As the adoption of smartphones and tablets grows exponentially, one of the biggest challenges facing corporate IT organizations is not the threat of losing the device – likely owned by the employee – but the threat of a targeted attack stealing sensitive corporate data stored on these mobile devices. As a first line of defense, an increasing number of companies rely on Mobile Device Management software and Secure Container solutions to secure and manage corporate data accessed from these mobile devices. However, a recent analysis conducted by Lacoon Mobile Security – presented a few weeks ago at the BlackHat conference in Amsterdam – shows that the leading secure container solution Good Technology can be breached and corporate email stolen from Apple iOS and Android devices.

Lacoon CEO Michael Shaulov, spoke with me about the shocking results of this research and made it clear that no matter what MDM software you deploy, you are in danger. MDM and Secure Containers depend on the integrity of the host system. “Ask yourself: If the host system is uncompromised, what is the added value? If the host system is in-fact compromised, what is the added value? We’ve been through this movie before”, referring to the underlying endpoint management philosophy inherited from the previous PC era.

In their presentation “Practical Attacks against Mobile Device Management (MDM)”, Michael Shaulov and Daniel Brodie, Security Researcher, explain the details of how they penetrated the Good Technology container to exfiltrate sensitive corporate email – Good Technology did not respond to my request for comment:

Android 4.0.4 device – Samsung Galaxy S3:

1. The attacker creates a “two-stage” application which bypasses the market’s malicious app identification measures such as Google Bouncer or other mobile application reputation systems. The app is then published on Google Play or other legit Android appstores. By using the “two-stage” technique, the attacker can publish a seemingly innocent application and, once the victim installs the app, the app itself refers to the malicious code which is then downloaded.

2. The app exploits a mobile OS vulnerability which allows for privilege escalation. For example, the vulnerability in the Exynos5 chipset released in December 2012 that affects the drivers used by camera and multimedia devices.

3. The malware creates a hidden ‘suid’ binary and uses it for privileged operations, such as reading the mobile logs, as discussed in the next step. The file is placed in an execute-only directory (i.e. –x–x–x), which allows it to remain hidden from most MDM root detectors.

4. The malware listens to events in the ‘adb’ logs. These logs, and their corresponding access permissions, differ between Android versions. Note that for Android version 4.0 and higher root permissions are required in order to read the logs.

5. The malware waits for a log event that signifies that the user is reading an email.

6. The malware dumps the heap using /proc//maps and /mem. Accordingly, it can find the email structure, exfiltrate it and send it home – perhaps uploading it to an unsuspected DropBox account.

Apple iOS 5.1 device – iPhone:

Malware targeting iOS based devices needs to first jailbreak the device, and then installs the container-bypassing software.

1. The attacker installs a signed application on the targeted device, through the Enterprise/ Developer certificate. This may require physical access but there are known instances when this has done remotely.

2. The attacker uses a Jailbreak exploit in order to inject code into the secure container. The Lacoon researchers used the standard DYLD_INSERT_LIBRARIES technique to insert modified libraries into the shared memory. In this manner, their (signed) dylib are loaded into memory when the secure container executes.

3. The attacker removes any trace of the Jailbreak.

4. The malware places hooks into the secure container using standard Objective-C hooking mechanisms.

5. The malware is alerted when an email is read and pulls the email from the UI elements of the app.

6. Finally, the malware sends every email displayed on the device to the remote command and control server.

The analysis performed by the Lacoon analysts exposes the security limitation of the secure container approach. Shaulov believes that MDM provides management, not absolute security. It is beneficial to separate between business and personal data in a BYOD scenario. Its main use case is the selective remote wipe of enterprise content and Copy & Paste prevention.

Secure containers rely on different defense mechanisms to protect the corporate data. Generally these include iOS jailbreaking and Android rooting detection, prevention of the installation of applications from third-party markets in order to protect against malware and, most importantly, data encryption. However, these measures can be bypassed. On one hand there is a quite active community involved in jailbreaking/rooting efforts. On the other hand the jailbreaking/rooting detection mechanisms are quite restricted – see for example xCon, a free iOS app to defeat jailbreak detection. Usually, checks are performed only against features that signify a jailbroken/rooted device. For example, the presence of Cydia, a legit iOS app which allows the downloading of third party applications not approved by Apple, or the SU tool used on Android to allow privileged operations. More importantly, there are no detection mechanisms for exploitation. So even if the secure container recognizes a jailbroken/rooted device, there are no techniques to detect the actual privilege escalation.

MDM software and Secure Containers are supposed to detect jailbroken iOS and rooted Android devices but “they are dependent on the underlying operating system sandbox, which can be bypassed”, Shaulov says.

MDM not so secure after all

Sebastien Andrivet, Co-founder and director of ADVTOOLS, took a different approach to auditing the security of MDM products and performed a thorough analysis of the server components, such as the administrative console, and their communications with the mobile devices. I met Andrivet in London at the Mobile and Smart Device Security Conference 2012, where he presented the alarming results of his research. Among other, Andrivet found persistent cross-site scripting and cross-site request forgery vulnerabilities in two leading MDM solutions – he would not publicly disclose the names of these products but I saw the screenshots of the trace logs and spotted some of the leading brands mentioned in the Lacoon report.

