BYOD: A Leap Of Faith For Enterprise Users?

This post is based in part on my remarks at the upcoming Direction 2012 conference in Tokyo on August 7.

I’ve been talking about Consumerization and BYOD – bring-your-own-device – for quite a while now. What has changed in that past year since my presentation at the CIO Summit in Singapore?

What has changed is that more and more organizations are adopting BYOD. Executives and IT managers are learning about the benefits and the perils of BYOD first-hand.

Trend Micro has been working with industry analysts like Decisive Analytics and Forrester Research to take the pulse of IT decision-makers, to help us understand their challenges and what solutions we can offer. They also give us great insights into the state of the union of BYOD.

So, let’s start with the most obvious question: how widespread is BYOD? Last year, as part of our Consumerization Report, we found that just over half – 56% of those surveyed – said their companies allowed BYOD. Our new studies in 2012 found that this number had gone up quite significantly: the Forrester study found that this figure was now above 76%. What’s most interesting is that you have countries which were relatively resistant to BYOD becoming more accepting today.

What devices are being used in BYOD? Mostly, what you’d expect: laptops, smartphones, and tablets. It’s the latter two that can cause organizations the most problems. Corporate IT knows how to secure and manage laptops running traditional operating systems; many organizations may not know yet how to properly deal with new mobile platforms stemming from unconventional IT vendors such as Apple (iOS) and Google (Android).

Even as enterprises adapt BYOD, they’re facing risks and real world consequences. The biggest worries – by far – are data security, compliance, and employee privacy. Not only that, around half of the companies surveyed have admitted that because of BYOD, they’ve lost data.

What are companies already doing to ensure that BYOD does not turn into a security nightmare? For starters, in almost all cases IT administrators are installing security and remote management software into user devices. They’re also making it easier for IT to wipe personal devices if corporate data is put at risk.

Both of these are good places to begin, but to properly secure BYOD administrators have to understand two things: what they are securing, and what the threats are.

IT administrators generally regard the top mobile OSes as being fundamentally identical to one another when it comes to security and manageability. However, that’s not completely accurate.

As part of the Consumerization Report, we also looked at the inherent security features of four mobile platforms: Blackberry, iOS, Windows Phone, and Android. That’s also the order we scored the four OSes: from most secure to least secure.

If you’re an IT administrator, that’s quite a problem: the most secure OS is also one that is dying; meanwhile the most popular mobile OS is the most exploited! IT managers have to understand the threat landscape for each mobile platform is subtly different, and protect against these accordingly.

Let’s look at the two biggest mobile OSes to understand what the risks are. First: the Apple iOS platform.

The perception is that Apple is a closed, secure platform. However, it’s not immune to risks: if you look at the number of vulnerabilities that are disclosed publicly, the numbers for iOS are far higher in 2012. There’s also jailbreaking, which breaks the Apple “walled garden”, thus lowering security. So iOS has its share of risks, too.

Android, however, is where the real action is as far as threats are concerned. Consider the chart below:

Android malware is growing at a rate that’s even exceeding our forecasts.

Another problem with Android is how many versions are out there in use. Consider the chart below:

More than 80% of Android devices out there are on rather old versions of Android. That means that vulnerabilities may not be fixed. New security features may not be available.

Fundamentally, where iOS is a closed platform, Android is an open one. This allows all sorts of threats to proliferate, even within the official Android app store. Let’s just look at the following incidents, which all took place just this year:

February 2012: a fake version of Temple Run
February 2012: developer pretended to be Rovio, known for the Angry Birds franchise
May 2012: 17 malicious apps totaled more than 700,000 downloads; these included a spying app
May 2012: another spytool app

So, in short, the threats in mobile platforms do exist. However, BYOD is going to happen to your organization – whether you like it or not. What IT managers should do is find a way to make it safe for enterprises so it’s not a blind leap of faith, but a reasoned move towards the future.

The three things I want you to take away from this talk are:

1. Embrace Consumerization.

It’s going to happen; it also brings about a more productive and engaged workforce. IT administrators should realize this and work to make BYOD a success within their organization.

2. Understand the risk profile of the various mobile platforms.

Each mobile platform has different capabilities available to it, as well as risks facing it. Understanding these is key to making BYOD secure.

3. Deploy new security and management tools

Once you have an understanding of the threats and dangers facing your users, you can now deploy the appropriate tools and technologies to guard against these problems.

Resources