The British have joined the United States in recommending against allowing government employees to bring their own devices to work. While the bring-your-own-device (BYOD) movement increasingly gains traction in private businesses, government workplaces haven’t been as quick to adapt. The British policy makes an outright recommendation against allowing employees to bring their own devices, and while some U.S. agencies have attempted pilot BYOD programs, most actively dissuade it.
You don't need to look very far to understand why government workplaces are wary of BYOD. The recent Snowden leaks show how personal devices in the workplace can result in lasting damage. A few errant USB drives and some security clearance are all someone needs to create a huge security breach. With the sheer amount of information that contains varying levels of security sensitivities, it is understandable why governments are particularly cautious about introducing BYOD for their employees. Governments are, in a way, tasked with handling all of our data, and both governments and the people should be wary of putting that data on a government employee's personal device.
While we can debate the morality of Snowden's actions, it is easy to see how BYOD can be used for purposes that are more clearly nefarious. Mobile devices are security risks for precisely the same reasons employees want to bring them into the workplace: their mobility. Devices that individuals routinely carry on their persons are especially vulnerable to security breaches because they are easily lost or stolen.
And if the information that's held on those devices may have national security implications, it makes sense to be a tad (or possibly tads) more cautious.
The trouble with restricting BYOD in government workplaces is that it is only a temporary measure. BYOD is the future. BYOD improves employee satisfaction and productivity. It is becoming the standard and not the exception. Limiting BYOD gives governments more time to implement a viable BYOD policy for the future. Governments need to implement policies that address the particularly unique challenges they face.
Security Clearance Required
The complex layers of clearances make administrating security within government agencies difficult. Multiple roles with a variety of clearances combine to create confusing webs of security needs. Whatever security software is implemented to complement an agency's BYOD policy will need to be flexible enough to incorporate these clearances.
Kings to the Kingdom
Sensitive data is everywhere. It’s on servers, on computers, on phones, tablets and yes, in the cloud. Government must act under the assumption that these repositories are always vulnerable to a cunning criminal, security-insensitive employee or an insider with nefarious intent. Then what? Mechanisms to control access to the data must be controlled even after (read: especially after) the device is compromised or after the break-in has occurred.
The primary danger of BYOD, as I've already noted, is that devices can be transported easily and, as such, are easily liberated. One way to mitigate the damage from situations wherein devices are lost or stolen is to introduce remote data destruction mechanisms in devices that are allowed to come in contact with sensitive data. When those devices end up in unauthorized hands, the data can be wiped before any lasting damage can be incurred.
Where in the World...
While some of the value of BYOD is in its ability to allow employees the flexibility to work anywhere, geography can sometimes be an important layer of security. If access to certain, particularly sensitive, data is location-restricted, then the mobility of devices is no longer an issue. This policy is particularly useful for those employees who merely want to collapse the number of devices in their lives.
The Man, the Plan
These features can be used to successfully integrate BYOD into government workplaces, but they are still only tools. The real work of bringing government workplaces into the future is in the planning. While all these features are useful ways of improving security so that we are all more comfortable with the idea of sensitive data on the personal devices of government employees, it is ultimately in policy that the real work of insuring that government data is as secure as it needs to be for governments to function properly.
Nefarious forces will always try to find security loopholes, and employees will continue to make mistakes and sometimes lapse in their adherence to security policy. So agencies’ security policy shouldn’t just be a rote protocol that employees are expected to follow and that employers naively trust employees to always adhere to. Instead, planning should be a means of incorporating all these different security features – encryption, remote handling, location-restrictions, whatever – to protect against those moments of malicious intent and human fallacy when vigilance fails.
Cam Roberson is the Director of the Reseller Channel for Beachhead Solutions, a company that designs cloud-managed mobile device security tools.