As bizarre as it may sound, the practice of vandalizing laptops by filling USB ports with glue actually happened. By IT departments. The concept of taking a glue gun to devices worth hundreds of dollars is mockable (the IT media at the time thought so too). This is because as rational individuals we know that stifling technology functionality like this is counter-intuitive, right?
But is physically denying USB really that different from not enabling smart devices to do what smart devices were made to do? The fact is that many IT departments are faced with a similar situation today with the onset of BYOD: do you enable mobility and trust the user, or lock down? You could say, to glue or not to glue?
The prospect of a device containing both company and personal information can lead some people to screw up their faces with worry and ask questions like, “What if someone accidentally emails something personal to a business contact?”
But let’s take a step back for a second; these things can happen on desktop computers too. And, when you think about it rationally, it’s the same issue as putting a letter in the wrong envelope. If I accidentally do that, I’ve only got myself to blame.
Any conversation on BYOD quickly comes around to security, usually in the context of a barrier to adoption. And yet, when you think about it, a lot of the security issues it brings to the fore exist anyway – just in a different form.
Yes, people are bringing in new devices, but what about remote access from home, printing, USB sticks? How many organisations really have a strong way of controlling USB keys? Or have a handle on what gets printed and taken home in people’s briefcases or bags?
We’re all shocked when the high-profile cases come through: police losing criminal data saved on a misplaced USB, an MP leaving a printed policy draft on the train, or what about a certain England manager dishing out first team decisions on the tube.
As we sigh a collective ‘how could they be so careless?’ the cases just keep on coming. In many, in fact most, cases it’s not malicious. Instead it’s usually down to a lack of understanding or consequence on the part of the perpetrator, coupled with a lack of policies and enforcement by the business.
For mobility and BYOD, the answer lies in giving people an awareness of the applications they use and the context they use them in. A good example is internet banking. When you log in to see your account, it doesn’t take over your entire computer and dictate the way it works – it provides a measured application delivery in a very secure mode on your machine. And with that experience comes a mental context of how you’re using that machine.
Let’s be frank. I don’t think people would have ‘questionable content’ on their machine at the same time that they’re logged in to their bank. And BYOD is about setting similar expectations. It’s about shifting the mind-set of the user and delivering an experience that instills a level of understanding and respect for security in different contexts.
When we start any project involving mobility, we start with what we term ‘approach and architecture’, before looking at any required technology. And part of that evaluation involves the company’s stance on security as it relates to the user.
For example, BYOD may not be right for your organisation if your IT department has been ordered to fill your laptops’ USB ports with glue. Trust me, I’ve seen it first hand! On the other hand, if some of your colleagues have already put work email on their smartphones and there is a desire in the organisation to make it work safely for more people, then that’s obviously a much more realistic starting point.
Bring Your Own Device is not simply a technology problem; it’s an opportunity to think about how you approach security and these wider issues in general. It’s one and the same; solve those existing problems and enable BYOD. So, in case you didn’t get it – I do not recommend or condone the use of glue guns and enterprise technology!