Bring on Bring Your Own: security that’s smarter than ever

Stuart Constable

Tuesday 16 July 2019

Bring-your-own-device is rapidly becoming standard practice, even in highly regulated environments. It’s a business imperative, from the agility and productivity it enables to the employee experience it creates. As business mobility becomes a key source of competitive advantage, we look at the implications for security and the shift in culture that is needed in a mobile-first world.

People are so tricky. The more rules you apply, the more loopholes they find.

The rise of Bring Your Own Device (BYOD) is a classic example. More significantly, the response from organizations to this employee-driven tech transformation is an education in effective people management.

BYOD presents the classic risk decision. How does the security risk of people using personal devices for work compare with the material business risk of restricting mobility?

Mobility seems to be tipping the balance, mainly because the benefits to the business of higher productivity and competitive advantage are now well established. At the same time, security technologies have broadly managed to keep pace with the need to extend policies to the most remote and mobile endpoints, so the security risk is reduced.

And yet people are so tricky. As with all security deployments, it’s the people who are the source of risk, rather than the devices. Phones and laptops don’t cause breaches; people do.

This is why your company culture is as important as your security deployment in preventing and mitigating the impact of cyber attacks. You can impose security measures on devices, but carelessness is a state of mind.

Kai Roer, co-founder and CEO of research firm CLTRe, defines security culture as “the feelings and beliefs that employees have toward the security protocols and issues.” But the culture has to extend beyond the question of security to encompass attitudes towards the organization and the workplace in general. Why would anyone bother to help protect an organization that has not won their loyalty?

BYOD helps to build that loyalty, because it gives employees more agency over their working lives. They can make active choices about the devices they use, and if they are working with devices and apps they like, they will be more productive. They will also be more inclined to make sure the device is secure and to appreciate the workplace experience in general.

Nevertheless, people are only human. Which is why new approaches to security technology are encompassing wider factors than ever before.

For example, Lenovo’s approach to device security extends beyond the final assembly of hardware to incorporate every stage of the supply chain. The rogue trade in computer parts means that devices may arrive with non-proprietary components, any of which may represent a back door for hackers. By securing the supply chain from end to end, we are engineering the risk of compromise out of the manufacturing process.

This does not reduce the risk posed by personal devices, but it does demonstrate how approaches to security need a broader understanding of the threat landscape.

One way that organizations are dealing with the threat from BYOD is to adopt COPE policies for mobile devices: corporately owned, personally enabled. Employees are given a choice of devices on which corporate services are containerized, so that any personal use presents no risk to the business. COPE demonstrates a degree of mutual trust between employer and employee that contributes to a more rewarding employee experience, with less of the risk that BYOD can create.

With BYOD, your mobile management solution needs a greater degree of sophistication because it requires a direct intrusion into the user’s personal world. Again, a separation of the corporate and personal environment is required, to reassure users that their personal data will not be lost if their employer suffers a breach and to allow organizations to apply fully compliant security measures to every connected device.

All of these human factors of trust and loyalty can be incorporated into a tangible security policy, so that security actually creates a better experience, rather than hampering productivity. This is the approach that underpins Lenovo’s ThinkShield solution, which considers every stage of the device lifecycle, from development, through the supply chain and the working life of the unit all the way to secure disposal.

It’s a philosophy that has informed the design and manufacture of the latest ThinkBook laptops, which feature discrete Trusted Platform Module (dTPM) encryption, a physical camera cover and a fingerprint reader built into the power button.

The eternal conflict between malicious hackers and IT teams intensifies with every innovation, and developments such as the IoT and artificial intelligence are creating new battlegrounds. But if you can use enlightened, human-friendly security policies to help win the battle for hearts and minds within your organisation, you’ll have the strongest possible defence against any attack.