Andrivet openly stated that, despite being marketed as security tools, MDM products are not “security products” and in fact not so secure after all. However, he is also a bit skeptical about the significance of the findings of the Lacoon research. “Frankly, it is not so easy to penetrate these products, especially on iOS”, says Andrivet. For example, to break into the Good container in the way described above, you need physical access to the device and the password. With an iPhone 4, it is still possible to break a 4-digit pass code. But it is not currently feasible to do the same with iPhone 4S and iPhone 5. Andrivet also observes that it is true that it is possible to repackage an existing iOS application and sign it with your own enterprise certificate. But to install it on the device, a victim will have to accept explicitly the installation of the certificate and then of the application itself. With social engineering, this might be possible, but definitely not so easy. Andrivet points out that the Lacoon researchers have not broken the secure container encryption. They found the information in clear somewhere else – i.e. in memory. What is important is that they found a way to get the data. How they did it (breaking or not the secure container) is not so important. They “breached” the container, even if they didn’t “break” it.

The truth is that MDM products, as any other piece of software in the world, suffer from actual security vulnerabilities. But the Lacoon research is making headlines based on old versions of these products. “The risk is to provide misleading information”, warns Andrivet. In fact, even military-grade spyphone products like FinFisher cannot infiltrate the most recent versions of mobile devices like iPhone 4S or 5 as it is far easier to attack an Android device than an iOS one.

MDM is no silver bullet

Mobile security is a complex topic, and there is no silver bullet. This is true of security in general and mobile is no different, says Ojas Rege, Vice President Strategy at MobileIron, one of the leading MDM software mentioned in the above researches. The challenge many organizations face is that they compromise user experience in the name of security. For mobile, that’s the kiss of death, because users will not accept a compromised experience.

The key is to divide the problem into two: reducing the risk of data loss from well-intentioned users and reducing the risk of malicious attack, continue Rege. The former is, for example, giving users a compelling but secure way to share files instead of using consumer-grade services such as DropBox. The latter is what these researches are really about. MDM is important as a baseline but a full security program is going to require a great deal of education as well. “Jailbreak/rooting is a cat and mouse game”, according to Rege. The reality is that these devices will always have personal use – no matter who owns them – so the chances of malicious software making its way into device are high. The level of sandbox security built into the core OS is a key determiner of what other protections might be needed and what the resulting risk might actually be.

The point about MDM not offering absolute security is a bit cavalier, according to David Lingenfelter, Information Security Officer at Fiberlink, another leading MDM product mentioned in the Lacoon research. Anybody in the security community who is touting or expecting absolute security has missed the point. Cybercriminals only have to be right once. While targeted attacks are definitely a reality, containers are designed for more than just stopping a targeted attack. They help with data leak prevention, blocking users from “accidentally” distributing corporate information through their personal apps.

For better or worse, corporate IT still has to work in the confines of a world dominated by compliance. Adding controls around corporate information by using containers helps risk and compliance teams show their auditors that they are taking what is in essence a consumer-grade device and adding corporate level processes to those devices, continue Lingenfelter.

Infection is inevitable

The lesson learned from trying to secure traditional endpoints may be applied here. The general consensus among the security community is that controls on endpoints are not sufficient anymore to protect from targeted attacks. We can expect the same in the mobile world.

“Infection is inevitable”, continue Shaulov. As demonstrated by our research, MDM and Secure Containers do not and cannot provide absolute security. These are certainly useful tools to separate between business and personal data. As such, they should be part of a baseline for a multi-layered approach. Quoting an RSA report, Shaulov argues that “mitigating the effects of malware on corporate data, rather than trying to keep malware off a device entirely, may be a better strategy”.

This new approach requires thinking outside of the box and the industry is now starting to wake up to this challenge and looking at the network level for threat mitigation. For example, solutions like FireEye, Damballa, Fidelis and Checkpoint – just to name a few – can look at different network parameters and aberrant behavior to detect a compromised device in the process of exfiltrating data. Parameters may be traffic to well-known C&C servers, heuristic behavioral analysis which signify abnormal behavior, sequences of events and data intrusion detection.

Lingenfelter agrees that approach to security has been, and needs to remain, an approach of layers. However, he warns that while other technologies that are based on heuristic style monitoring and detection of malicious activity have come a long way, they too are far from absolute security. Companies have to realize that most mobile technology has been designed for consumers. It has the security focus of consumer devices and applications, which is to make it as easy for the end user as possible. To say that there is going to be one single technology or approach to change this and make these devices have the security level of corporate devices is reckless.  The true objective with mobile device security and management is to add on as much security, in layers, as possible without a significant impact on end user experience.

Have you deployed MDM to your mobile users? Do you trust mobile secure containers with your corporate data? How confident are you that your CEO’s iPhone is not jailbroken – or that it never was? Can you detect a compromised tablet spying on your company’s next board meeting?

