Bring Your Own Device (BYOD) – Redux
Just over a year ago, Firestorm published an article on BYOD (Bring Your Own Device), The BYOD Conundrum. On March 25th, Smartbrief on Cyber Security linked to an article published by ARN. That article stated, “mobile malware has become one of the ten most prevalent families attacking A/NZ (Australian/New Zealand) corporate networks.” The mobile malware to which ARN is referring is malware buried in apps for mobile devices – the very devices that BYOD policies address and about which Firestorm posted in the March 2015 issue of Disaster Due Diligence.
Policies authorizing employees to use their preferred, personal mobile devices offer significant benefits to companies, including access to the latest hardware and software without incurring company expense. The obvious drawback is the increasing security challenges.
The discussion in the Firestorm March 2015 article remains completely accurate and germane, although it did not include any discussion of hacking techniques that have been deployed since March of ’15.
Those recently deployed techniques include the use of steganography (which “buries” executable code in images) and the increasing availability of “commercial” off-the-shelf hacking tools. These added hacker capabilities have increased the challenges facing corporate IT security professionals and the risk that a company will succumb to a cyber attack and be faced with the subsequent cyber-breach impacts.
Firestorm assumes that every organization deploys the best cyber security tools and processes available. Even operating under that assumption, no company is invulnerable to cyber attack. Cyber security professionals must “win every game.” The cyber-bad-guys only have to win one game. To put that in perspective, the last NFL team to go undefeated for one season was the Miami Dolphins in 1972 (that would be 46 years ago). There has never been an NBA team to go undefeated for a single season – not even the Michael Jordan Bulls, the Bill Russell/Bob Cousy/John Havlicek Celtics or the Kareem Abdul-Jabbar Lakers (note: those three teams have won a total of 42 championships in the 70 years of the NBA’s existence).
Does this mean that companies should not embrace BYOD? No, it does not. It does mean that companies face an even greater imperative to have both a top-notch IT security capability and a cyber-breach response plan.