
Mixing BYOD with corporate networks

August 10, 2020 | August 21st, 2020 | Infrastructure, Leadership, Managed Services

It has often been the goal of IT staff or IT support to make technology work for customers. No matter the request, if there was a way to make it work, it was a success. However, with the rise of cybersecurity breaches we have had to rethink that approach. While we do want to make technology work, we must now consider the security ramifications of our actions. Just because we can, doesn’t mean we should.

And this leads us to BYOD or “Bring Your Own Device”.

BYOD is the practice of adding unmanaged external or personal devices into a corporate network environment. This commonly takes the form of adding employees’ personal computers, laptops, mobile phones, or tablets to the company’s network. The request to add a personal device is often phrased innocuously: “Can I connect my phone to the office Wi-Fi network? I need the internet.” Or “I’m using my home laptop today and I need to access my work files.”

But there are certainly security ramifications of simply adding these devices. This is why businesses and organizations are urged to have a BYOD policy to deal with these sorts of requests. What will or won’t be allowed to connect to the corporate network? What should connect to the guest network instead?

Let’s talk about OXEN’s philosophy concerning BYOD and what we recommend as a best practice. What are the risks of BYOD?

The Risks of Personal Devices & BYOD

Despite the superficial similarity, personal devices are often very different from company devices. They’re used differently, treated differently, and protected differently.

Personal Use

Personal use computers are typically used differently from work computers. In most cases, these devices are used for a wider range of reasons: from personal email, to social media, to researching a hobby, personal finance use, and entertainment. Because of this wider range of use, and typically more adventurous use, the likelihood of coming across malware, viruses, or exposure to remote control of the machine is higher.

Certainly, this risk depends on the individual using the machine, but generally, more risk is involved in personal use computing. This leads to more risk of an infected/compromised machine impacting your corporate network.

No Enforced Protection

Even if a personal PC is on the latest operating system, personal computers lack the security protection provided by most corporate networks. For example, in OXEN-managed networks, there are standard policies in place, anti-virus and anti-malware installed, and patching updates performed on corporate machines to help protect the environment. These programs and updates are monitored and enforced to ensure that protection is at its best. Personal computers rarely have such security measures in place, or to the level expected in a corporate environment.

What’s the impact if these vulnerabilities are exploited?

Given the vulnerabilities personal devices have, how can they be exploited? What’s the impact if a personal device on your corporate network were to be hacked or infected?

  • Attackers can bypass your protections. Because personal use computers have a greater risk of being compromised, it is important to consider the implications of a compromised personal computer being on the corporate LAN. It is possible that a personal PC could be compromised at home or outside the network. Often hackers will set up remote access capabilities to control a computer. If that computer is brought into the corporate network, that hacker now has access to corporate resources, completely bypassing the firewall used to protect the company from internet attacks.
  • Lack of device management hinders response. Responding to an incident when OXEN does not manage the device is also more difficult. There is no monitoring agent on a personal device. It is essentially a rogue device, likely to remain unknown for a longer amount of time. This delays resolution and can give hackers more time to cause more damage.
  • Contractual obligations become murky. A personal device infecting the corporate network would not be covered under contract. Likewise, even though the corporate network is generally more secure, if a compromise were to happen on a corporate device, and infect a personal computer, that would also not be covered. Regardless, it sets us up for a less than desirable outcome that we would all like to avoid.

How to Make BYOD Exceptions

It is possible to make exceptions and to have a safe BYOD policy in your environment.

Guest Networks

It would be acceptable and even preferred to bring a personal computer to the office if it is isolated on a guest network that does not have access to corporate resources. This is desirable because it could potentially mean less mixing of personal and business use on a corporate machine.
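A guest network only helps if its rules really do block every path to corporate resources. The following is an added example, not OXEN's tooling or configuration: a small audit of an ordered, first-match firewall rule list that reports which corporate ranges guest devices can still reach. The subnets, the rule lists, and the first-match rule model are all constructed assumptions for illustration.

```python
import ipaddress as ip

# Constructed sample data: guest VLAN, corporate ranges, and two rule sets.
GUEST = "10.50.0.0/24"
CORPORATE = ["10.10.0.0/16", "10.20.0.0/24"]
RULES_WEAK = [
    ("allow", "10.50.0.0/24", "10.10.5.20/32"),  # "just the printer" exception
    ("deny",  "10.50.0.0/24", "10.10.0.0/16"),
    ("allow", "10.0.0.0/8",   "10.20.0.0/24"),   # broad internal rule also matches guests
    ("deny",  "10.50.0.0/24", "10.0.0.0/8"),
    ("allow", "10.50.0.0/24", "0.0.0.0/0"),      # internet access
]
RULES_ISOLATED = [
    ("deny",  "10.50.0.0/24", "10.0.0.0/8"),     # block all internal ranges first
    ("allow", "10.50.0.0/24", "0.0.0.0/0"),
]

def subtract(net, hole):
    """Parts of `net` not covered by `hole` (CIDR blocks nest or are disjoint)."""
    if not net.overlaps(hole):
        return [net]
    if net.subnet_of(hole):
        return []
    return list(net.address_exclude(hole))

def guest_leaks(rules, guest, corporate, default="deny"):
    """Return (rule_no, corporate_range) pairs that guest hosts can still reach.

    rules: ordered (action, src_cidr, dst_cidr) tuples; the first match wins.
    A deny covering only part of the guest subnet is ignored (conservative).
    """
    guest = ip.ip_network(guest)
    remaining = [ip.ip_network(c) for c in corporate]  # not yet decided
    leaks = []
    for no, (action, src, dst) in enumerate(rules, start=1):
        src, dst = ip.ip_network(src), ip.ip_network(dst)
        if not src.overlaps(guest):
            continue
        if action == "allow":
            hit = [r for r in remaining if r.overlaps(dst)]
            leaks += [(no, str(r if r.subnet_of(dst) else dst)) for r in hit]
        if guest.subnet_of(src):  # this rule decides for every guest host
            remaining = [p for r in remaining for p in subtract(r, dst)]
    if default == "allow":
        leaks += [(None, str(r)) for r in remaining]
    return leaks

if __name__ == "__main__":
    print(guest_leaks(RULES_WEAK, GUEST, CORPORATE))
    print(guest_leaks(RULES_ISOLATED, GUEST, CORPORATE))
```

In the weak rule set, the exception placed above the deny and the broad internal allow both show up as leaks; with the deny first, the list is empty.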

Zero Trust Networks

If you want to implement a BYOD network, you should take a “zero trust” networking approach. This means that you consider every device hostile. Nothing is trusted. This means beefing up security for access to company resources. In most cases if you are on the office network your device is trusted. That makes things easier to “use”, but it also makes it easier for a hacker to “misuse” that trust.

Conclusion

Ultimately, security is best done through uniformity, centralized control, and monitoring. Anything that pushes against those things will create more risk.

While there is no cookie cutter approach to BYOD, it is commonly recognized as bad practice to mix personal and business devices on the same network. There is typically a better solution to be implemented. Identify the reason for wanting to bring a personal machine in, and then let’s talk about how we can achieve that without more risk being added.