Studies* show that an increasing number of organizations allow their employees to use personal devices to connect to corporate networks and data for work related activities – the so called Bring Your Own Device phenomenon. However, a recent study conducted by Forrester Reserach reveals that only a few companies measure the actual financial impact of this new IT model and that even fewer have a clear sense of whether Consumerization actually makes good business sense.

To help C-level executives articulate the business case for Consumerization, Trend Micro has partnered with Forrester Research to develop the first industry study on the financial impact of consumer technology in the enterprise. The research was conducted in January 2012 in the U.S. and Europe and includes 200 organizations that offer formal BYOD programs to their employees. Respondents include CXOs and senior IT managers with an understanding of the impact of the program on their business unit or organization.

According to the study, the key factors driving the majority of the firms to define BYOD programs are increased worker productivity (70%) and providing access to corporate information for employees who are away from the office (63%). Contrary to common misconception, only a minority of companies look at device (40%), voice (20%) and data (23%) costs reduction when considering BYOD.

Most enterprises measure the impact of a wide variety of BYOD related items. However, approximately only half of them measure the specific impact achieved by BYOD separately from other types of business processes. Among the most scrutinized items are bottom line revenues (59%), software license costs (60%), corporate reimbursements for employee devices (53%), voice (58%), data (52%) and device replacement costs (51%).

In terms of overall business impact, respondents point out that BYOD mainly benefits worker productivity (66%) and flexible work environment (66%) while negatively affects mobile device management cost (41%), helpdesk support calls (36%) and helpdesk costs (33%).

The actual financial impact of BYOD varies widely across the sample. For the first time however, this study offers an aggregate estimate of the most relevant items quantified in terms of weighted averages***.

Here are some revealing pros and cons:

12% increase in worker productivity (n=27)
15% decrease in device replacement costs (n=17)
8% decrease in reimbursement for employee data expenses (n=21)
5% decrease in training and education costs (n=11)
3% increase in bottom line revenues (n=22)

8% increase in the number of help desk calls (n=20)
7% increase in mobile device management costs (n=17)
3% increase in corporate liable data costs (n=20)
3% increase in server costs (n=15)
2% increase in regulatory compliance expenses (n=14)

To answer the key question whether BYOD is in fact saving or costing money to a specific organization, the cost benefit analysis above needs to be applied to the specific business model of the company. Generally speaking, service oriented verticals with higher administrative personnel costs are poised to gain most from BYOD – due the sizable increase in worker productivity – while manufacturing and capital intensive verticals may see less of an impact on the bottom line.

Organizations may therefore look at BYOD as an opportunity to gain competitive advantage or as mere cost of doing business. Regardless from any financial consideration however, one thing is certain: Consumerization is real and here to stay. The lack of a strategic approach to Consumerization creates security risks, financial exposure and a management nightmare for IT. Rather than resist it, organizations should embrace Consumerization to unlock its business potential. This requires a strategic approach, flexible policies and appropriate security and management tools.


PREVIOUS: New independent research uncovers the hidden costs of Consumerization


* “IT Executive and CEO Survey”, Decisive Analytics for Trend Micro, January 2012

** “The Value Of Consumerization”, Forrester Research for Trend Micro, March 2012

*** Conservative estimates, range capped at ± 50%, details available upon request



The latest jailbreak for iOS 6.1, released on 4 February, was downloaded by a whopping 5 million users in the first 48 hours alone, according to the website stats posted by Cyril (a.k.a. pod2g), the developer of the latest hack published on evasi0n.com. During these first two days, the websites served 40 million page views of which a good 50 per cent to 2.5 million unique visitors from the U.S.

This is consistent with the figures I learned from Jay Freeman (a.k.a. Saurik) who I met a few months ago at the JailbreakCon 2012 in San Francisco, 2nd edition of the jailbreak community world congress – yes, they do have one. Jay Freeman is the owner of Cydia, the – perfectly legitimate – independent app store catering to those who’ve liberated their Apple device. Jay explained to me that, based on his website stats, at any given time 5 to 10 per cent of the overall Apple iOS installed base is jailbroken.

Why should it bother you? Well, it shows these devices are vulnerable. That the security measures Apple is so famous for can be broken and bypassed in a matter of days – iOS 6.1 was officially released on 28 January: it took Cyril and friends less than a week to inflict Apple this very latest humiliation. Even though the jailbreaking community is doing this for non-monetary reasons, you can bet the bad guys (i.e. organized crime and commercial spyware vendors) are plotting ways of exploiting this – in fact they may have even done so already.

In essence, jailbreaking is a classic example of what happens when you push users too far and force them into a corner. They rebel. We have seen the very same pattern in many other consumer electronic segments, from game consoles through digital TV set-top boxes. Apple’s problem is that it wants total control over every aspect of the ecosystem, from printers and peripherals through to which apps users can download. These users love their Apple devices but they are treated like children. With Android, users are treated like adults: they are allowed to download any apps they please from any sources they trust. The Andorid OS security features a permissions model, admittedly less than perfect, whereby users are asked via a pop-up box if they agree to an app accessing the user’s calendar, phone book and so on. Apple pre-vets all apps beforehand and allows no such pop-ups, which as we will see later on, can backfire in the world of jailbroken devices.

