Hooyah! The Challenge of BYOD Policy Enforcement in the Navy and In Your Organization

I have been off the boat (former submariner) for a few years now, but every now and again I find myself browsing the U.S. Navy’s public website to see who got promoted and to check out the new policies heading to the fleet. Last week, I saw a NAVADMIN, (a formal Navy Administration Memo for those not in the service), with the subject, USE OF UNCLASSIFIED NAVY AND MARINE CORPS INTRANET LAPTOPS WITH EMBEDDED  WIRELESS (NAVADMIN 290/15). The message goes on to present a new formal policy to a problem facing many organizations – protecting critical data and systems from the ever-growing swarms of wireless devices.

With a tradition of tech heroes like Grace Hopper and Hyman Rickover, the U.S. Navy has a proud history of being an innovator and early adopter of technology (Hooyah!). From the early days of software, through nuclear propulsion reactors and advanced weapons systems and satellites, the Navy has tackled the most challenging of technical problems. This history makes it particularly interesting to see how such a large and structured organization is tackling the proliferation of web-enabled devices.

In short, the policy states that devices issued for use on UNCLASSIFIED systems, when used in areas with sensitive networks and operations, must have the WiFi turned off by the operator. The onus is on the device owner to remember that they must disable wireless capabilities prior to entering these areas (of which the Navy has many), and re-enable when they are in an appropriate area.

But here’s the thing, relying on humans to remember to turn off WiFi will be challenging. It’s even a significant challenge when you have well trained and loyal sailors legally bound to follow your orders. So the question must be asked, how do you enforce this type of policy? The memo goes on to tease some additional measures for “detection/jamming” on the horizon so that the policy can be properly enforced, though specifics aren’t offered at this time

Sound familiar? It should, because, this is not just a problem for the military. Every organization has sensitive data and critical infrastructure that needs to be protected – and your “sailors” are not legally bound to follow orders. You might even have something similar in your enterprise where you have a BYOD or IoT policy that states WiFi should be disabled or even certain devices not allowed onto the WiFi network. Two stats are telling: While 74% of organizations permit or plan to permit BYOD, 30% of those with a BYOD policy in place have no way to enforce it or simply rely on the honor system.
Now, ask yourself, how will your organizations develop and enforce policies to mitigate risk and protect your important assets in 2016? Let us know below.