Navigating the Perilous World of “Bring Your Own Device” (BYOD)

Most businesses today have an environment where employees and visitors bring their own devices, such as phones or laptops. While some organizations may restrict devices from connecting to their infrastructure, it's common for people to enter a commercial building—be it retail or office space, or otherwise—with a mobile device, at least.

Retailers are known to actually encourage shoppers to bring their smartphones, offering up the sweet carrot of free guest wifi to, let’s say, help improve the shopper experience (wink). In corporate offices, employees, their visitors, vendors, and jargon-speaking consultants make up the bulk of users carrying personal devices. And we’re not just talking about the physical realm, by the way. BYOD applies to anyone using their own device to access corporate resources, such as remote workers, often wearing pajamas, checking their email from home, or using the company’s VPN from outside to connect to other network resources behind the corporate firewall or to cloud-based applications and data.

The Comical (and yet Not-So-Comical) Risks of BYOD

While there are advantages inherent in BYOD scenarios—like, for example, in the retail space where connectivity can provide consumer analytics (oh wait, so it’s not just about a better shopper experience?)—there are lurk inherent risks, particularly where devices can connect to sensitive corporate networks. Being aware of the risks is a starting point in the effort to mitigate them.

At a high level, risks arise from two primary sources:

Firstly, personal devices are, shall we say, exceedingly difficult to control. They dance to the whimsical tunes of their owners, sometimes cha-cha-cha-ing their way into the treacherous territories of malware and viruses. Once in a while, these infected devices, oblivious to their tainted status, become the unintentional rebels, spreading digital mayhem across your secure corporate networks.

Secondly, the human element. Ah, the innocent blunders of our species, such as sticky-noting wifi passwords everywhere (monitors, desks, foreheads) or sending that ultra-secret product diagram to Bob the Barista instead of Bob from Accounting. Whoops! This friendly fire in the tech world can, unfortunately, lead to some truly cringe-worthy moments (and, not-so-comically, serious financial repercussions).

When malware brings a system down, employees may be unable to get work done. Deals may go unclosed, products unsold, and customers unserved. Stolen data is another possibility, which may be in the form of intellectual property, or sensitive customer or employee data. Liability stemming from such breaches can have a tremendous associated cost. Whatever the case—inoperative systems or stolen data—add the financial cost of the recovery effort itself to the list of heartburn-inducing consequences. And if that’s still not enough to scare the entire executive team, factor in the impact to a firm’s reputation that can occur in either of these scenarios and you’ve got real cause for some sleepless nights.

ISO BYOD Solutions

Okay, we know we don’t want to “go there”. So how do we avoid the severe costs that BYOD risks threaten to impose on us? Fortunately, our demise is not assured. And while this article is a lot more about risk awareness than explaining solutions in any level of detail, I can give you some fundamental ingredients required in any effective defensive strategy recipe.

If we’re going to allow personal devices onto the corporate network, then we’re going to want to have in place, at a minimum:

a. User-based authentication, along with a registration mechanism recording the user and device. If something is going to happen subsequent to providing access, we want to be able to pinpoint its origin.

b. A device safety sniff. We want to know whether there is an acceptable form of endpoint protection in place, and whether patches are up to date.

If our users make it this far, only then is user/device allowed onto the network, under a watchful eye, of course.

c. Trust, but verify. In the spirit of gracious but cautious hosts, we want to keep our users and their devices isolated from sensitive data and applications as much as possible. We segment resources, and monitor traffic generated from devices to ensure, for example, that no malware is being disseminated, or that corporate intellectual property is not being downloaded. This involves data collection, real-time analysis, and some method of meaningful response.

The Future (It’s Coming, Ready or Not!)

For large corporations such an infrastructure might be a walk in Technology Park. Smaller organizations might struggle to implement these capabilities due to a skinnier wallet. However, the need for security is the same. Unfortunately, the type of protection I’m talking about here is where we’re all going, like it or not. Remember, that even in a sea of bad analogies, staying vigilant and proactive regarding BYOD policies is no joke!

The best way to tackle security in a BYOD environment is through a layered approach, using multiple tools and strategies to ensure protection at every possible entry point. The increasing sophistication of threats means that even small businesses must adopt robust security measures. While there's no one-size-fits-all solution, the goal is to remain vigilant and proactive in ensuring network and data security.