Interesting article in Wired Magazine about how the New York Times network was infiltrated by Chinese hackers looking for information about Chinese dissidents that reporters may have interviewed. This ties back into the discussion we had in class about security.
I believe that the decision to implement a Bring Your Own Device policy boils down to what kind of organization you are:
On one side of the spectrum, your organization may exist in a corporate environment where network security is a major consideration for management. The Helpdesk would have to fully support every Tom, Dick, and Harry’s iPhone, BlackBerry, iPad, Nexus 7, Lenovo ThinkPad, Android OS, OS X, Windows Vista through Windows 8, etc., and the risks would outweigh any benefits. In this case, BYOD would not be an ideal solution.
At the other end of the spectrum, an organization could exist in an academic environment where users have to register their mobile devices with a Network Access Control solution or they can’t access the internet, Helpdesk policy is that students support their own personal computers or mobile devices, the network is subnetted, and the students use Google Docs instead of a shared drive on a local public server located somewhere on campus. After a Risk Assessment and Cost/Benefit analysis, the Administration may decide that it makes more sense to give students the ability to access the internet from their personal devices than to continue supporting computer labs that need to be maintained and whose computers have to be replaced every three to five years.
In the end, it comes down to whether an organization can decide that the risk is acceptable and whether it can maintain an acceptable level of support for its users. BYOD is certainly not an appropriate solution for every organization, but it could work very well in certain environments.
It’s not just new, untested social media applications that we need to be worried about. People who are otherwise technically savvy use “legacy” sites such as Facebook and LinkedIn without fully understanding the way privacy settings are implemented; they don’t understand who can see their posts and who can’t.
For example, a friend of mine just got married, and proudly put a picture of his wife’s visa online to show off her new married name. For a brief period of time her full legal name, address, visa number, etc., were online and available to everyone on the internet. Fortunately, my wife read his post shortly after he posted it, and he took it down.
I think part of the problem is people tend to be lax about who they think should be able to see their posts. But I also think that sites like Facebook and LinkedIn make security obtuse and difficult to figure out. We need to do a better job of educating users, and we also need to push back against these companies to make configuring security easier.