real risk management issues that IT people focus on as they work to balance enterprise, personal information, corporate data, and personal online access. This includes:
– Stolen passwords – mobile web browsers can expose sensitive information like usernames and passwords as they communicate with sites.
– Weak data protection – device makers fence off core software and data from third-party apps, but they’re weaker than you might think providing access to browser history, saved/deleted text messages, device IDs.
– Denial of Service (DoS) attacks – software design can make the device vulnerable to attacks by overloading the memory
As Max said, “Sorry about that, Chief.” As the digital natives enter the workforce, the industry is offering them a limitless array of affordable products/services that are simple, easy to use and hard not to do without.
The “must have” fashionable products are ideal for our faster network connectivity and impossible to resist apps/content.
Rich Opportunities
It’s all there for working folks to use:
– Social Networks – FourSquare, Face Book, Twitter
– Email — Gmail, HotMail, Yahoo
– Voice over IP — Skype, Fring, TruPhone
– Cloud Apps – Google/MS/iCloud apps, SaleForce.com
– Wi-Fi — Linksys, Netgear, Fon, Boingo, The Cloud
– File Transfer/Sharing — YOUSENDit, Dropbox
– Videoconference — FaceTime, NetMeeting
So many choices, so little time.
Who were these premiere blackhatters (different sites have different listings):
– Kevin Mitnick is the poster child of hacking and was memorialized in a book by NYTimes reporter John Markoff.
– Steve Jobs and Steve Wozniak made the list because of their blue box phreaking devices that enabled folks to make long distance calls without being charged.
– Russian Vladimir Levin ripped off Citibank for $10 M (he was caught, sent to prison, they recovered all but $400K).
– Dark Dante or Kevin Poulsen specialized in hacking radio station phone systems to win stuff like a Porsche and $20K. He was doing okay until he hacked federal computers and got thrown in jail for 51 months.
– Jonathan James was the first juvenile (16) to pull jail time for hacking high-profile government systems, stealing software worth around $2M
These folks – and the others – would have had a freakin ball in today’s environment; or maybe not, because IT organizations are just too open. Siegfried looked around and said, “This is Kaos. We don’t *shush* here!”
Walls Become Sieves – Employees increasingly need (and have) ready access to protected and “secure” databases in the office and on the road to handle work in real-time. Now there are so many devices – storage, work processing, communications – used that protected data can move almost everywhere without proper mobile security processes/procedures. Source – Forrester
At the same time, IT departments have an increasing spectrum of what they need to protect.
Securing More – While companies have relaxed the range of devices that can access data, the legal reporting and protection requirements continue to expand. Because these “demands” change continuously, the general philosophy is…save it all. Source – IDC
It may feel big brotherish but if you are too casual, too “that’s too much work” ish, then IT usually has to step in to help you help yourself.
Security Guidelines
That’s why they have dumb rules like:
– Prohibiting files stored on the personal device from being redirected to a NAS (network storage device) – actually a good practice for personal data
– Keeping sensitive data off personal devices in protected data warehouses or allowing access only in/out
– Encrypting sensitive data on mobile devices
– Monitoring/alerting IT when sensitive data is moved to/stored in less secure areas
– Setting/educating/enforcing policies governing the use of any mobile device in the company
No IT person wants to repeat what Max used to say, “Missed it by that much.” If you’re not hot for all those rules, regs and red tape for the company’s stuff, you may want to consider using it for your mobile device and the real important stuff…yours. Identity theft is on the rise around the globe and adding the best possible security for each and every device you and family members have is just good common sense.
Rough, Tough – Today’s array of mobile devices – notebooks, netbooks, tablets, smartphones – are usually wide-open opportunities for hackers and cybercriminals to use as gateways to the enterprise’s data. Maybe all of security steps you have to go through are a pain, but if not for the company, remember your personal/financial data is probably also on the device, ready for inspection. Last year, over 8.1 million identities were stolen in the U.S. according to Javelin Strategy & research. They estimate you can probably triple that number around the globe, so it’s a big business…and profitable. Javelin reported that businesses lost almost $1.7 million per billion dollars in sales worldwide because of data and identity theft. You may not care too much about someone dipping into the company coffers, but do you have your bank info on your phone? PayPal account? Personal/family records? Do the right thing and your partner will repeat Agent 99, “Good thinking, Max.” While you’re thinking about your personal security, let me take a call.