The Pros and Cons of BYOD Were Laid Out in a Panel Discussion at Infosecurity 2013

The pros and cons of BYOD were laid out in a panel discussion at Infosecurity 2013 yesterday, with the CISOs of Commerzbank, law firm Field Fisher Waterhouse (FFW) and National Rail all giving their views on one of the most talked about topics in business IT over the past few years.

The CISO Perspective: The Pros and Cons of BYOD

Mobile and BYOD strategies

Andrew Yeomans, CISO at Commerzbank and a member of the Jericho Forum, said that the German bank had explored the concept of BYOD and carried out some experiments.

"It is a lot harder in a regulated environment. In financial services you're supposed to keep a log of everything and it can constrain you. One of the things we have explored is using [products from security vendor] Good Technology on devices and the other is using devices with purely a VPN connection," he said.

Yeomans said that not many employees use email in an offline mode, so if users were using it in a browser setting then many of the security issues normally connected with enterprise mobile use would no longer be there.

"As long as the user is secure in using the passwords it becomes much simpler than protecting the device that is not in your hands," he said.

Tracy Andrew, CISO at Field Fisher Waterhouse, said that the law firm would not go ahead with BYOD; instead it is trialling a corporate iPad scheme.

"100 people are trialling it and there has been a positive response, to the extent that tech-savvy lawyers in the firm have set up their own iPad user group and are looking at which apps best suit the law firm and best suit their needs. Then they set up a meeting with the IT directors and myself to discuss which of the apps we would go live on," he said.

Peter Gibbons, CISO at National Rail, said that the company has a mobile technology strategy that focuses on tablets and smartphones.

"We are aggressively using it to bring them across the rail industry; it's no secret that we are trying to save costs. The strategy will mean we'll have 8,000 to 10,000 iOS devices in the field helping us with things like inspection. At the moment, we have 100 to 150 users on a BYOD trial, using both Android and iOS devices," he said.

The mobile device management (MDM) solution

While Commerzbank has not adopted a mobile device management solution as yet, Field Fisher Waterhouse (FFW) has switched from Good Technology to MobileIron.

"We had a trial with Good Technology but it failed because of the double log-in feature, which as a security professional, I liked, but lawyers want easier access, so we then opted for MobileIron," Andrew said.

But the firm has since encountered problems with the MDM solution.

"MobileIron has been positive for iOS but bad for Android. We initially had a problem with the email client, which we resolved with [ActiveSync-based enterprise solution] TouchDown," said Andrew.

National Rail, meanwhile, has implemented MaaS360 by Fiberlink.

"We have Fiberlink for our corporate line of devices and that is fully tendered. We integrate this through the back-end and that is where we join it in with BYOD as well," Gibbons said.

Commerzbank's Yeomans added that enterprise management of devices can also hamper the security on the device.

"The latest iPad devices are significantly more secure out of the box than a provisional personal Windows XP system. As soon as people buy [their own device] from the store, have control of it and get someone else to do the management and the ability to zap things remotely, it has been proven to be a bad experience, it actually locks down the devices," he said.

"The FBI in their papers have expressed concern as to whether they can do any forensic examination on these devices and whether they can get any information out of them at all," he added.

FFW does not maintain a log of applications on personal devices but it can wipe data from a device and it uses encryption. With corporate devices it maintains a log of applications and other mobile services, Andrew said.

But the key to effective security for Andrew is staff training.

"I can spend £30,000 on training or on implementing security controls and I'd rather spend it on training," he said.

According to Gibbons, security awareness among users is improving.

"I do see consumers placing a greater emphasis on security, I think they see that as a bonus. That probably wasn't the case before," he said.

Andrew argued that with BYOD, the need for users to be vigilant is even greater.

"Few people let other users use their corporate laptops at home, but if with BYOD you had corporate accounts on personal devices that are being shared, problems can arise," he said.

Value of mobile devices

Andrew said that the concept of BYOD is attractive to him because of the additional responsibility an employee has over their own device.

"If the enterprise loses BlackBerrys or laptops, people get a replacement, but how many people lose their own phone? They don't tend to lose it because it's of tangible value to them," he said.

But Network Rail's Gibbons believes that BYOD has not yet proven that it is worth the cost and effort of implementing it.

"With mobile I see the benefits significantly outweigh the costs but with BYOD I'm yet to be convinced. If the employees didn't have them would they not do the work?" he asked.

Another issue is roaming charges, said Andrew.

"Who picks up the cost for roaming is an ongoing debate. If it's a corporate device, it's easy: it gets billed to us. But with BYOD we would have to find a compromise," he said.

Source: http://www.computing.co.uk/ctg/news/2236908/the-ciso-perspective-the-pros-and-cons-of-byod