The Bring Your Own Device (BYOD) Phenomenon

19 February 2013 by Ben Fielding

I wondered recently whether or not the BYOD phenomenon was old news; whether companies were surviving the influx of devices into their businesses and had found ways of addressing the security risks that can result, or if they had simply acquiesced and allowed it to happen, turning a blind eye to the consequences. Slightly closer to home for those involved in evidence management, I wondered whether computer forensic experts were keeping up to date with the explosion of devices and managing to extract valuable evidence from iPads and smartphones. Here are some of the answers I found as I set out to check on the latest information about BYOD.

A quick look at recent surveys shows that the BYOD trend continues to grow and that the majority of companies now allow employee-owned devices to be used – mine does. On the question of how many have policies and procedures in place to handle the security and legal risks, the last survey I saw said only 8% of UK companies do, and that’s probably because the technical, legal and ethical issues around BYOD are so complex.

The benefits are clear: allowing personally owned software and devices into the workplace can unlock a wealth of potential. Let’s face it, when we are allowed to use our own devices we can often work more creatively and productively, and we can take the office home in our pocket, to the coffee shop or wherever. At the forefront of companies embracing the change stand CIOs like Oliver Bussmann of SAP, who has deployed over 18,000 iPads to SAP's global workforce and who maintains an app store of authorized apps and an IT repair centre modeled on Apple's Genius Bars.

Despite all of this, BYOD remains a minefield when it comes to data security. Allowing personally owned devices full access to a secure company network is risky. Any data on these devices can potentially fall into the wrong hands: confidential company information can be stolen, or might be extracted after the device is lost, stolen, sold or thrown away. Employee-owned electronic devices often use older versions of systems and software, which may be less secure than modern systems. They may be infected with viruses and spyware that can infect the employer’s systems. If employee-owned devices are allowed full access to a secure network, there’s no guarantee that company data will not be passed on to insecure systems and networks later on.

So how do companies protect their data on these devices? In short, they are deploying Mobile Device Management software. This software allows the company to manage the security policies, content and privileges associated with devices, whether the device is owned by the business or by employees. This ensures that only authorised devices access the network, that the company’s information is secured, and that the device can be wiped clean if it is stolen or lost. Data can also be protected by using a virtual desktop infrastructure (VDI) and a hosted virtual desktop, where all the user sees is a virtual image on their mobile device. VDI is used widely in the finance and healthcare sectors because it allows users to access the required data but never stores it on a device.

Unfortunately, as with all technological evolutions, there are people who exploit the changes. As of late 2012, Trend Micro estimated the number of applications written for Android tablets and smartphones that could be characterized as either high risk or outright malicious at 350,000, with that number expected to triple in the following twelve months.

When it comes to evidence, the ‘lifestyle imprint’ now available on devices and the evidence trail they store and create might be highly relevant in an internal or regulatory investigation or in litigation. Smartphones yield much more evidence than their predecessors, and skilled forensic investigators can extract evidence from these devices. It is also now possible to view all the contents of an iPad by plugging it into specialist software.

The social trends that have made BYOD common practice show no signs of reversing. Apparently, the UK leads the world in terms of mobile data usage, and a fairly large chunk of that (40%) is created on social networks. Clearly, businesses cannot afford to be lackadaisical about BYOD.