BYOD Is Everywhere: Wear Your Own Device Is Next

Everyone is bringing their own devices to work. But is sensitive data being secured properly on our smartphones and tablets? Soon, new technology will be worn wherever we go. Is your enterprise preparing for WYOD?

by / December 7, 2014

Credit Flickr: Eivind Barstad Waaler (Creative Commons)

“Ready or not, here we come.” 

And the “we” in this case is wearable devices coming into an enterprise near you.

That was one key message for attendees this past week at an all-day event entitled Bring Your Own Device (BYOD): A Summit for Decision-Makers. The workshop, held in Ann Arbor, Michigan, brought together public and private sector technology and security leaders, as well as experts from academia and a wide array of vendor sponsors, to discuss hot trends for employees who are bringing their own devices to work.

Greg Smith, Chief Information Officer at the Missouri University of Science and Technology, set the tone in his opening keynote, entitled, BYOD: We just need to keep up.

“BYOD is here now. It’s happening all around us…. It is the status quo – especially on university campuses….”

Greg emphasized that the real questions are around what is coming next, and the answer to that is Wear Your Own Device (WYOD). It will be huge, and it is coming soon. We need to prepare.

Greg’s main points were around our urgent need to prepare infrastructure, security and mindsets for the new normal which is already trickling into our environments now – with a flood of new devices coming soon.

Greg Smith, CIO at the Missouri University of Science and Technology

There were numerous breakout sessions offering practical solutions to existing BYOD challenges. It was immediately clear to me that the market to securely support BYOD in enterprises has come a long way in the past few years. I urge readers to take a new look at available options to help secure existing government and private sector BYOD implementations or plan new deployments.

BYOD Is The New WiFi

My lunch keynote presentation addressed the topic: BYOD Is the New Wifi: How Can We Enable Mobile Data Security?

I started out by asking: "How many people purchased personal technology products over the past week (including Black Friday and Cyber Monday) that they intend to bring into work in some form?"

(Not surprisingly, almost half the hands went up.)

Pressing further, I asked how many had a formal BYOD policy that allowed them to do that, and many of those hands dropped. The reality became clear that even leadership staff are often doing what they think is best, regardless of corporate policy. BYOD is, in fact, happening almost everywhere.

I listed seven key questions to ask about your current enterprise environment regarding mobility:

1) Who is really using mobile technology? (Don't just include staff who are formally authorized.)

2) How are they truly using mobile devices?  (Include both company and personally-owned equipment in your fact-finding mission.)

3) What data is being accessed on what devices? (Personal and company)

4) What policies are in place, and are they being followed?

5) What controls and protections are in place for sensitive data?

6) What helpful, relevant, engaging training is provided (and taken)?

7) What’s coming next? Are you prepared for next-generation people, process & technology?

Dan Lohrmann, lunch keynote on BYOD, photo by Tiziana Galeazzi

I proceeded to explain that the history of WiFi (and later cloud computing) is very similar to the current debates regarding BYOD. Will we learn from the past or not? You can find out more about my point of view on this BYOD topic at this CSO Magazine blog post from 2013.

While I won’t repeat all the details from my 45-minute talk here, an outline of the key solutions included:

- Develop, and enforce, strong use policies.
- Require strong password controls.
- Clearly define user responsibilities.
- Explain user risks up-front.
- Establish remote-wipe capability.
- Classify your data, and know where it is.
- Track your assets.
- Implement Mobile Device Management (MDM) to enforce policies and dual personas on personal devices.

While these items may seem rather basic, they are very hard to do effectively. They also tend to be the areas that get enterprises in trouble with BYOD.

Examples Please - Not so fast…

I wanted to provide you with some of the details from one of the breakout sessions, where the State of Michigan (SOM) described their BYOD program using IBM’s MaaS360 MDM product.

Here’s the session description for BYOD a la SOM, featuring Tiziana Galeazzi, Office of the Director and State CIO, from the Department of Technology, Management & Budget (DTMB) and Paul Groll, Office of the CTO, DTMB.

Tiziana Galeazzi describes BYOD benefits

The DTMB BYOD program described was:

• Successfully launched October 1, 2014
• Open to all State Agencies
    o DTMB - first agency to pilot
    o Smart Phones and iPads were allowed
    o MDM + security container were included
    o Policy and Use Agreement signed by all participants
    o Taxable Reimbursement provided
    o Feedback on user experience was 100% positive

Some special BYOD program considerations included:

• Communicating the advantages of implementing a BYOD strategy
    1. Cost savings
    2. Workforce strategy (employee satisfaction, attractive workplace, productivity gains)
• Self-Service (internal app store)
• Opt-in with incentives
• Enforce security requirements
• Measure and monitor BYOD program with metrics

Paul Groll also described current efforts to tune government acceptable use policies for upcoming wearable devices. Some considerations include:

- Whitelist - What is allowed?
- Blacklist - What is not?
- Using Wi-Fi? Whose Wi-Fi?
- Using Bluetooth/NFC? Issues?

Wrap-up

I ended my lunch keynote session by suggesting that wear your own device (WYOD) is indeed coming next, and it may become a major headache for IT departments. Like WiFi, the BYOD ship has left the dock.

Here are some recent articles on the coming WYOD revolution:

Forget BYOD – What About WYOD?

Vars Urged to Prepare for Wear Your Own Device (UK)

Internet of Things could bring a new economic boom - Computerworld USA

I urge government readers who have been moving slowly in this mobile space to get on board with the trend to securely enable BYOD in your current business situation. Otherwise, end users will just go around management and take these technology matters into their own hands, making the enterprise less secure.

 

Note: Photos by Dan Lohrmann unless otherwise noted.  

 

Dan Lohrmann Chief Security Officer & Chief Strategist at Security Mentor Inc.
