It has often been the goal of IT staff or IT support to make technology work for customers. No matter the request, if there was a way to make it work, it was a success. However, with the rise of cybersecurity breaches we have had to rethink that approach. While we do want to make technology work, we must now consider the security ramifications of our actions. Just because we can, doesn’t mean we should.
And this leads us to BYOD or “Bring Your Own Device”.
BYOD is the practice of adding unmanaged external or personal devices into a corporate network environment. This commonly takes the form of adding employees’ personal computers, laptops, mobile phones, or tablets to the company’s network. The request to add a personal device is often phrased innocuously: “Can I connect my phone to the office Wi-Fi network? I need the internet.” Or “I’m using my home laptop today and I need to access my work files.”
But there are certainly security ramifications of simply adding these devices. This is why businesses and organizations are urged to have a BYOD policy to deal with these sorts of requests. What will or won’t be allowed to connect to the corporate network? What should connect to the guest network instead?
Let’s talk about OXEN’s philosophy concerning BYOD and what we recommend as a best practice. What are the risks of BYOD?
The Risks of Personal Devices & BYOD
Despite the superficial similarity, personal devices are often very different from company devices. They’re used differently, treated differently, and protected differently.
Personal use computers are typically used differently from work computers. In most cases, these devices are used for a wider range of reasons: from personal email, to social media, to researching a hobby, personal finance use, and entertainment. Because of this wider range of use, and typically more adventurous use, the likelihood of coming across malware, viruses, or exposure to remote control of the machine is higher.
Certainly, this risk depends on the individual using the machine, but generally, more risk is involved in personal use computing. This leads to more risk of an infected/compromised machine impacting your corporate network.
No Enforced Protection
Even if a personal PC is on the latest operating system, personal computers lack the security protection provided by most corporate networks. For example, in OXEN-managed networks, there are standard policies in place, anti-virus and anti-malware installed, and patching updates performed on corporate machines to help protect the environment. These programs and updates are monitored and enforced to ensure that protection is at its best. Personal computers rarely have such security measures in place, or to the level expected in a corporate environment.
What’s the impact if these vulnerabilities are exploited?
Given the vulnerabilities personal devices have, how can they be exploited? What’s the impact if a personal device on your corporate network were to be hacked or infected?
- Attackers can bypass your protections. Because personal use computers have a greater risk of being compromised, it is important to consider the implications of a compromised personal computer being on the corporate LAN. It is possible that a personal PC could be compromised at home or outside the network. Often hackers will set up remote access capabilities to control a computer. If that computer is brought into the corporate network, that hacker now has access to corporate resources, completely bypassing the firewall used to protect the company from internet attacks.
- Lack of device management hinders response. Responding to an incident when OXEN does not manage the device is also more difficult. There is no monitoring agent on a personal device. It is essentially a rogue device, likely to remain unknown for a longer amount of time. This delays resolution and can give hackers more time to cause more damage.
- Contractual obligations become murky. A personal device infecting the corporate network would not be covered under contract. Likewise, even though the corporate network is generally more secure, if a compromise were to happen on a corporate device, and infect a personal computer, that would also not be covered. Regardless, it sets us up for a less than desirable outcome that we would all like to avoid.
How to Make BYOD Exceptions
It is possible to make exceptions and to have a safe BYOD policy in your environment.
It would be acceptable and even preferred to bring a personal computer to the office if it is isolated on a guest network that does not have access to corporate resources. This is desirable because it could potentially mean less mixing of personal and business use on a corporate machine.
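As an added illustration of the two points above (an unmanaged device that stays unknown on the corporate LAN, and keeping personal devices on an isolated guest network), here is a small Python check, not OXEN's tooling, that compares constructed DHCP lease lines against a managed-asset inventory and flags any device on the corporate VLAN that is not a known managed machine. The VLAN numbers, MAC addresses, hostnames and lease-line format are all assumptions made for the example.

```python
# Added example (not OXEN's tooling): flag unmanaged devices on the corporate VLAN
# by comparing DHCP lease records against an inventory of managed assets.
import re
from dataclasses import dataclass

# Constructed inventory: MAC addresses of machines that carry the monitoring agent.
# Hypothetical values, not real assets.
MANAGED_ASSETS = {
    "aa:bb:cc:00:00:01": "WS-ACCT-01",
    "aa:bb:cc:00:00:02": "LT-SALES-07",
}

# VLAN IDs assumed for this example: 10 = corporate LAN, 20 = guest network.
CORPORATE_VLAN = 10
GUEST_VLAN = 20

# Constructed DHCP lease lines in a simple "ip mac hostname vlan=N" format.
SAMPLE_LEASES = """\
10.10.0.21 aa:bb:cc:00:00:01 WS-ACCT-01 vlan=10
10.10.0.44 de:ad:be:ef:12:34 Johns-iPhone vlan=10
10.10.0.45 aa:bb:cc:00:00:02 LT-SALES-07 vlan=10
10.20.0.13 ca:fe:00:11:22:33 home-laptop vlan=20
"""

LEASE_RE = re.compile(
    r"^(?P<ip>\d+\.\d+\.\d+\.\d+)\s+(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})"
    r"\s+(?P<host>\S+)\s+vlan=(?P<vlan>\d+)$",
    re.IGNORECASE,
)

@dataclass(frozen=True)
class Lease:
    ip: str
    mac: str
    host: str
    vlan: int

def parse_leases(text):
    """Parse lease lines; blank or malformed lines are skipped, not fatal."""
    leases = []
    for line in text.splitlines():
        m = LEASE_RE.match(line.strip())
        if m:
            leases.append(Lease(m["ip"], m["mac"].lower(), m["host"], int(m["vlan"])))
    return leases

def find_rogue_devices(leases, managed=MANAGED_ASSETS, corp_vlan=CORPORATE_VLAN):
    """Return leases on the corporate VLAN whose MAC is not a managed asset."""
    return [l for l in leases if l.vlan == corp_vlan and l.mac not in managed]
```

Devices returned by find_rogue_devices are the ones that should have been placed on the guest VLAN or enrolled in management before getting a corporate address.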
Zero Trust Networks
If you want to implement a BYOD network, you should take a “zero trust” networking approach. This means that you consider every device hostile. Nothing is trusted. This means beefing up security for access to company resources. In most cases, if you are on the office network, your device is trusted. That makes things easier to “use”, but it also makes it easier for a hacker to “misuse” that trust.
Ultimately, security is best done through uniformity, centralized control, and monitoring. Anything that pushes against those things will create more risk.
While there is no cookie cutter approach to BYOD, it is commonly recognized as bad practice to mix personal and business devices on the same network. There is typically a better solution to be implemented. Identify the reason for wanting to bring a personal machine in, and then let’s talk about how we can achieve that without more risk being added.