By the way, jailbreaking is not to be confused with unlocking, which is the process by which a mobile device bought on a contract with a particular operator can be altered so that it is usable with other operators’ networks. Jailbreaking, on the other hand, involves the deliberate breaking or bypassing of the iOS device’s security measures. It is as easy as a simple download and it is happening in ever greater numbers today, with a dedicated jailbreaking community working collaboratively on cracking the latest iOS version as soon as it comes out.

So, users are reacting to being treated like a child, to being told what apps they can and can’t download, in an extreme way, but what’s the harm? Well, legally, thanks to some exemptions to the Digital Millennium Copyright Act, it is perfectly OK to jailbreak a smartphone – the Android version of jailbreaking is called ‘rooting’ – but to do so on a tablet is illegal. Apple is obviously strongly opposed to users – and to developers – breaking free of its control in this way and warns of shortened battery life, unreliable data and other bad things happening. The only area it is 100 per cent correct on is the unacceptable security risks that jailbreaking introduces.

Because the Cupertino firm treats its users like children in offering them pre-vetted applications it says are clean and secure, when they decide to break out of that ecosystem and access apps from third party stores, which may be infected with malware, there are no protections and no pop-up permissions boxes. The children have effectively wandered into the jungle, with bad stuff all around and nothing to defend themselves with. Apple is still in denial and doesn’t allow security vendors to develop commercial solutions to mitigate these embarrassingly recurring security issues – look, for example, at the exploit currently targeting Mac users of the Safari browser included in Apple’s OS X, vulnerability cataloged as CVE-2013-0634.

This is obviously bad news for an IT manager. Especially in an increasingly consumerized IT world where the BYOD trend is a reality for the vast majority of organizations. Jailbroken iOS devices are simply a risk they cannot take in the enterprise – there are mobile device management tools which will detect any such device trying to access the corporate network and quarantine until it has been dealt with. Consider another scenario, however, of covert jailbreaking done without the user’s knowledge. Device jailbreaking can be done remotely and without the need for a user password, perhaps via one of the many vulnerabilities discovered – and regularly exploited – in popular cross-platform components like Adobe Reader or Java. In this context it could be the perfect gateway for a cyber criminal to covertly install spy tools or malware onto the device. Such espionage applications are no longer the preserve of James Bond. FinFisher International’s FinSpy Mobile, just to name one targeting Apple iOS, can monitor user location, contact list, phone calls, web history, text messages and even turn on the iPhone’s mic in specific locations to eavesdrop. How do you know your CEO hasn’t had his iPhone hacked in this way? How do you know how many “silent auditors” attended your last Board meeting? In the last few days alone the U.S. Energy Department – that design and build nuclear weapons, the U.S. Federal Reserve and The Wall Street Journal have all been hacked. What does it make you think your Executives haven’t received the same kind of attention – perhaps via their mobile devices?

Users put so much faith in Apple they think their iOS devices don’t need any additional security software, but it’s a false sense of security, just as it was on the Mac platform which is now being readily exploited by attackers. With between 5-10 per cent of the iOS installed user base accessing jailbreak app store Cydia, this is no longer an underground movement. IT managers need to be aware and they need to take suitable precautions.


Do you know how many jailbroken iPhones and iPads have access to your company’s email server? Is your IT security infrastructure able to detect and quarantine these jailbroken devices? Is jailbreaking contemplated by your company’s BYOD policy?


I just returned from a tour in the Nordic countries where I presented to the local press the results of the latest BYOD survey* conducted by YouGov on behalf of Trend Micro. The data collected from 3,012 interviews across Norway, Sweden, and Denmark highlights many details of this controversial IT Trend. Most importantly, the research confirms an undeniable truth: Companies around the world are exposed to increasing security risks due to a variety of consumer-grade technology brought into the enterprise by the employees and inevitably used for work-related activities.

Consumerization and BYOD have become mainstream in the Nordics. The majority (56%) of the respondents admit using one or more personal devices for work related activities. Laptops are the single most common personal devices that are also used for work (42%) in addition to newer form factors such as smartphones (33%) and tablets (11%).

Consistently, most employers (56%) have embraced consumerization and BYOD and, in fact, allow their employees to use their own personal computer (44%), smartphones (36%), and tablets (15%) for work related activities. However, while many users (66%) seem to follow diligently corporate policies, almost one third (29%) admit to bypassing corporate permissions — this alone exposes companies to unacceptable security risks. This also confirms that corporate IT is losing control and that BYOD and Consumerization are happening whether companies like it or not.

Security of those personal devices accessing corporate networks and data is definitely a top concern. In fact, a good number of respondents (63%) are aware of the risks and have security software in some of their personal devices. However, despite the exponentially growing number of malware detected on newer mobile platforms – Android in particular – only a tiny fraction of these users have security software installed in their smartphones (16%) and even fewer on their tablets (7%).

Transparency and full disclosure are key for the success of any corporate BYOD programs. However, only a fraction of the users (8%) have been informed by their employers that their personal files and their privacy may be compromised as a result of connecting their personal devices to corporate networks.

