Subscribe / Unsubscribe Enewsletters | Login | Register

Pencil Banner

Rise of 'shadow IT,' not BYOD, should be a concern for organisations: IBRS

Patrick Budmar | Feb. 28, 2013
Security analyst shares his view on MDM and how it fits in with BYOD

The entire MDM space is dead when it comes to the bring-your-own-device (BYOD) trend, according to IBRS security analyst, James Turner.

He made the claim during the launch of Kaspersky Endpoint Security for Business in Sydney, explaining that one can not claim to control something that one does not own.

"You have two ways of controlling the data, either by presenting it to the device via HTML5 or by having an encrypted container on the device," Turner said.

"Either way, you don't own the device."

Instead, Turner said MDM is applicable for devices issued by the organisation.

To highlight this disparity, Turner referenced two organisation he dealt with recent, with 10,000 employees between the two of them.

Over the last 12 months, one organisation gave their employees a choice of Blackberry or iPhone.

After that time, Blackberry now only represents 40 per cent of their corporate fleet.

"The second one has been doing it for two years and did the same thing, though also gave the choice of Android," Turner said.

"In this case, Blackberry represented only 10 per cent."

Turner highlighted these two cases to show the massive appeal of the non-Blackberry devices among employees.

People who have been interested in these devices are already using them, a trend that Turner refers to as "shadow IT."

"It is already happening, so organisations are not trying to reclaim control, they are catching up with what users are doing and then provide guard rails around that," he said.

Field work

When data loss prevention (DLP) was a trend a few years ago, one of the scenarios Turner discussed with clients was how to stop someone from looking at their iPhone, taking a photo and sending it via their Gmail account, essentially passing the IT system.

In terms of gauging what IBRS' client base is doing in terms of BYOD, Turner said it is already there.

"We talk about BYOD in the same sense of being hacked," he said.

"Either you've been hacked or you've been hacked and don't know it."

Instead of BYOD, Turner prefers to call it bring-your-own-other-device (BYOOD), because there is a distinction between the gear the company has provided to an employee, and the actual tools used to get the job done.

Turner came to this conclusion after going out and talking to line managers across the field, conducting dozens of interviews with organisations spanning thousands of people, and talking to the staff about how they use the device.

As an example, Turned mentioned one organisation that received a call in the office from someone in the field, who then asked the employee for the information to be sent.


1  2  Next Page 

Sign up for CIO Asia eNewsletters.