Wednesday, April 11, 2012

Information Security vs Senior Manager Fun#1 - on BYOD

6 months ago, at XYZ company far far away...

Senior Manager mate: You security guys put tons of security stuff on my Windows laptop. It takes 15 minutes just to boot up. Now you are telling me you want to put another piece of compliance software inside? Damn! I don't want to use this Windows shit anymore. See my Mac there. There is no virus attacking Mac. Mac is safe and in less than 5 minutes, I can already use it.
Information Security lad: Sir, the security software was installed to ensure your laptop is secure.. blah..blah.....
Senior Manager mate: Nah! I'll just use my Mac and iPad. Anyway, I know that the BYOD policy has been approved, as I'm one of the reviewers.
Information Security lad: In that case, please sign this exception form sir... <* explaining the risk of BYOD etc etc and in his head: well, I've done my job, I told you the risk and you accept it, I'm just gonna move on *> 

3 days ago.... still in that far far away XYZ company...

Information Security lad: Senior Manager sir, our IT Supplier's IPS has detected that your Mac has been infected with malware and is now part of the Flashback botnet. We need you to remove your Mac and give it to us. We will try and see if we can clean that botnet.
Senior Manager mate: What botnet? How come my Mac got infected? It can't be! No virus attacks Macs.
Information Security lad: It's all over the news... <* explaining about the Flashback botnet and what was on the news....*> . It's not only your Mac... we detected that other Senior Management Team members' Macs are infected as well....
Senior Manager mate: What?? How come our IT Supplier didn't prevent this?
Information Security lad: It's not part of the SLA sir... what's more, you signed the exception form....
Senior Manager mate: Damn those IT chaps!

1 month in future... again in that far far away XYZ company...

Information Security lad: Sir, have you seen the headline of "The StoryBrooke Post" today?
Senior Manager mate: What headline?
Information Security lad: It says "Secret XYZ company financial data leaked on internet, suspected compromised by Flashback botnet".
Senior Manager mate: What the heck!!!! <* shivering as he could lose his job now...*>
Information Security lad: <* in his head: I told you so... served you well "mate" *> .  Sir, given the current circumstances, we strongly recommend putting that BYOD thingy on hold and overhauling the BYOD policy.
Senior Manager mate: Yes....... you do that....

Moral of the story?
You should really assess the risk of BYOD to your organization, and not simply jump on the BYOD bandwagon or take things for granted (e.g. "no virus ever attacks Macs"). BYOD only makes sense if you have good controls in place and your employees are well educated about the information security risks of BYOD.

BYOD could also mean - Bring Your Own Death ;)

Ain't security fun? ;) 