To make the matter worse, the majority of the users (54%) admit sharing – rightly – their personal devices with others. Personal computers are the most likely to be used also by family and friends (40%) followed by smartphones (20%) and tablets (10%). This is a major concern as corporate data may be exposed to 3rd parties who may not be aware of corporate BYOD policies. In addition, remote lock & wipe initiated by the employer may affect 3rd party personal files further exposing the company to liability and litigation.

And the influx of consumer-grade technology in the enterprise is not limited to mobile devices. While the majority of the users (79%) seem to limit their use of personal devices to accessing corporate email and calendar, a concerning 19% admit to rely on consumer-grade cloud services to store potentially sensitive corporate data. This is often in contrast with corporate policy (21%) and cause for great security concerns.

And for the most conservative IT managers among you, who believe that the corporate-liable device is still the way to go – sometime referred as Choose Your Own Device, here is a final interesting finding: Even when the device is owned by the company, and therefore bound to a traditional Acceptable Use Policy, half of the users (49%) admit using it for personal purposes such as access to social media websites and to download potentially malicious applications and games.

To recap: over and over again, data shows that BYOD is like a huge iceberg on a collision path with the slow-moving corporate IT ship. From a distance, we all see the tip of this iceberg: those personal mobile devices brought in by the employees. However, most IT professionals fail to realize the full destructive potential of its underwater volume: that 90% or so of those personally owned devices that have no security software, that are likely shared with friends and family and that the employees are going to proudly use with or without company’s approval.

P.S. In case you are wondering: the metaphor of the iceberg occurred to me when I first walked out of my hotel in Oslo to meet the press. High temperature that day was -20°C (-4°F)!


Is your business heading towards a BYOD iceberg? How would the employees in your organization respond to the types of questions asked in this survey?


* Survey results are available upon request.

That’s why Trend Micro recently decided to take the bull by the horns and commission Forrester Consulting to conduct a rigorous, scientific study – interviewing over 200 IT leaders in the US, UK, France, and Germany. With the results we have begun to build an accurate picture for the first time of what organizations are measuring in their BYOD programs and the cost impacts, in order that IT leaders can go away and begin to formulate for themselves an effective cost benefit analysis.

One of the most interesting effects of the research has been its ability to dispel some common myths around BYOD and prove empirically that, at least for the respondents questioned, IT consumerization leads to cost increases in various key areas. These include: helpdesk, software licensing, mobile security, mobile device management and regulatory compliance.

Helpdesk is an area where some may expect costs to fall, given that employees are using their own devices, but T1 and T2/3 call costs increased for 60% and 50% of respondents respectively. The reality, as articulated by these stats, is that consumer tech companies and mobile operators cannot simply deal with the kind of helpdesk inquiries that most corporate staff will need answering, so the problems boomerang back to the corporate helpdesk, except this time the number of devices and operating systems they have to deal with has snowballed.

Similarly, licensing costs for employee-owned laptops or home desktops could be expected to fall. However, the research showed costs increased for more people (48%) than it decreased. The key here is to understand that companies are effectively complicit in fraud if they allow their staff to use software applications licensed for home-use for work related purposes – another important note for risk adverse IT managers.

Nor can IT wash its hands of expenses associated with compliance, security and mobile device management, the research found. Security in particular was singled out by respondents as the biggest challenge of BYOD, with 63% saying associated costs increased.

The caveat to the research of course is that not all respondents have been adept at measuring the impacts of consumerization effectively, as I discussed in a previous blog, but this is the first report of its kind and hopefully things will improve. Nonetheless it’s a start, and the research should give IT leaders some valuable actionable information and recommendations to help them begin measuring and improving programs.

At the same time, the research unequivocally points out that Consumerization does bring in real business value. My advice for organizations facing an increasingly consumerized IT world is to realize that Consumerization is happening and they can’t stop it – and in fact they shouldn’t. Embrace consumerization is the optimal approach: create a plan that spans the whole organization, say yes but not for everything to everyone and put the right new infrastructure in place to secure and manage consumer-grade technology in the enterprise.

Rather than resist it, organizations should embrace Consumerization to unlock its business potential.

COMING SOON Is your company’s BYOD program in the money?

PREVIOUS  It’s official: BYOD boosts productivity – but not for all.

That is until now. Thanks to comprehensive research commissioned by Trend Micro and recently carried out by analyst Forrester Consulting, we have for the first time collated an invaluable set of rigorous scientific data on the subject. So what does it tell us? Well, as discussed in the last post, it clearly shows that not enough businesses measure BYOD programs in the correct way. But what it also highlights is that an overwhelming number of enterprises find that allowing staff to use their own technology for work increases productivity – in fact quite a lot.

In total, 82% of respondents said they thought BYOD programs increased staff productivity, with the largest group (52%) claiming it increased by 10-20%. In many ways this seems like a no-brainer. Consumer technology is widely accepted to be more exciting, user-friendly, innovative and just easier to use than its enterprise equivalent. Employees want to use their mobile devices, laptops and home PCs for work, and are also likely to get more out of the technology because they’ll be more familiar with it. The employee will usually be multi-tasking in front of the TV on their iPhone long after the corporate BlackBerry has been switched off, for example.

