Wednesday, March 13, 2013

BYOD – The chaos unauthorized devices bring to an organization

A new study [1] by Spyglass Consulting Group says that more than two-thirds of nurses are using unauthorized devices for clinical communications. The report is based on in-depth phone interviews with 100 nurses in a variety of healthcare organizations in 33 states, focusing on the information requirements of nursing and the use of mobile and wireless technology to meet those requirements.

A Cisco-sponsored survey [2] of 512 security professionals across five countries, including the U.S., found that the use of unauthorized devices on corporate networks is proving to be a hassle and, in some cases, a significant security issue for IT. The findings are similar for unauthorized apps. The report says that ITSDMs (IT Security Decision Makers) want to know what security applications employees are running (63% of them) and what OS (56% of them). More than half (56 percent) of ITSDMs said they had determined that their employees use unsupported applications, with the U.S., China and Japan leading the way. About 30 percent of ITSDMs (54 percent in Germany, the highest level) said unauthorized users pose the greatest risk to their organization. When it comes to unauthorized network devices, such as smartphones, the risk has proven to be very real. About 40 percent of the ITSDMs surveyed said they'd experienced a breach or loss of information due to an unsupported network device.

Gartner analyst Ken Dulaney said the growing use of unsupported devices is becoming a real headache for IT. "About five times a week I hear from enterprise clients that are freaking out about the use of unauthorized mobile devices," says Dulaney. "Employees are getting really good at getting around whatever the company policy is." Dulaney said many vendors can help with mobile management and audit solutions that get this new generation of devices "on the table instead of under the table," so IT can see what's out there. "These smartphones and other devices that are being used, aren't behind the firewall and they're not encrypted so that's a real problem for IT," he added.

One employee with a $30 access point purchased at Wal-Mart or Fry's can open up the entire corporate network, allowing anyone with a mobile device to connect to it and reach the company's internal network.

Once these unauthorized (or rogue) devices are connected to the corporate network, the vulnerabilities on them expose the organization's confidential data and critical assets, including intellectual property, to the outside world. These devices can also introduce malware into the corporate network unintentionally.

The biggest issue with unauthorized devices is that IT has not verified their security. They can carry many vulnerabilities and malware that can gain access to critical clinical data, and if that data leaks to the outside, the organization faces huge legal risk, lawsuits, and loss of brand value.

Another issue is enterprises being lax about these devices and turning a blind eye to the security threats they might pose. Many enterprises are reluctant to strictly forbid unapproved apps and unauthorized devices, or to enforce bans on them, because they appeal to the younger generation of workers these firms want to attract and retain. Nevertheless, they want to know which devices and apps are running, how vulnerable they are, and how much of a threat they pose to the corporate network.

Beyond these issues, there is the question of whether tools are available that discover all these devices and apps, bring them under IT management, and provide that safety net.

"There are two interesting problems: one is that the consumer is taking control of IT and the other is that the IT guy is resource-constrained," said Nokia Vice President Purnima Kochikar. She added that traditional, behind-the-firewall security solutions aren't enough in increasingly mobile enterprises. "Everything you thought was secure inside the firewall can be left behind in a taxi," warned Kochikar.

"There's no denying the end-user or organizational value of smart devices. But, we face technical challenges when managing them for performance and security, especially when they're not authorized," said Rich Green, lead wireless engineer at Community Health Systems.

Thankfully, today we have access to a new generation of tools that can detect all these rogue devices and bring them into the IT safety net. These tools non-intrusively and routinely analyze your company's network, look for any ambiguous traffic, detect all such devices and bring them into the IT safety net, leaving IT to take further action (in fact, i7's peregrineguard does this).

With such measures and tools in place, businesses can actually encourage employees and authorized guests to bring their favorite wireless devices, smartphones and tablets to work. A blanket ban that says "No to BYOD" in no way enhances security, and it saps employee morale. Instead, enterprises can allow all their employees, field force and even temporary workers and contractors to bring the devices they are comfortable with, enabling maximum productivity and the highest satisfaction among the workforce, while still feeling safe that there are no unauthorized devices or apps on the network and that the network is safe from attacks from unauthorized or insecure devices.

Manjunath M Gowda
CEO, i7 Networks, "Agentless BYOD Discovery & Control", @i7networks

(Reproduced from i7 Networks blogs with permission)
