Recently I wrote on smart meter implementation, now on BYOD, or Bring Your Own Device, a topic that has regularly drawn attention to itself over the past six months. In articles, organisations are warned of the security implications surrounding BYOD. It appears that employees bring their brand new ICT devices to the office and expect to be able to work with them as of the moment they walk into the office with them.
This as such is nothing new and usually it is people in management functions that are trendsetting in this. The main difference is that there are ever more devices, whether smartphones, tablets, iPods, thumb drives or digital cameras, and from more different companies using different operating systems, than, say, five years ago. Obviously this has consequences for the security of an organisation.
A (cyber) security policy
A security policy is normal in all companies. At the end of the work day lights are switched off, doors closed, fences locked and alarm systems switched on and sometimes there is even a night watch. But how is this in the digital realm?
It appears that often a security policy beyond a back-up plan is missing within organisations and the person responsible for ICT is, within most organisations, not a member of the (higher ranking) management team. So when this person gets an assignment reading “connect my new device”, he interprets this order, and correctly, as ‘do it now’, regardless of consequences. His job depends on it.
In how many organisations has the question of what connecting new ICT devices does to the cyber security of the organisation’s network been raised, and has it reached the boardroom?
The Dutch government in 2012
So here we are in 2012, after several very embarrassing moments hacking-wise. Several messages should have hit home by now, I’d expect. This website on government security has regularly posted on risks around BYOD.
And then I ran into this web article, “A secure government is an illusion”, by award-winning Dutch journalist Brenno de Winter. In this article two chief civil servants sing the praises of what has been achieved recently. Here’s a quote (in Dutch, followed by my translation):
“Hillenaar kijkt liever vooruit naar wat er allemaal mogelijk is. Zo wijst hij op de Rijkscloud en het principe van ‘bring your own device’ (BYOD), waarbij werknemers eigen apparatuur meenemen naar hun werk. “Mensen gebruiken verschillende apparaten om hun werk te doen. Het gaat niet meer om de keuze voor of een pc, of een iPad, of een slimme telefoon. We gebruiken die apparaten in combinatie om ons werk te doen: het gaat erom dat je op een eenvoudige manier bij de informatie en functionaliteit kunt die je nodig hebt”, meent de topambtenaar.”
(Hillenaar (CIO of the Dutch government, addition WdN) rather looks ahead at what possibilities are out there. He points to the Government cloud and the principle of ‘bring your own device’, employees bringing their own devices to their job. “People use different devices to do their job. It is no longer about a choice in favour of or against a desktop or an iPad or smartphone. We use these devices in any combination to do our jobs: it’s about being able to access the information and functionality you need in a simple way”, says Hillenaar.)
Translating this very optimistic choice of words by a high-ranking civil servant, responsible for all the Government’s information: ‘we are doing this because we can’, and presumably because of the pressure put on all Hillenaar’s ICT colleagues to implement asap. I’m not implying that no one looked at the security angle, but it seems to me like an incident waiting to happen. Has Mr. Hillenaar ever spoken to his colleague, the CSO? Is there a Dutch government CSO?
At the Ministers level
At the general debate between Parliament and the responsible ministers on cyber security, 10 April 2012, both the minister of Security and Justice and the minister of Internal Affairs quoted the headline of the above article. They did this to assure parliament, and thus us, that everything is under control. Maybe they would want to check the context of their quote and start worrying. My best guess is that there are thousands of back doors opened right now straight into the heart of government. Just one question. Do you know what happens with the devices on and off work and what the implication of this use is for cyber security?
And then some more optimism…
To add to all the digital possibilities for user and criminal alike, this article was published on the website bc.nl today. It explains to small and medium-sized businesses how great M2M, machine to machine, communication is going to be. Mind, I add, all invented to save money on personal service. When was the first time I heard that a company was hacked through the printer? (And just pacemakers?) So all the trouble BYOD is causing is added to by company ICT devices that are not even recognized as such by all except the most proficient.
The cost of cyber crime
With ICT possibilities seemingly ever more endless, it’s time to look at security with the same urgency. Think tank TNO estimates that, for the Netherlands, €10 to €30 billion is siphoned out of the economy per annum! This seems like an amount worthy of some concern and is likely to rise when hackers and criminals are left to their own devices.
Again I state that investing in cyber security will save money in the end. Yes, the two ministers are right in stating that 100% security is unobtainable, but not if they used it coming from the quote above. As in everything, the main question should be: what needs real protection, what less, and how do we get to and maintain those levels?
Somewhere in the coming week the website of Goija events is opening, focussing on cyber awareness and the most basic cyber security lessons and training. If you’re in the Netherlands you may want to take a look there.
Wout de Natris, De Natris Consult
Leiderdorp, 12 April 2012