BYOD and the hidden risk of IT security

When employees use personal devices for business purposes, too much security can create more risk than it prevents

Ben Franklin made the point, although with more commas than the AP stylebook would endorse: "Those who would give up essential Liberty, to purchase a little temporary Safety, deserve neither Liberty nor Safety."

Over 250 years old, this epigram may still be germane to our ongoing discussion of BYOD (bring your own device): how IT should balance the "liberty" of the BYOD school of thought with the "safety" of needing to minimize corporate exposure to security threats.


The difference here is that our challenges are more prosaic than Franklin's. What matters to us isn't the moral aspect of liberty, only how to maximize the effectiveness of the organization and those who do its work. Passwords hold the key to understanding something fundamental about information security: Push any attempt to improve security too far and security will get worse, not better.

Passwords: A lesson in obscuring security

Here's what we know about passwords: To make them more secure, they must be long and contain a mix of uppercase and lowercase letters, plus numbers, plus punctuation marks. If Blwx34$_beItly%(_nzqTB@!_phomc is your password, you've passed the test.

Here's something else we know about passwords: The only case in which a single password will do is for internal systems, and only if IT has implemented single sign-on technology. Otherwise, to be properly secure, users must have a different password for every system and website that requires one.

We also know that writing down passwords is, from an information security perspective, a serious no-no.

Another piece of hard-won knowledge on the subject: Try to enforce the first two requirements and what you'll get are users who write their passwords on Post-it notes. The more security-conscious among them will put the notes in their front desk drawer, away from prying eyes. The rest stick them to their computer monitors.

Try to enforce the third requirement too and the help desk will be eaten alive by password reset requests, and that's assuming information security has any say at all over the passwords users establish for external websites. The broader principle this exemplifies is why I usually don't accept security and compliance requirements as a reason to restrict the availability of potentially useful technologies.

You can try. You might even succeed, and it's even possible doing so will create more benefit than it costs in lost opportunities, but only if your company mostly employs obedient schleps.