But it’s important for IT managers reading this to understand that these results need to be viewed in the context of their particular industry vertical or individual organization. It’s certainly not the case that all firms will see such a potentially dramatic impact on their bottom line. Yes, if your organization is a service-oriented business with a large number of white collar personnel then there are likely to be big gains to be made from allowing staff to use their own technology for work. However, if you work in manufacturing, for example, there is likely to be limited impact on staff productivity. The assembly line worker will gain little productivity-wise from being able to check work emails from their own smartphone, for example.

The lesson here is that although productivity gains may offset many of the costs and risks associated with BYOD programs, as with most things in life, there’s no one-size-fits-all approach. IT leaders would do well to think very carefully about their own circumstances when reading the research and building an ROI framework specific to their organization.

Companies that are questioning whether or not to allow workers to bring personal devices into the workplace should just stop asking. Thanks to this authoritative independent study, it is now scientifically demonstrated that you can get a competitive edge when you put the right precautions in place. The BYOD phenomenon gives companies that allow it a competitive advantage as it enhances innovation and creativity in the workplace while reducing overall costs for the entire organization. The key to not being overwhelmed by this trend is that all these consumer-grade technologies need to be secured by implementing the proper BYOD policies and procedures.

NEXT New independent research finally uncovers the hidden costs of Consumerization

PREVIOUS  You can’t manage what you don’t measure

Interestingly enough for Trend Micro – the company that has made the “Journey to the Cloud” its corporate mantra – Raimund’s top two predictions are not related to the cloud but rather to the inevitable impact of consumer mobile platforms on corporate IT – a topic particularly relevant to the Consumerization blog and to the Enterprise Mobility professionals among us:

#1 The volume of malicious and high-risk Android apps will hit 1 million in 2013.

#2 Windows 8 offers improved security—but only to consumers.

I find quite intriguing that Raimund put mobile at the very top of his list. As my readers know well, I have been preaching for a while that corporate IT needs to change mindset with regard to consumer mobile technology to better support the business. Talking regularly about the consumerization of IT can often make one sound like a broken record, but the economic, security, and management challenges it brings up for enterprises are too important to ignore.

The problems boil down to a lack of control, which can be described in two key ways. IT departments of course are built on processes, planning and predictability, but the introduction of technology from the consumer sphere, even when centrally procured by IT teams for use in the enterprise, creates its own problems. Consumer technology is sexy and easy-to-use but it’s certainly not built with security and manageability in mind and will usually fall short of IT’s typical expectations with respect to security and manageability. Products from the likes of Google and Apple, for example, whose respective mobile platforms iOS and Android now account for the lion’s share of the market, are great at serving the needs of consumers but have been extremely slow at embracing enterprise requirements. There is no enterprise sales or support culture with these vendors and there is little or no transparency with product roadmaps, which takes corporate IT managers completely out of their comfort zone.

The second problem with the explosion of these new mobile platforms is that, whether consumer-focused tech or not, applications and devices are being brought into the corporate world via the individual employee rather than being mandated from IT, which is the complete opposite of what normally happens. Most IT departments simply aren’t set up to work in this way, and it will require a fundamental change of thinking to ensure consumerization is handled properly.

Moving into 2013, rather than adopt the classic head-in-the-sand approach of old, CIOs and IT bosses need to embrace consumerization and take a proactive, strategic approach built around flexible policies and the right security and management tools.

Firstly, BYOD policies can’t be created in a vacuum – IT leaders need to sit down with line of business managers in all parts of the organization to figure out what their employees would like to use and how to make that possible. Thus IT is taking the initiative and reaching out in an inclusive, proactive manner.

Secondly, policies must be drawn up to be more flexible and fluid. In a world where everyone in the organization from the CEO down needs to be managed, there can’t be a one-size-fits-all approach to policy making. IT needs to think carefully and map technology and policies to the various user groups.

Finally, they need the right infrastructure technologies to help enable all of this. Of course, this is an area where established enterprise vendors such as Trend Micro can help – to enable the secure management of consumer devices and services so that employees are happy and more productive, risks are managed and the business flourishes.

My prediction for 2013 is that this will be remembered as the year when Enterprise Mobility finally embraces consumer mobile technology for good – and with it, the many business benefits of Consumerization.

“Prediction is very difficult, especially about the future.” Niels Bohr Danish physicist (1885 – 1962)

Security Threats to Business, the Digital Lifestyle, and the Cloud: Trend Micro Predictions for 2013 and Beyond.

For many IT managers, unfortunately, the prevailing attitude is still “why should I allow it?”. They are clinging on to the old paradigm whereby IT controlled and dictated the purchasing and ongoing management of technology used by employees. This attitude just will not stand any longer – consumerization is happening, and it needs to be managed in as financially efficient a manner as possible.

The problem with this is that, up until now there has been virtually no data with which IT leaders could start constructing their ROI frameworks. Not only did they not know for sure what the biggest cost impacts on BYOD programs and IT consumerization were, but they had little idea on how to start measuring them.

