BYOD – Bring you own Databreach

I have worked closely with companies who have quite relaxed policies on BYOD (Bring your own Device).  They liked the idea that if an employee wants an iPhone, this was OK, as long as they paid for it.  Personally; I blame Ryanair. People are always telling me what a clever business Ryanair is.  They even charge their employees for training and uniforms.

I’ll resist the Ryanair tangent for fear of this turning in to a customer service rant and I have strong views on business culture.  My point, however, is a simple one.  A BYOD device is another device on your network.  It’s a MAC address with a set of permissions.  Allowing a BYOD access to a network or allowing access to your corporate email system can be little different from allowing an uncontrolled device to connect up remotely to your business critical data.

Socially it is expected.  It might be small and hugely featured but it’s easily lost and exposes the weak underbelly of your whole business system.  In short; it’s a disaster waiting to happen.  Your BYOD is possibly linked to a cloud service such as Dropbox or iCloud.  It’s a high resolution camera which might be used to photograph that White Board so you can write up the notes later. 

Remember James Bond with his mini cameras in the classic Bond movies?  Well now we all carry one.  Ours are better actually as they don’t need developing and they transmit and sync our images almost instantaneously to the cloud whilst our phone is in our pocket.

Now let’s look at email.  I know of situations where member’s of staff have had both personal and work email accounts on the same BYOD.  This enabled them to forward work email to their home account (with attachments) with no record on the business exchange server other than the email had been read!  This is a security haemorrhage point and nobody really seem that bothered.

Of course you will be thinking that the Cloud services, email policy and even the camera could be controlled in a switched-on company.  You are probably right and of course they should be.  My point is really one of attitude.

We all carry these devices with Gigabytes of data on them in and then out of our business worlds.  They soak up data and information about our habits and movements and they record highly sensitive data. 

BYOD need to be controlled – just like any other business critical device.  Ownership actually complicates the situation.  They need to be controlled, audited and the risk assessed.  Staff need to be trained.  Ownership of the data needs to be considered with great care and attention.  Policies need to be written, implemented and measured.  People need to be trained.  BYOD is not a panacea to cheap technology infrastructure.  BYOD could become your worst nightmare.

Lastly; what happens when the employee leaves? Is the demarcation of personal data and business data a clear one? – probably not.  If their personal iPhone has been linked to their home PC (and it probably will have been) then you don’t just have the challenge of you data being on one device but probably many.  Not only that but you probably have no idea where your business data is.

By its very nature BYOD puts your data in an uncontrolled environment.  Phones and tablets are lost and stolen in huge numbers every day.  On average a London taxi has a phone left it in once every day!  The disposal of data and devices upon leaving the business is an HR minefield and a risk most businesses haven’t even considered. 

Bring you own device? - Bring your own Databreach!

A Fictional Data Breach Scenario

In 20 years in the technology industry, I have yet to find a business who has their data under control.  It’s a really tough challenge!  It slips through your fingers like water due to human nature.  It’s human nature to take a path of least resistance to achieve an objective especially when you add pressure to a circumstance.

I’m going to give a fictional circumstance to a data breach which is in the public domain but a data breach which I commented on at the time.  In May 2009; a disk bought on eBay contained details of test launch routines for the THAAD (Terminal High Altitude Area Defence) ground to air missile defence system. The same disk also held information belonging to the system’s manufacturer, Lockheed Martin, including blueprints of facilities and personal data on workers, including social security numbers.

Based on other information found on the disk it was probable that an employee or supplier or perhaps a consultant took valuable highly confidential data home and worked on his or her home computer.  He (for brevity) might have even deleted local copies although he probably forgot.  He certainly failed to securely erase data which in the wrong hands could be invaluable.

We’re going to call him John in my fictional scenario.  John is under a huge amount of pressure.  He’s consulting for his aerospace client having been bought in to cover the sudden sickness of a key member of a program team.  This is a bit of a stroke of luck for John as he’s been without a contract for a few months.

At home John is a family man but he has pressure from this side of his life too.  Financial pressure has been building up.  His wife has been working longer hours to try to cover the shortfall.  This has meant John has been helping with the kids and the school run.

John’s in that horrible stage of a new contract where he doesn’t know all the team and he needs to build relationships.  He’s completed his induction but the pressure is now on full to catch up for the lost time.  The project didn’t plan for the key man sickness and its John’s job to catch up.

Today John has to get home on time as his wife’s at work but he must also complete an urgent report.  Frustratingly John’s not got his new work laptop yet. He’s getting in to the office as early as he can but today he must leave on time for child care.  His new boss and the person who decides his future needs the report “on his desk at 8am, without fail”.

John can’t win.  He can’t leave his children and he can fail in his new job.  The pressure is unbearable.  His only option is to pull out of his briefcase a USB flash drive.  He plugs it in and tries to copy the files. Frustratingly his aerospace client has disabled the USB ports.  Then he has a brainwave.  He logs on the webmail of his personal consulting business.  Hotmail and Gmail are blocked but his consulting domain works.  He emails his work to himself, presses send and then logs off.  John rushes to collect his kids.

At home John cooks his kids their diner, puts them in front of an x-box and settles down to his evening’s work.  It’s half 12 at night by the time john finishes. He emails the work back to the office and goes to bed.

Two years later his home PC is upgraded and he recycles the old one at a local civil amenities site.  The hard drive along with the memory are scavenged by a temporary employee at the site and are sold on eBay for a few extra dollars.

This scenario is made up but I hope it makes you think just a little.  How waterproof (dataproof?) are your processes and procedures?  Have you tested for leaks?  Do you record and track when data is accessed and copied?  Is your “bring you own device” (BYOD) policy and control in place?

Confidential data is like water.  It finds a way if it’s not contained.