The Risks and Benefits of Allowing Employee-Owned Devices

Joe Mont | June 5, 2012

Fueled by the popularity of the iPhone and iPad—and aided by the uncertain future of Research in Motion, maker of that longtime business staple the BlackBerry—companies are increasingly embracing a “bring-your-own-device” workplace.

No longer content with just a company-issued desktop or laptop, employees are looking to thumb their way through e-mail and what is often sensitive company data whenever, and wherever, they choose on devices they purchase themselves. The trend has forced companies to weigh the benefits of a happy, productive workforce with security issues and regulatory requirements.

“I think the BYOD discussion is going to come down to how much you can get away with before you introduce harm,” says Davi Ottenheimer, president of information security firm Flyingpenguin. “If you give employees a workspace that they are able to own, and run with, they will be productive. But on the flipside you are also introducing so much more risk,” adds Ottenheimer, co-author of "Securing the Virtual Environment: How to Defend the Enterprise Against Attack.”

While some companies are embracing the BYOD approach—happy to let employees bear the cost of hand-held devices—others are clamping down on the practice out of security concerns. For example, IBM recently evicted Siri from its workplace and banned employees from using their own devices, like iPhones, to view company data. IBM cited concern over the way Apple's data pipeline between users and the voice-activated “personal assistant” could compromise security. “IBM has a lot to lose if Siri is actually leaking data out,” Ottenheimer says.

IBM also bans cloud-based services, like Dropbox, that are more consumer focused and don't offer robust, enterprise-level security.

Mobile computing has “dramatically changed how we exchange data,” says Rick Dakin, CEO and co-founder of Coalfire, an information technology governance, risk, and compliance firm. “Unfortunately the developers of mobile applications and the cloud services that support them did not bake compliance and security into the solutions,” he says. “I think the rapid change caught developers and enterprise IT off guard. In a way, it is more than bringing your own device to work, it is managing compliance in the post firewall era.”

Dakin recalls sitting on a flight recently beside a fellow passenger who was frantically pounding out an executive briefing filled with sensitive sales data on a brand new iPad, using the airplane's insecure WiFi—a scenario he says is far too common. “The IT department of that enterprise has no idea what he is doing, has no idea what the access controls are, has no idea what data is being addressed, no idea how that data is being transported, and has no ability or access to wipe that iPad should he lose it,” he says.

According to Dakin, most companies don't even realize the security risks they are taking when they allow employees to use their own electronic devices. “Can you imagine being the internal auditor and going to your board of directors and saying, ‘Well, I can provide evidence that we have compliance on these rigorous data protections and intellectual property protection policies that you set on 60 percent of our devices. The other 40 percent? We have no clue,’” he says.

Some IT security experts say that companies can allow a BYOD approach and still maintain some security standards. “Companies have to find a way, from a political standpoint, to use compliance to say, ‘You can bring your device, but we will hold you responsible and we will take action, in self defense, to protect our assets, and to make sure the devices that are brought in meet our compliance guidelines,’” Ottenheimer says.

Embracing BYOD

A study of 600 U.S. IT and business leaders conducted last month by Cisco finds that more companies are embracing BYOD. “IT is accepting, and in some cases embracing, BYOD as a reality in the enterprise,” the study's authors wrote.

According to the study, 95 percent say their organizations permit employee-owned devices in some form in the workplace. Eighty-four percent of IT departments not only allow employee-owned devices, but also provide some level of support, and 36 percent of those surveyed say enterprises provide full support for employee-owned devices.

The trend toward BYOD has both helped and hurt Cisco. Last month the company announced that while the trend has led to “tremendous interest” in its Jabber and WebEx collaboration software, these same “market transitions” led to a decision to cease development of its Cius tablet. Launched in 2010, the enterprise-focused tablet found itself struggling to draw market share away from the consumer-level devices being integrated into the workplace.

The same trends haven't been kind to BlackBerry. “In the old days, not that many people really bought a BlackBerry themselves,” says Ojas Rege, vice president of strategy for MobileIron, a company that provides enterprise management and security for mobile devices and apps. “The BlackBerry was a business instrument that maybe you did some personal stuff on. What's changed now is that every individual wants a smartphone or a tablet and it is a personal instrument that they are also going to do business on. The role has reversed.”

Companies have already looked at issues like encryption and password protections, Rege says. What they haven't done as well is to bridge the gap between implementation and policy, particularly when it comes to privacy issues.

“[In the past] they have been able to put policies in place without really having to consider the impact of privacy. In a BYOD setting, with a personal device that is being used for business, suddenly, privacy becomes relevant,” he says. “Security is an enterprise worried about losing its data. Privacy is a user worried about losing his or her data. It is exactly the same problem, but from two very different perspectives.”

Protecting Data

The first step for companies looking to adapt to BYOD demands, Rege says, is to identify the baseline for corporate data protection. They then need to assess what could happen to a mobile device that might pose a threat to corporate data, such as a lost phone or a user who removes password protection.

Similar to how companies deploy data classification programs, users can have privileges reined in based on their mobile devices' trust level.

Figure: a Cisco graph of what is trending now for mobile devices. Source: Cisco.

“You can say that a highly trusted device, which has defined characteristics, gets access to all my enterprise resources,” Rege says. “If the trust level of that device drops, you only get access to e-mail and not an application with financial data. If the trust level drops even more, you don't get access to anything.” He says the trust level of a particular device can be changed through the day depending on its characteristics, such as its location or behavior pattern.
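As an added illustration of the tiered model Rege describes above (a device's posture is scored into a trust level, each level unlocks a set of resources, and the score is recomputed as the device's characteristics change through the day), here is a small Python example. It is not code from the article, from MobileIron, or from anyone quoted; the posture fields, resource names, trust tiers, region list, thresholds and the sample device and events are all constructed for the example. A real deployment would take posture data from a device-management agent and the resource list from its access gateway.

```python
from dataclasses import dataclass, replace
from enum import IntEnum


class Trust(IntEnum):
    """Device trust tiers; a higher tier unlocks more resources."""
    NONE = 0   # no access at all
    LOW = 1    # e-mail only
    HIGH = 2   # all enterprise resources


@dataclass(frozen=True)
class DevicePosture:
    """Posture attributes a management agent might report (hypothetical field names)."""
    device_id: str
    passcode_enabled: bool
    storage_encrypted: bool
    jailbroken: bool
    reported_lost: bool
    region: str              # coarse location reported by the agent, e.g. "US"
    failed_unlocks_24h: int


# Minimum tier each resource requires (constructed resource names).
RESOURCE_MIN_TRUST = {
    "email": Trust.LOW,
    "finance-app": Trust.HIGH,
    "hr-portal": Trust.HIGH,
}

# Regions where the device is normally expected to be (constructed).
EXPECTED_REGIONS = frozenset({"US", "EU"})


def assess_trust(p: DevicePosture) -> Trust:
    """Map one posture snapshot to a trust tier; the lowest applicable tier wins."""
    # A lost, jailbroken or passcode-less device is treated as untrusted:
    # whatever is cached on it is already exposed, so it gets nothing.
    if p.reported_lost or p.jailbroken or not p.passcode_enabled:
        return Trust.NONE
    # Weaker signals (no encryption, unexpected region, repeated failed
    # unlocks) degrade the device to e-mail-only rather than cutting it off.
    if (not p.storage_encrypted
            or p.region not in EXPECTED_REGIONS
            or p.failed_unlocks_24h >= 5):
        return Trust.LOW
    return Trust.HIGH


def allowed_resources(p: DevicePosture) -> set[str]:
    """Resources whose minimum tier the device currently meets."""
    tier = assess_trust(p)
    return {name for name, need in RESOURCE_MIN_TRUST.items() if tier >= need}


def can_access(p: DevicePosture, resource: str) -> bool:
    return resource in allowed_resources(p)


def trust_over_day(start: DevicePosture, events: list[dict]) -> list[tuple[str, Trust]]:
    """Re-evaluate trust after each posture change reported during the day.

    Each event is a dict of field updates plus a 'label' for the log.
    Returns (label, tier) pairs, beginning with the initial state.
    """
    posture = start
    timeline = [("start", assess_trust(posture))]
    for event in events:
        changes = {k: v for k, v in event.items() if k != "label"}
        posture = replace(posture, **changes)
        timeline.append((event["label"], assess_trust(posture)))
    return timeline


# Constructed sample: a well-configured phone that travels, has its passcode
# removed by the user, and is finally reported lost.
SAMPLE_DEVICE = DevicePosture(
    device_id="phone-0001", passcode_enabled=True, storage_encrypted=True,
    jailbroken=False, reported_lost=False, region="US", failed_unlocks_24h=0,
)
SAMPLE_EVENTS = [
    {"label": "lands outside expected regions", "region": "XX"},
    {"label": "returns home", "region": "US"},
    {"label": "user removes passcode", "passcode_enabled": False},
    {"label": "reported lost", "reported_lost": True},
]

if __name__ == "__main__":
    for label, tier in trust_over_day(SAMPLE_DEVICE, SAMPLE_EVENTS):
        print(f"{label:32s} -> {tier.name}: {sorted(allowed_resources(replace(SAMPLE_DEVICE)))}")
```

The design point is the two-speed response Rege describes: hard failures (lost, jailbroken, passcode removed) drop the device to no access, while softer signals such as an unexpected location only pull it back to e-mail. Because the score is recomputed from the latest posture on every change, the sample device goes from full access to e-mail-only while travelling, back to full access on return, and to nothing once the passcode is removed, without any rule ever referring to the user rather than the device.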

“The mind shift compliance and security teams need to have is that the user experience is fundamental, so anything they do on the security side that breaks user experience will just lead that well-intentioned user to go rogue,” Rege says. “They will just go around it. User experience will actually trump your security policy.”

Updating security policies to adapt to mobile devices is another important step, says Dakin. “Most companies have not,” he says. Internal audit requirements also have to be updated to account for mobile computing. “It is a question of raising the awareness, because the solutions are there, they don't need to fear migration to mobile, they just need to plan for it and execute for it,” Dakin says.

“Unfortunately, many of the business decision makers, the ones who allocate the capital, don't understand the technology,” he adds. “The early wave of security was all about firewalls and intrusion prevention because the bad guys lived in Russia and they were going to attack us over the Internet. That's really where their education stopped, with that firewall mentality of a hard candy outer shell with a soft, gooey inside.”

Beyond users, companies also need to navigate regulatory hurdles.

“There are a lot of companies that are worried about moving forward with next-generation mobile apps because they are not sure how to handle their compliance teams and regulators in a way that gets everyone to a place where they need to be,” Rege says. “I think there are going to be some new models for how a compliance team is structured and how the relationship with whatever regulatory body is managed on a daily basis.”

Ottenheimer predicts that these issues will gain more focus as younger people, raised on technology, enter government. “We are transitioning into the era of the tech-aware regulator,” he says.