BYOD 'explosion' but security caveats exist for CYOD too
The Bring Your Own Device (BYOD) trend is already entrenched in many businesses, but some IT departments are trying to regain control - and security - by opting for Choose Your Own Device (CYOD) instead.
Speaking at this week's Infosecurity Europe exhibition in London, ESET senior research fellow Righard Zwienenberg talked through the advantages and disadvantages of CYOD, and was quick to state that it may not be for everyone.
In addition to the difficulty IT departments face in issuing corporate devices to workers already happy using their iPhones and iPads, he noted that employees may not like the corporate device, while IT workers themselves will be tasked with staying on top of exploits, firmware updates and the latest device features.
What's more, he suggested that employee policies could be difficult to apply.
“You really have to be careful,” said Zwienenberg, further adding that there are decisions to be made on employing MDM (Mobile Device Management) control and enforcing controversial features, like remote wipe.
But he's adamant that, should businesses be able to get their heads around all this, and even smaller security difficulties like fending off the threats associated with USB attachments and interchangeable SD cards, CYOD represents a more secure alternative to BYOD, even if the latter is expected to represent a billion devices globally by 2018.
“Anyone thinking that BYOD is probably for the near future is wrong - we're already there and it's more and more of an obstacle. Sooner or later, it will explode,” he said at the conference.
SCMagazineUK.com caught up with Webroot's security intelligence director Grayson Millbourne shortly after the talk, and he too believes that CYOD is potentially an enabler of mobile devices in the enterprise environment.
“When a corporate provides its own devices, it's much more secure,” he said.
That said, he stressed that companies' ‘employee bill of rights’ will ‘go out of the window’, with IT reclaiming control potentially having a knock-on effect on privacy and access.
What's more, he - like Zwienenberg - suggested that it could be difficult for companies to get people to swerve their personal devices for CYOD, citing Webroot's own data which shows that almost 50 percent of BYOD users would stop using their devices for work purposes if data-heavy security applications were bolted on by corporate IT managers.
From the employer's side, Millbourne also suggested that some firms may be unwilling to make the switch away from BYOD when it's driving big financial gains, and instant productivity boosts. As a result, Millbourne believes that companies going down the CYOD route will perhaps embrace it for sensitive IP, something other commentators recommended recently, but said that this in itself was no guarantee that enterprise mobile users won't be targeted.
He cited malicious apps downloaded from third-party app stores, bogus in-app ads, social engineering and spoofed mobile websites (done at the web server level so that companies see their desktop version is OK and so perform no further checks) as common mobile attacks, and believes that the web - and the user - are the biggest vulnerabilities.
“The WebKit exploits we see on Apple also exist on Android...so the underlying technology, at least on browsers, is very similar.”