Do You Have a BYOF Policy?

Here’s a cute but telling article on the privacy and security threats posed by wearable technology – things like smart watches and personal health monitors.

It’s a useful reminder that interconnected devices (Internet of Things stuff) are often lacking basic security or have only basic security, and they are often not updatable either. So they may be infected by security attacks that then get walked into an otherwise protected work environment and spring loose behind the firewalls.

Thus the suggestion of a Bring Your Own Fitbit policy. It’s not just the phones any more.

Views? Do you deal with such matters in your policies?


  1. I’m all for BYO[X] policies where there is a need to deal with issues like security. A well written policy will deal with these issues generically as much as possible so they don’t have to be re-written every time something new comes out.

    On the other hand, many people overreact to new things, so sober reflection is needed to decide if there really are new risks, whether they are different than what is already there, and whether they are already covered. If we start doing policies around things like BYOP (bring your own pen), then we risk looking like an Onion article.

  2. For decades we have lived with, and grown accustomed to, the threat or possibility of hacker attacks at the most obvious level — the desktop. And to a large extent, we have had a fairly easy time scaling up those fears/threats/precautions to accommodate more and various computing devices—we now own several computers, plus tablets and a smartphone.
    But how shall we fare as our everyday objects are threatened? How will we scale our familiarity (perhaps over-confidence) with the threat of being “hacked” when the threat applies to not only computer devices, but things we perceive and trust as physical objects?
    I sadly expect that many things that feel like an Onion article (or Ray Bradbury short) today could be the headlines of tomorrow.
    Case in point, how do you feel about this article describing how some guys used a zero-day exploit in Jeep’s entertainment system to control (entirely over the internet) dashboard functions, brakes, steering and transmission of a target vehicle?
    I doubt many of us are thinking that a BYOD applies to what kind of automobile we drive into the secure lot.

  3. David, I agree that businesses should not be trying to develop a suite of policies directed at different kinds of interconnected devices. A comprehensive Bring-Your-Own-Whatever policy would be best.

    The point of the note, besides the entertainment value of the linked story, was to point out that there are a lot more threats coming into the average workplace than just smart phones, and many of them will not be obvious and often not be very secure. So the terms of the still-a-bit-new BYOD policy may not work very well for them and may need some rethinking.

    Nate, there is some debate about how far the Jeep exploit really went – and how subject to tampering brakes are, considering how they work. But the idea of hacking into the multiple computers on cars is real enough. I led off my column on legal issues presented by the Internet of Things with that example – citing Richard and Cheryl Balough’s presentation, ‘The Day the Cars Stood Still“.

    So food for thought – or better security. The folks building all these interconnected devices are not used to thinking about security, the way that folks in the more traditional Internet industry are – and how are they doing with that, by the way?

  4. Hi John, thanks for the link to your 2013 post. Great read.
    Curious when you say there is some debate about whether Miller and Valasek could really tamper with the Jeep brakes. Are you saying that their recent demonstration left doubt?

  5. Nate, there was a note to an ABA list last week pointing out that brakes are basically mechanical. They will respond to pumping to restore their pressure, regardless of the electrical system, though they might lose their power assist or be momentarily affected by remote interference.

    Other parts of the car could be more gravely affected – and if one were in a driverless car whose steering was hijacked, one had better be wearing a seatbelt…