Published on February 24th, 2015 | by admin
BYOD: Should you be concerned?
Not to be confused with BYOB, BYOD stands for Bring Your Own Device, and refers to company policies that allow employees to bring their own devices into the workplace. Smartphones, tablets and notebook computers are expensive to provide for all but the smallest workforces and, in many cases, it may make sense to take advantage of hardware that your employees already own. While you or your security team may have your company network locked down, what happens when your employees connect their own devices to that network?
With threats from outside sources only becoming more vicious, it can be difficult to safeguard your data and the integrity of your network. Allowing employees to connect their personal devices only makes your job more difficult. The goal is to mitigate the added exposure while remaining productive. Instituting a well-defined BYOD policy that integrates with your overall security program becomes paramount in keeping your data safe and attackers on the outside.
Policies in most cases must be unique to a company and based on security level and need. Government agencies handling information at secret and above clearance ratings have a no-employee-device policy and provide lockers outside secured areas to hold personal devices while employees are in the building. At the other end of the spectrum are small company networks using nothing more than the built-in firewall application that comes with the Operating System (OS) being used. Most companies and organizations fall somewhere in between.
Hiding your head in the sand doesn’t mitigate the risk. Mitigating it requires a serious look at the structure of your network and at how, if at all, access will be allowed. Just adding an access point for BYODs, without reevaluating your whole security infrastructure, will undoubtedly create vulnerabilities well beyond the personal devices themselves. If you create Wi-Fi access points, they themselves become targets of brute-force attacks. So, what is the right approach?
The first question to ask yourself is: What benefit will be derived by allowing BYODs on your network? If the only benefit is making the employees happy, is it worth creating a higher risk that needs to be mitigated? In most cases that answer will be “no,” much to the joy of your security team.
But what are the risks of saying no? While you don’t have to worry about the smartphones, tablets and notebooks being on the network, you’re sure to have enterprising employees who work at home even if they aren’t required to. If they send their work from a personal email account to their work email, your email security controls should provide the same level of protection they afford all other email. But what if they decide to store the work on a flash drive and plug that directly into their office computer? They’ve just bypassed your perimeter security without you realizing it. You can lock down your USB ports, but that comes with its own set of nightmares, including cutting off access to legitimate USB devices. While a discussion for another time, your security team should also be looking at controlling USB access if they haven’t already done so.
Should you decide to go down the rabbit hole of allowing employee devices on your network, you should know there are ways to mitigate the risks. If the numbers aren’t too large, your security people can scan the devices before they are connected to your network. Another option is to create an isolated subnet for BYODs that automates the scanning process. However, both of these solutions come with a substantial resource overhead that many companies can’t afford. On top of tracking devices, you also need to deal with employee compliance. While some solutions isolate the device, others rely on employee compliance, which in the best of circumstances still leaves a high enough non-compliance rate to put your data and network in jeopardy.
The question that needs to be asked is: Is there a better approach to mitigating the risk to company data? The answer is a definite maybe. Management tools and applications can be focused on protecting the data instead of the network. This doesn’t mean that you neglect network security, just that you make protecting your data your highest priority. It’s surprising how many employees have access to data on company networks when they have no need for that data. There may be data on your network, such as Personally Identifiable Information (PII), that no BYOD should be allowed to access at all.
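To make the two preceding paragraphs concrete, here is an added example (not code from the original post or from SS8) that models a first-match packet-filter policy for an isolated BYOD subnet and checks it against a handful of constructed flows. The address plan, the scanner host, the ports, the rule set and the sample flows are all assumptions chosen for illustration; the point it demonstrates is that the BYOD subnet can reach the posture-scanning service and the internet but never the PII segment, and that this only works when BYOD devices are actually kept off the corporate LAN.

```python
"""Check a BYOD network-segmentation policy against sample flows.

Added example, not from the original post. All addresses, ports and
rules below are constructed. Rules are evaluated first-match, as most
packet filters do, so rule order is part of the policy.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed address plan (assumption): corporate LAN, an isolated BYOD
# subnet, a server segment holding PII, and the device-posture scanner.
CORP_LAN = ipaddress.ip_network("10.10.0.0/16")
BYOD_NET = ipaddress.ip_network("10.20.0.0/24")
PII_SERVERS = ipaddress.ip_network("10.10.50.0/24")
SCANNER = ipaddress.ip_network("10.10.5.10/32")   # lives inside CORP_LAN
ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Rule:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]      # None means any destination port
    action: str               # "allow" or "deny"

    def matches(self, src_ip, dst_ip, dport) -> bool:
        return (src_ip in self.src and dst_ip in self.dst
                and (self.dport is None or self.dport == dport))


# Policy intent: BYOD devices may reach the scanner and the internet,
# never the PII segment or the rest of the corporate LAN. The scanner
# allow must precede the CORP_LAN deny because SCANNER is inside CORP_LAN.
POLICY: List[Rule] = [
    Rule(BYOD_NET, SCANNER, 443, "allow"),        # posture-scan endpoint
    Rule(BYOD_NET, PII_SERVERS, None, "deny"),
    Rule(BYOD_NET, CORP_LAN, None, "deny"),
    Rule(BYOD_NET, ANY, None, "allow"),           # internet egress
    Rule(CORP_LAN, PII_SERVERS, 5432, "allow"),   # managed hosts to the DB
    Rule(ANY, ANY, None, "deny"),                 # explicit default deny
]


def decide(src: str, dst: str, dport: int, policy: List[Rule] = POLICY) -> str:
    """Return the action of the first rule matching the flow, else deny."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in policy:
        if rule.matches(src_ip, dst_ip, dport):
            return rule.action
    return "deny"


# Constructed flows with the outcome the policy is supposed to produce.
EXPECTED: List[Tuple[str, str, int, str]] = [
    ("10.20.0.7", "10.10.5.10", 443, "allow"),     # BYOD -> scanner
    ("10.20.0.7", "10.10.50.3", 5432, "deny"),     # BYOD -> PII database
    ("10.20.0.7", "10.10.8.4", 445, "deny"),       # BYOD -> corporate host
    ("10.20.0.7", "93.184.216.34", 443, "allow"),  # BYOD -> internet
    ("10.10.8.4", "10.10.50.3", 5432, "allow"),    # managed host -> PII DB
    ("10.10.8.4", "10.10.50.3", 22, "deny"),       # managed host, wrong port
]


def audit(policy: List[Rule] = POLICY) -> List[Tuple[str, str, int, str, str]]:
    """Return (src, dst, port, expected, actual) for every flow that
    does not behave as intended; an empty list means the policy holds."""
    failures = []
    for src, dst, dport, expected in EXPECTED:
        actual = decide(src, dst, dport, policy)
        if actual != expected:
            failures.append((src, dst, dport, expected, actual))
    return failures


if __name__ == "__main__":
    print("segmentation violations:", audit())
    # A personal device placed on the corporate LAN instead of the BYOD
    # subnet is indistinguishable from a managed host to this filter:
    print("unisolated BYOD -> PII:", decide("10.10.70.9", "10.10.50.3", 5432))
```

Two things worth noting from the run: the scanner allow rule has to sit above the broad CORP_LAN deny, or the posture scan silently stops working; and the last line shows why the isolated subnet matters at all, since an address-based filter cannot tell a personal laptop from a managed one once both sit on 10.10.0.0/16. Enforcing which segment a device lands on (VLAN assignment, 802.1X or similar) is a separate control that this script assumes is in place.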
By developing security policies that reduce the vulnerabilities personal devices introduce (such as requiring passwords and encryption), along with securing access to your data, you are still incurring additional risk, but at a level that is more controllable. There isn’t one easy solution for what a BYOD policy should look like, and many organizations will take the wait-and-see route, relying on larger or more innovative companies to work off all the rough edges before they make the change. And there’s nothing wrong with this approach, as long as they understand and deal with the risk of doing nothing.
Employees are an organization’s best and sometimes worst asset. Even the best of us slip up and leave our devices unattended from time to time. If your security team has developed checks and balances that protect both the network and the data, that slip-up doesn’t have to be devastating. Ensuring that all of your employees understand the security concerns and are positively engaged in implementing the parts that apply to them improves your chances of success considerably. This becomes easier as the workforce becomes more tech savvy. Your employees will have a vested interest in protecting the assets on your network because their own hardware is part of what’s being protected.
Learn more about protecting your network, BYOD allowances and all, at www.ss8.com/enterprise.