Navigant Research
Bring Your Own Virus
Telecommunications providers have found their next golden goose: Bring Your Own Device, or BYOD. In case you’ve been living under a rock, BYOD authorizes employees to use their own personal smartphone devices to access corporate networks. BYOD saves corporations the expense of providing phones to their employees, while the employees get to use a device that they actually like. That’s the theory anyway. Some companies, such as IBM, are finding that BYOD can be a can of worms. The only surprise is that any of this is surprising.
Let’s be clear about something. When people talk about BYOD, they are talking about iPhones and Android devices. The one reasonably secure smartphone platform, BlackBerry, appears to be in its death throes. Other than a curious (to me, anyway) popularity in the U.K., I see very few BlackBerry users anywhere in my travels. People see my Torch and assume that I am some kind of social outcast.
Meanwhile, iPhones and Droids are notorious for the security that is missing from their platforms. At least Apple exercises some level of control over iPhone apps, but Droid apps are the Wild, Wild West. Anything goes. Nevertheless, CIOs want those devices to access their private corporate networks to save maybe $15 per month lease or depreciation expense. Sure, multiply that by 10,000 devices and that’s a lot of savings. Then again, one data breach is now estimated to cost the victim company $5.5 million on average. Would anybody like to prove to me that BYOD will be limited to a maximum of one data breach per company?
“It’s Our Network.”
Anecdotal evidence is not encouraging. One global company that I know has done an admirable job of locking down its workstations. No user has administrator rights. No software can be loaded onto workstations without corporate approval – not even solitaire. Unfortunately, this company uses elephantine Lenovo ThinkPad laptops, which cast grave doubt upon the definition of “portable”. Executives at this company – tired of lugging the laptop-cum-brick through airports after long flights – have purchased iPads to take on the road. Corporate email at their fingertips, in a sleek, lightweight device. And network security shot to pieces. Will the Chief Security Officer tell the CEO that he can’t have his iPad?
Financial institutions may be a bastion of resistance. I asked a friend who is Chief Security Officer at a large card processor, “What do you think about employees wanting to use their own devices?” His response was hard to misinterpret: “I don’t care what the employees want. It’s our network, not theirs. They access our network as part of their jobs, and they will do so with a device that we issue and configure.” As a fellow paranoid, I understand completely.
Smart grids are not immune to BYOD fallout. This blog has in the past discussed smartphone applications that can allow unfettered direct access to SCADA devices if not properly controlled. Unleashing BYOD upon a control network has the potential to wreak unimaginable havoc, given the diversity of devices in a typical control network that may have congealed over several decades. These are not well-defined and recently built enterprise networks. BYOD guarantees a lack of architectural preparation. How is it possible to create a security architecture when the type of endpoints present – thanks to BYOD – cannot be predicted?
BYOD could work if applications have suitable built-in security to protect the crown jewels. Unfortunately, that built-in security is not always there. Many applications were built long before any type of smartphone access was envisaged. Assuming that corporations encourage BYOD to save money, it’s unlikely that they will simultaneously integrate new security into old applications that are otherwise working just fine. There are some promising approaches, such as Mocana’s application wrapper, Mobile App Protection. But again that requires additional expense – precisely what BYOD seeks to eliminate.
So – have I managed to derail BYOD with this blog? I doubt it. The few that are suitably paranoid realize that we are standing on the tracks in front of an onrushing freight train. And we’re smart enough to get off the tracks before the train gets here. Resigned to finding a positive, at least I can conclude that BYOD is likely to generate a further 10 years’ gainful employment for all of us cyber security folk.