This is why Trend Micro commissioned analyst house Forrester Consulting to carry out a comprehensive study into the financial impact of consumerization. Forrester surveyed 202 IT decision-makers in enterprises in the US, the UK, France, and Germany, and conducted eight in-depth interviews lasting 45 minutes each. All participants in this study were C-level execs or IT leaders who’ve worked on BYOD programs and understood the financial impact of such trend on their organizations.

Make no mistake, this is an industry first – a rigorous scientific study designed to discover at last the financial impact of IT consumerization. And guess what we found? Most companies just aren’t measuring. In virtually all categories – from mobile security, to helpdesk, to legal fees, to staff training – around 40% of respondents said they currently weren’t measuring the cost/benefit impact. How can they improve their programs, or even build a business case, if there is no measurement? The answer is they can’t.

All IT leaders should be clear that consumerization is unlike any other IT technology ‘investment’ in that in cannot be easily tracked and accounted for. CRM, ERP, and office productivity software, servers and desktops, routers and switches can all be very clearly audited and the return on investment calculated in a relatively straightforward manner, but not for example with BYOD – the enterprise mobility incarnation of the consumerization trend. The devices are not owned by IT, the trend is not driven by IT and the tech vendors are from the consumer sphere – no product release roadmaps or volume license deals here.

In this new world, IT leaders should learn to create a dual accounting ledger whereby traditional investments are accounted for alongside separate costs relating to the technologies owned by staff. It’s the only way to gain meaningful insight into the true cost of IT consumerization. IT bosses, for example, need to be able to measure the real cost of helpdesk calls related to employee-owned mobile devices, software OS licensing costs for employee-owned laptops, and VDI investments needed so staff can use their own desktops at home. This will require a new way of thinking about budgeting, but that’s vital if IT is to ensure all technology is used and managed in the most efficient way possible – even if it is owned by the staff.

Consumerization is disruptive and inevitable. But many IT leaders are slow to realize it – and apparently unable to fully identify its business potential. Like dinosaurs of a previous IT era, they are likely headed for extinction.

NEXT It’s official: BYOD boosts productivity – but not for all. (Coming soon)

Companies that don’t protect themselves through policies place themselves at risk.

Post based on my interview* with Mikael Ricknas of Computerworld.

Allowing employees to bring their own devices to work is causing new challenges, including what happens when a device needs to be wiped or employees want to sell their smartphone or tablet.

Mobile security and BYOD (bring your own device) are main themes at the European edition of RSA’s security conference, which takes place this week in London.

Letting employees use their own smartphones or tablets for work represents a loss of control for IT departments. Also, if personal data isn’t handled correctly, the company may end up being sued, said Cesare Garlati, vice president of mobile security at Trend Micro and the moderator of a conference session called “The Dark Side of BYOD“.

“If companies don’t protect themselves through policies they are really exposed,” said Garlati.

For example, using Microsoft’s ActiveSync technology to remotely wipe a device becomes more complicated because when data is deleted from the device everything is removed, including the user’s personal photos, videos, songs and so on, according to Garlati.

“The question is who is responsible for that,” said Garlati.

So, initiating a remote wipe when a user has entered the wrong password too many times, when an employee has been let go, or simply by mistake could have serious repercussions.

There are both technical and legal ways for an organization to address this.

More advanced mobile device management products allow enterprises to create containers that separate personal and enterprise information and can delete just the latter, according to Garlati.

However, for that to work, information has to be tagged correctly or stored in the right place and some enterprises feel they can’t trust that is the case, according to Leif-Olof Wallin, research vice president at Gartner.

“For example, on an iPad there is a good chance that the employee has stored notes from a sensitive meeting outside the container. So to be on the safe side, they wipe the whole device,” said Wallin in a separate interview.

The solution is to put in place an acceptable-use policy that clearly states employees can connect to the enterprise network, but if something goes wrong, the IT department can initiate a remote wipe that also deletes personal information, according to Garlati. The rules of the policy then have to be reiterated on a regular basis, he said.

Part of that is also telling users to back up personal data if they don’t want to lose it, Wallin said.

People and their devices can also be affected if their employer gets involved in litigation.

“The other party can go to the judge and say that to preserve and discover evidence, I require all the devices involved in the litigation to be seized and sent to a forensics expert for analysis,” said Garlati.

The user loses their device and will again want some form of compensation, according to Garlati.

The technical solution here is to use desktop virtualization, which means all of the corporate information is stored on servers. Doing the same with at least tablets would be good, but the technology isn’t there yet, Garlati said.

When handing over information relevant to a legal case is enough, the IT department needs to have a process in place for gathering the data from PCs, smartphones and tablets, according to Wallin. Allowing the IT department to do that also needs to be part of the policy workers agree to, he said.

Enterprises also have to plan for what happens when a user wants to upgrade to a new device and get rid of the old one. Doing that is mandatory for any BYOD program, according to Wallin.

One way to ensure corporate data doesn’t end up in the wrong hands is for enterprises to outright buy old devices. Another alternative is to discount the cost of a new smartphone, according to Garlati.

