
Mixing BYOD with corporate networks

August 10, 2020 | August 21st, 2020 | Infrastructure, Leadership, Managed Services

It has often been the goal of IT staff or IT support to make technology work for customers. No matter the request, if there was a way to make it work, it was a success. However, with the rise of cybersecurity breaches we have had to rethink that approach. While we do want to make technology work, we must now consider the security ramifications of our actions. Just because we can, doesn’t mean we should.

And this leads us to BYOD or “Bring Your Own Device”.

BYOD is the practice of adding unmanaged external or personal devices into a corporate network environment. This commonly takes the form of adding employees’ personal computers, laptops, mobile phones, or tablets to the company’s network. The request to add a personal device is often phrased innocuously: “Can I connect my phone to the office Wi-Fi network? I need the internet.” Or “I’m using my home laptop today and I need to access my work files.”

But there are certainly security ramifications of simply adding these devices. This is why businesses and organizations are urged to have a BYOD policy to deal with these sorts of requests. What will or won’t be allowed to connect to the corporate network? What should connect to the guest network instead?

Let’s talk about OXEN’s philosophy concerning BYOD and what we recommend as a best practice. What are the risks of BYOD?

The Risks of Personal Devices & BYOD

Despite the superficial similarity, personal devices are often very different from company devices. They’re used differently, treated differently, and protected differently.

Personal Use

Personal use computers are typically used differently from work computers. In most cases, these devices are used for a wider range of reasons: from personal email, to social media, to researching a hobby, personal finance use, and entertainment. Because of this wider range of use, and typically more adventurous use, the likelihood of coming across malware, viruses, or exposure to remote control of the machine is higher.

Certainly, this risk depends on the individual using the machine, but generally, more risk is involved in personal use computing. This leads to more risk of an infected/compromised machine impacting your corporate network.

No Enforced Protection

Even if a personal PC is on the latest operating system, personal computers lack the security protection provided by most corporate networks. For example, in OXEN-managed networks, there are standard policies in place, anti-virus and anti-malware installed, and patching updates performed on corporate machines to help protect the environment. These programs and updates are monitored and enforced to ensure that protection is at its best. Personal computers rarely have such security measures in place, or to the level expected in a corporate environment.

What’s the impact if these vulnerabilities are exploited?

Given the vulnerabilities personal devices have, how can they be exploited? What’s the impact if a personal device on your corporate network were to be hacked or infected?

  • Attackers can bypass your protections. Because personal use computers have a greater risk of being compromised, it is important to consider the implications of a compromised personal computer being on the corporate LAN. It is possible that a personal PC could be compromised at home or outside the network. Often hackers will set up remote access capabilities to control a computer. If that computer is brought into the corporate network, that hacker now has access to corporate resources, completely bypassing the firewall used to protect the company from internet attacks.
  • Lack of device management hinders response. Responding to an incident when OXEN does not manage the device is also more difficult. There is no monitoring agent on a personal device. It is essentially a rogue device, likely to remain unknown for a longer amount of time. This delays resolution and can give hackers more time to cause more damage.
  • Contractual obligations become murky. A personal device infecting the corporate network would not be covered under contract. Likewise, even though the corporate network is generally more secure, if a compromise were to happen on a corporate device, and infect a personal computer, that would also not be covered. Regardless, it sets us up for a less than desirable outcome that we would all like to avoid.

How to Make BYOD Exceptions

It is possible to make exceptions and to have a safe BYOD policy in your environment.

Guest Networks

It would be acceptable and even preferred to bring a personal computer to the office if it is isolated on a guest network that does not have access to corporate resources. This is desirable because it could potentially mean less mixing of personal and business use on a corporate machine.
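
One way to check that this split is holding, and to surface the unmanaged "rogue" devices described above, is to compare DHCP leases against the managed-device inventory. This is an added example, not code from the article or from OXEN; the subnets, MAC addresses, lease format and hostnames are all constructed for illustration.

```python
import ipaddress

# Assumed addressing plan (constructed for this example, not from the article).
CORPORATE_NET = ipaddress.ip_network("10.10.0.0/24")
GUEST_NET = ipaddress.ip_network("10.99.0.0/24")

# Constructed inventory: MAC addresses of devices enrolled in management.
MANAGED_MACS = {"00:11:22:aa:bb:01", "00:11:22:aa:bb:02"}

# Constructed DHCP lease export, one "ip mac hostname" record per line.
SAMPLE_LEASES = """\
10.10.0.21 00:11:22:AA:BB:01 acct-laptop-01
10.10.0.37 00-11-22-aa-bb-02 frontdesk-pc
10.10.0.54 3c:5a:b4:10:20:30 Janes-MacBook
10.99.0.12 f0:18:98:44:55:66 android-7f3e
10.99.0.15 00:11:22:aa:bb:02 frontdesk-pc
"""

def normalize_mac(mac):
    """Lower-case and use ':' separators so inventory and lease formats compare equal."""
    return mac.strip().lower().replace("-", ":")

def audit_leases(lease_text, managed=MANAGED_MACS):
    """Return (violations, notes): unmanaged on corporate LAN, managed on guest."""
    violations, notes = [], []
    for line in lease_text.splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue  # skip blank or malformed lines
        ip = ipaddress.ip_address(parts[0])
        mac = normalize_mac(parts[1])
        host = parts[2] if len(parts) > 2 else "(no hostname)"
        is_managed = mac in managed
        if ip in CORPORATE_NET and not is_managed:
            violations.append((str(ip), mac, host))  # BYOD device on corporate LAN
        elif ip in GUEST_NET and is_managed:
            notes.append((str(ip), mac, host))  # company device on guest Wi-Fi
    return violations, notes

if __name__ == "__main__":
    bad, odd = audit_leases(SAMPLE_LEASES)
    for ip, mac, host in bad:
        print(f"UNMANAGED on corporate LAN: {ip} {mac} {host}")
    for ip, mac, host in odd:
        print(f"managed device on guest network: {ip} {mac} {host}")
```

MAC addresses can be changed or randomized by the device, so treat this as a visibility check; keeping personal devices off the corporate segment still depends on network access control and firewall rules between the two networks.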

Zero Trust Networks

If you want to implement a BYOD network, you should take a “zero trust” networking approach. This means that you consider every device hostile. Nothing is trusted. This means beefing up security for access to company resources. In most cases if you are on the office network your device is trusted. That makes things easier to “use”, but it also makes it easier for a hacker to “misuse” that trust.

Conclusion

Ultimately, security is best done through uniformity, centralized control, and monitoring. Anything that pushes against those things will create more risk.

While there is no cookie cutter approach to BYOD, it is commonly recognized as bad practice to mix personal and business devices on the same network. There is typically a better solution to be implemented. Identify the reason for wanting to bring a personal machine in, and then let’s talk about how we can achieve that without more risk being added.

