As mobile devices proliferate and new “clouds” come online, workers and employers, in corporate America and in government, are grappling with the best ways to leverage the advantages of personal communications devices while understanding and mitigating risk.
How the Private and Public Sectors are Addressing “Bring Your Own Device (BYOD)” to Work
Both companies and government organizations are actively exploring ways to increase productivity by using personal mobile devices to cut cost and improve employee satisfaction. Fortune 500 company Cisco showed a 17 to 22 percent savings derived from employees using their own personal devices.[i] In government, the Nuclear Regulatory Commission’s Chief Information Officer (CIO) Darren Ash is driving his agency’s mobility strategy by issuing a BYOD policy focused on tying personal preference and greater employee satisfaction to increased productivity.[ii]
The “Rest of the Story” on BYOD: Risks and Concerns
A recent Deloitte study showed that 87 percent of executives felt at risk from a “cyber-attack” originating from a mobile-security lapse.[iii] Mobile devices are subject to greater risk from physical loss, or from compromise through remote network access, the supply chain or other insider threats. Security professionals are worried about these threats but have no good way to detect them, according to a new survey from Tenable Network Security.[iv]
The mobile device risks noted above are especially concerning for the public sector, where government leaders and employees often need to ensure higher levels of information integrity, confidentiality and availability because of national security and/or public safety. Recent high-profile, malicious cyber intrusions that resulted in the loss of valuable intellectual property and Personally Identifiable Information (PII) have caused greater concern about the introduction of personal mobile devices into the federal marketplace.[v] Another sticking point is whether government agencies have the right to examine or download PII from employee devices.[vi] As federal agencies migrate to cloud-based services, an additional concern in the public sector “… revolves around how to secure and mediate services, and provide authentication between on-premises and cloud-hosted applications.”
So where do we go from here?
Clearly, we are not going to see technology innovation in mobility and cloud implementations slow down. Mobile device demand, as seen in the recent iPad3 sales, will continue to scale rapidly.[vii] In fact, given all of the advantages noted previously, we do not want this innovation to stop. How, then, do we continue to innovate and field new technology while mitigating the growing risks we see inside this new technology? I believe we need to focus on three areas:
- Enhanced policy and enforcement, especially in the areas of privacy and security. Both companies and government have begun to address the security issue with policy. For example, Unisys employees who want to use personal mobile devices need to sign an Acceptable Use Agreement (AUA). The agreement enables Unisys to install a public key infrastructure (PKI) device certificate on the devices for authentication whenever they’re used to access the network. Through the AUA, users acknowledge that they understand that the device can be seized for an indeterminate amount of time if it—or the data on it—is part of a legal dispute.[viii] At the General Services Administration (GSA), the AUA also includes remote wiping of the device under certain conditions.[ix] Importantly, at the federal level, agencies are aligning proposed BYOD policies with a new national mobility strategy, helping to close seams and ensuring consistency in policy enforcement.[x]
- Advancement of continuous learning in personal device use. According to Ken Vander Wal, ISACA's international president: “I suggest it all start with fostering some sort of culture of security awareness. It's been true forever in that people are the weakest link in a security chain. But having said that, [people] can also be significant assets to good security, so embedding security awareness into the regular communications and to training and performance evaluations will clearly help foster that security culture that's so critical.” Organizations can also promote continuous learning by installing apps on personal devices that exercise and test cyber security awareness and skills.
- Implementation of greater technology for protection. The third pillar of an effective approach focuses on security technology enhancements to mitigate inherent vulnerabilities in the device, when information is transmitted, and when information exchange takes place in cloud app stores. In this context, both commercial and government CIOs are keen on securing the data rather than the device. Persistent distribution control for “hardening” information, secure operating systems, encrypted memory, robust chain-of-trust solutions and high-end commercial encryption all need to be considered and appropriately aggregated to supplement stronger policy and continuous learning. For example, at DoD, mobile devices must be technology-enabled across four security standards: FIPS 140-2; data at rest; CAC/PKI authentication; and enterprise management.[xi]
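The PKI device certificate described in the Unisys example above, and the CAC/PKI authentication standard DoD applies to mobile devices, both rest on the same mechanism: the enterprise runs an issuing CA, enrolls each approved device by issuing it a certificate from that CA, and the network gateway accepts a connection only when the presented certificate chains back to the CA. The Go program below is an added example, not code from this article, Unisys, GSA or DoD, and models a hypothetical enterprise CA entirely in memory with Go's standard library: `NewEnterpriseCA`, `EnrollDevice` and `VerifyDevice` and the names "Example Corp" and "phone-0001" are constructed for illustration. It shows an enrolled device passing the gateway check, a device holding a certificate from some other CA being rejected, and the same enrolled device being rejected once its certificate has expired.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// CA models a hypothetical enterprise issuing CA (constructed for this example):
// the certificate that every device must chain to, plus the signing key used at enrollment.
type CA struct {
	Cert *x509.Certificate
	Key  *ecdsa.PrivateKey
}

// randomSerial returns a random 128-bit certificate serial number.
func randomSerial() (*big.Int, error) {
	return rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
}

// NewEnterpriseCA creates a self-signed issuing CA valid for ten years.
func NewEnterpriseCA(name string) (*CA, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	serial, err := randomSerial()
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(10 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &CA{Cert: cert, Key: key}, nil
}

// EnrollDevice issues a client-authentication certificate for one device, valid for validFor.
// The device identifier goes in the CommonName; the private key would stay on the device.
func (ca *CA) EnrollDevice(deviceID string, validFor time.Duration) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	serial, err := randomSerial()
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{CommonName: deviceID, Organization: []string{"Example Corp"}},
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(validFor),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca.Cert, &key.PublicKey, ca.Key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// VerifyDevice is the gateway-side check run whenever a device connects: the certificate
// must chain to a trusted enterprise root, be valid at `now`, and be issued for client
// authentication. On success it returns the enrolled device identifier.
func VerifyDevice(cert *x509.Certificate, roots *x509.CertPool, now time.Time) (string, error) {
	opts := x509.VerifyOptions{
		Roots:       roots,
		CurrentTime: now,
		KeyUsages:   []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	if _, err := cert.Verify(opts); err != nil {
		return "", fmt.Errorf("device certificate rejected: %w", err)
	}
	return cert.Subject.CommonName, nil
}

func main() {
	ca, err := NewEnterpriseCA("Example Corp Device CA")
	if err != nil {
		panic(err)
	}
	roots := x509.NewCertPool()
	roots.AddCert(ca.Cert)

	dev, _ := ca.EnrollDevice("phone-0001", 24*time.Hour)
	id, err := VerifyDevice(dev, roots, time.Now())
	fmt.Println("enrolled device:", id, err)

	other, _ := NewEnterpriseCA("Not Our CA")
	otherDev, _ := other.EnrollDevice("phone-0001", 24*time.Hour)
	_, err = VerifyDevice(otherDev, roots, time.Now())
	fmt.Println("certificate from another CA:", err)

	_, err = VerifyDevice(dev, roots, time.Now().Add(48*time.Hour))
	fmt.Println("enrolled device after expiry:", err)
}
```

Two things the in-memory model leaves out matter in a real deployment: the device's private key should be generated and held in the handset's hardware-backed keystore so that the certificate cannot simply be copied off a lost device, and the gateway needs a revocation check (CRL or OCSP) so that a device reported lost or de-enrolled is refused before its certificate expires. Short validity periods, as used above, limit the window during which a missing revocation check matters.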
In sum, as personal communications devices in the workplace rise, we must be vigilant to see both opportunity and risk, and continuously find ways to enhance one while reducing the other.
Bob Butler is a Senior Advisor to The Chertoff Group and previously served as the first Deputy Assistant Secretary of Defense for Cyber Policy.