I recently noticed this piece on Forbes about a suggested change for all iOS Wi-Fi settings and it prompted a potentially controversial question.
Why don't all IT/security admins issue a list of setting/configuration changes related to iOS and Android devices for all enterprise users? (If your people are still using BlackBerry — and I just received an email from a U.S. Department of Homeland Security worker who is, which is quite frightening — we need to talk ASAP.)
Some companies, of course, have these configuration settings written down and released. But why do many CIOs/CISOs not bother? And while I am diving deeper into troublesome waters, let me plunge ahead: Why not make such lists mandatory — a requirement for any company allowing personal devices to access sensitive data and sensitive systems? Almost all mandate the use of a downloadable company-approved VPN, so why not also dictate all manner of other settings that pose cybersecurity risks?
The requirements would vary from enterprise to enterprise and most likely from user to user. But surely the basics can be set, such as turning off Wi-Fi when away from the home office (which, today, might literally be a home) or keeping Bluetooth disabled until it’s needed.
Don’t be surprised if these suggestions get a lot of pushback, as remote workers have gotten used to conveniences that are fine at home but ultra-dangerous while walking around an airport, train station, or hotel lobby. For that matter, they can be dangerous when strolling down the streets of Manhattan or San Francisco.
Consider Bluetooth. It's a very convenient means of attack, as long as the bad guy can get very close to the intended victim. Depending on the security software installed, a Bluetooth attack can bypass many traditional defenses. So why not keep it off at all times, except when it's necessary?
Users today are likely to be wearing Bluetooth earpieces while talking in that airport, so they can take a phone call at any time. Would such a rule force everyone to keep their Bluetooth headphones/earbuds at home and travel only with wired ones? That wouldn't be such a bad idea. But will wired earbuds be around much longer?
The Forbes story that got me started on this issue suggests that users be prevented from connecting to unknown networks by default — a very sensible precaution. It further argued that if a user thinks an unknown network absolutely must be used, turn on a reliable mobile VPN first.
Let's start there. How many IT shops even specify an approved mobile VPN, let alone mandate one? It’s important to remember that a VPN doesn’t provide the protection many users think it does. If the user interacts with a sensitive email or logs into a bank account, an attacker watching via Bluetooth might still see quite a bit. What if they downloaded a keystroke-capture tool? In that case, the bad actors likely have your credentials.
Admins could (and should) do the same thing with rules around Wi-Fi, or passwords, or app installations — anything that can help lock down mobile devices and keep corporate data safe. And then, of course, the onus becomes making sure every single person in the organization knows what to do and does so. And if not, there would need to be consequences for leaving corporate data vulnerable to attack or theft.
In a BYOD environment, IT and security have obligations to protect all enterprise assets. Given that the percentage of those assets that travel through mobile devices is soaring, isn't it time to set some strict rules? None of these rules would meaningfully hurt employees, nor would they prevent workers from engaging with consumer apps and data. The worst-case scenario is mild inconvenience.
If a user wants to pull back from BYOD and insist that the company provide them a mobile device, they certainly have the right to make that request. (Whether it's approved is a very different matter.)
But if it were approved, those users could feel free to treat their personal devices as recklessly as they want. As long as they are using those devices to access and create employer-owned data assets, rules about settings seem perfectly reasonable. It might not make IT and Security especially popular with users (but be candid: they never were popular, and that’s not likely to change).
But it's the right thing, the smart thing, to do.