For those of you who don’t know who Tom Brady is, (go ahead and laugh, but an unscientific poll in my hacker-heaven office to the question of “who is Tom Brady” gets a lot of blank stares) he is an NFL darling and New England Patriots star quarterback caught up in a controversy known as Deflategate <https://en.wikipedia.org/wiki/Deflategate> . And apparently, he decided to destroy a personal phone wanted as part of the investigation rather than turn it in as evidence.
I was curious when I saw the Minneapolis/St. Paul Business Journal’s recent weekly poll asking readers the question related to the Brady news story: “If your employer asked for your personal mobile phone as part of an internal investigation, would you hand it over?” After all, it is very common in today’s business environment for employees to not only use their personal phones to conduct business, but for companies to encourage the use of personal computers over company-supplied ones. It can be cheaper to have employees provide their own device rather than maintaining an arsenal of up-to-date devices; it allows those picky staff (I’m talking to you Mac lovers) to use the device that they are most comfortable with; and, in some cases, it’s born from necessity – this world of on-demand workers means lots of people work part-time at more than one company and having a device for each is not at all practical.
Knowing that in some cases, BYOD (bring-your-own-device) is the norm, and that in most, workers use their personal phones to access company email and other company resources, I was curious about this particular poll. After all, it’s often necessary to gather up impacted devices as part of a breach investigation. So I wanted to know how willing people would be to voluntarily hand over their personal possessions.
Wanna know the results?
If your employer asked for your personal mobile device as part of an internal investigation, would you hand it over?
Total number of responses: 6345
This poll is not a scientific sampling. It offers a quick view of what readers are thinking.
*As of 8.19.15 – see the Business Journal article for up-to-date polling results <http://www.bizjournals.com/twincities/pulse/poll/if-your-employer-asked-for-your-personal-mobile-phone-as-part-of-an-internal-investigation-would-you-hand-it-over/17901872?ana=e_du_poll&u=NAGHyJ775ZoDcRmK+HFnGA07c62518&t=1439904022>
So, wow. There’s that. 79% of respondents said they won’t hand over their phone.
Now, I get where these users are coming from. If you scroll through the comments you’ll see common threads about concerns over employers digging into personal information that isn’t their business and the desire to protect their right to privacy.
But there are real implications to giving access to your corporate network and information resources to staff without having the ability to investigate when something goes wrong. Without a device that may be tied to a breach, you are left without important details, like log files, that could help determine the root cause.
One of the key tenets of information security is to prevent, detect and correct information security issues. By being denied access to phones or workstations that may hold critical information about the cause of a breach, you are taking away your ability to fully identify how the breach occurred and how to prevent it from happening again. It’s very hard to defend what you don’t have control (or at least insight) over. So you have to find a way to maintain control.
To be upfront, I’m not a fan of BYOD. I like the idea of using work resources (and time) for work and using personal resources for personal life. But I do understand the practicality of it in some instances and I realize that the lines between personal and professional for many are much more blurred and not as easy to compartmentalize. However, many commenters in the poll stated that they’d only turn over the device if the employer was paying for it. And in the end, you have to make sure you are protecting your organization’s information and that you can do your due diligence if things go wrong.
You have to consider the risk
I remember when I started down the rabbit hole that is information security. I’d pose a question as to how we should address some particular infosec topic and the reply from whatever expert I was consulting with would say “you have to consider the risk”. I hated that answer. Even today, when I give that same reply with complete belief in it, I sometimes feel that tinge of guilt like I’m giving a non-answer. But it’s the truth.
There is no one-size-fits-all answer to most information security questions, and especially this one. Each company has to weigh the business requirements and the associated risks to determine their own stance on the matter. Let’s consider a couple scenarios:
Company 1 manages a lot of highly confidential information for its clients. If any of the managed data were compromised, it would result in substantial fines, legal woes, loss of reputation and, potentially, put the company out of business. There is a very strong business need to ensure all of the managed data, and all access to it, is tightly controlled and monitored. Allowing employees to use their own personal devices to connect to the network exposes Company 1 to a greater risk of losing control of the data, because the company has no monitoring software, logging or hardening controls in place on the personally managed device. It is in the best interest of Company 1 to not allow BYOD and either enforce a device management solution for external email access or own the mobile devices that access company email.
Company 2 develops websites for its clients. The work is very seasonal and during peak periods they bring on contract developers to help manage the workload. All of the code repositories are managed in the cloud and the company has controls in place to manage each user’s access to the data based on whether they are working on a project. In this case, allowing users to use their own devices poses less risk. All of the data is managed in the cloud and no network access is required. Company 2 is best off allowing BYOD and having users sign off on the company’s ability to access their devices for investigative purposes.
And, in the end, it all leads back to policies and training
My mantra, and not just because it’s what I love to do, is that policy and training – two pieces of infosec gold – can prevent a lot of future harm.
You have to define what is acceptable for mobile/BYOD for your organization (and enforce it). If you are allowing users to use personal devices, make sure you get a signed agreement that in the event of an incident, they are required to hand over their personal devices for an investigation. Better yet, implement an MDM (mobile device management) solution. If they refuse at the outset, you can work out an alternative solution early on (e.g., purchase a company device, remove access to the network).
You then have to explain to your users why it’s important to have access to their devices (or have the ability to search their email or their browsing history, etc.). Privacy is still a concern for many and you want to make sure they understand what information you need access to and why. Walk them through potential breach scenarios and show them how information on their devices can help in an investigation. Explain the risks of mobile and BYOD and why the protections you are choosing are necessary.
Take the time to make sure your stance on mobile devices and BYOD isn’t adding unnecessary risk to your organization. Not sure how to start? Contact us!