“My company actually gives me a discount on the AT&T price of a device if I buy through them, but there is a catch because I have to return the old device,” said Garlati.

Purchasing phones from employees isn’t a very feasible option, since enterprises are adopting BYOD to get away from buying hardware, according to Wallin. His alternative is to rely on the mobile device management solution or getting users to wipe their phone.

“Users have to be told that if they are let go, retire, leave or buy a new device, all corporate information has to be deleted, including potential physical or cloud-based back-ups … Some organizations want to verify the information has been deleted, while others check a sample or trust the employee,” said Wallin.

*Original article http://www.computerworld.com/s/article/9232296/Legal_and_technical_BYOD_pitfalls_highlighted_at_RSA_conference

Post based on my interview with Jeanne Friedman, content manager for  RSA Conference.

In the mobile space the BYOD trend is becoming a minefield for IT administrators. Many companies have experienced a data breach as a result of an employee owned device accessing the corporate network. When the stakes are this high, corporate IT needs to know which platforms to allow and which to refuse.

Android is the most popular mobile platform in the world. It is also the most vulnerable to attack and in fact the most exploited. Contrary to common perception, Apple mobile devices are not immune to security flaws. And in fact less secure than Android if users “jail break” their devices – to escape Apple’s control.

As the Vice President of Mobile Security at Trend Micro, I wanted to get a thorough understanding of how secure and manageable these new mobile platforms are. This has been a recurring question, because the traditional mobile platforms, namely Nokia Symbian and RIM Blackberry, were actually designed for the enterprise. These days, the new mobile platforms – Windows Phone, Android and Apple iOS – are in fact quite different in terms of design criteria. The security and manageability requirements that the enterprise expects are still not key design factors.

So, what I wanted to do was to poll a group of independent mobile security experts and ask them to rank each mobile platform with regard to security and manageability. Sounds interesting? Can’t wait to know what mobile brands are the winners and losers?

Well, I don’t want to spoil the surprise for the people who will join my session at the RSA Conference 2012 in London. What I can tell you is that while I was running this study with the mobility experts, I also asked our marketing department to run a parallel survey to ask the very same question to the IT manager out there. Essentially, we wanted to compare perception (IT managers) versus reality (mobility experts). What I can tell you right now is that the answers we received from the experts are in fact quite different than the common perception among IT professionals. So, for the people who are interested in joining my session: you might think that some of the platforms out there are secure while the mobile security experts think quite differently. According to the experts, the new mobile platforms still have a long way to go in terms of manageability and security: as a group, consumer mobile platforms are not as secure and manageable as you may expect them to be.

But how about Android in particular? Are there any Android exploits that make organizations with BYOD policies the most vulnerable?

Let me start by sharing a key mobile security fact. Android is the number one platform in the world. It is also the most vulnerable to attack and in fact the most exploited. Whether you are an IT manager in charge of defining BYOD policies for your organizations or simple Android user, you need to be aware that the OS itself has been designed with strong security criteria and that there are some built-in security features that really make Android one of the most solid platforms in the market. However, the overall ecosystem around Android is quite different than the Apple iOS’ one. The main key difference is that Android is a truly open system. As such the Android Market – now Google Play – and the many websites where Android apps can be bought and download is open. This somehow removes some of the filters and some of the scrutiny that Apple excise on iOS.

Consumers – and IT managers in particular- need to understand that when you download an Android app, no one really checks what the application is actually going to do with your personal data, with the financial information you stored in your device and with the privacy of your communications and your text messages. I think this is really the key message really with regard to Android: very well designed in terms of built in security, but the ecosystem is probably too open to really grant the level of security and trust that consumers and IT professionals would expect.

On the other hand, there are vulnerabilities related to Apple jailbroken devices that also make companies vulnerable. Apple iOS is a wonderful piece of software, but it is no magic. As any software in the world, it has its own vulnerabilities. As proved release after release, there have always been some security flaws. Now, the good thing with iOS is that these security flaws haven’t been really exploited in a major way because of the additional scrutiny that Apple exercises on the ecosystem through the Apple App Store.

Now, jailbreaking is something quite different. I want to make this clear distinction. Not many people jailbreak their Apple devices and therefore the security of iOS as a platform, as a whole, is definitely very high. But many people do feel like the strict control that Apple exercises on the platform somehow constrains their choice. I respect that. Consumers value choice. Therefore they jailbreak, or if you want, “open up” the iOS system so that they can download and install whatever applications they want perhaps to personalize look and feel and the overall user experience.

By doing this, by opening up an alternative channel for the apps to get into the device, they skip the control that Apple otherwise exercises on the App Store. And they do get exposed. And we do have examples of malware, trojans and other exploits that specifically targeted Apple iOS jailbroken devices.

My message to Apple users out there is: Really think twice before you jailbreak your device because jailbreaking per se does not compromise the security of the system, but the end result is that you as an end user will be much more exposed to bad things. To the IT managers struggling with the Consumerization of IT, my message is quite different: Do not take the risk. Do not tolerate jailbroken devices on your network. That’s a risk that makes no sense to your organizations.