Logout

BYOD Network Security Risks


BYOD is an approach toward managing the IT devices of employees or the personal of other groups and organizations such as schools. It stands for "Bring Your Own Device".

The "D" can be any device, both phones and laptops - any mobile IT device which can indeed be "Brought". But in the beginning, before the advent and advance of smart phones, it was indeed laptops which this refered to.

Wikipedia for general background.

Why BYOD?

- comfort and familiarity, and so increased productivity

- better programs run on the person's chosen OS than the company's

- company does not need to spend money on those devices, or necessarily on the upkeep and management. (But conversely, more money can end up being spent on security and on trouble-shooting)

- note that companies often say that that they will compensate employees for having to buy their own devices, but in the end if often works out that they manage to not quite reach that level of expense; i.e. the bottom line is that they actually do save money by implementing a BYOD program.

- Employees will definiely take the device home, and so are more likely to work from there.

- There is no need to go back and forth between company and personal device - saving time and bother and issues.

BYOD in Contrast to "Standard Issue"

The alternative to BYOD, and the approach that most often was used with the introduction of laptops into the workplace and schools was to have standard laptops issued to employees/students/teachers. The prime advantage of this approach is clear: similar software and hardware, and so a lack of compatability issues. With standard issue laptops, people could share files and use shared hardware resources such as projectors with ease. And everyone was familiar with the particular OS used on all laptops. Another distinct advantage to this approach is that whenever a device had a major problem, it could be "reset" to its orignal state by "re-imaging" it. An image is a hard drive volume with certain software and preferences. In the laptop program of ISP, for example, if a student's hard drive crashes, they simply get it re-imaged.

Another major advantage of standard issue devices is that security issues and preventative measures are also standard. Only the threats specific to the hardware/software and OS of the standard machines need be monitored and addressed. Furthermore, the most secure hardware/software/OS can be chosen to be the standard issue. A particular choice here would be to use Macs, or other Unix based OS machines, which, even in 2014 are still much more secure than Windows machines. Or in terms of mobile hardware, insisting on Blackberry mobile devices, which, in spite of recent set-backs, are still considered very secure for wireless communication.

So in a nut shell, having a BYOD policy means that not only are there many more hardware/software/OS issues to attend to/look out for, but litereally every single threat and weakness in existance has to be taken into account, for, any hardware/software/OS "weak link" target could potentially enter the front door of the business/school.


The Weak Link

And the concept of the "weak link" is important here. The term comes from the idea that a chain is only as strong as its weakest link. So to use the analogy of a house burglar, they are not going to try to break in through the secure front door, rather they are going to find a vulnerability, and "sneak in through the back door"; all a would-be hacker needs is a "foot in the door", and then once in, they can consolidate their position by breaking through increasing levels of security. All they need is that oportunistic "in", and that can come from any weak link. You could have 99 perfectly secure MacBook Pros, for example, in an office, but if there is one "weak link" PC without a proper firewall, then the hacker can gain access to the network.

So the main issue is that this weak link device is connected to the company/school network.

But there are actually the more simple implications of phones/devices being lost/stolen, or employees moving on to another company, but keeping the company device. (See the above-referenced Wikipedia article for more on this.)


The End of BYOD?

Both from a logistics point of view and security perspective, BYOD policies seem to be, ill-advised, and they very well may just be a passing fad. The advantages, listed above, just doesn't match up to the realities of logistics and security threats. This article notes a rise in unique mobile threats of 261% in the six months leading up to March 2013, due in large part to BYOD.

Meantime the experience of educational forays into BYOD policies bears out the opinion that BYOD's days are numberd. The talk, at least among international schools IT people, is how stupid a policy it is, if only because of the logistical challenges, let along the security threat. Back when the BYOD term was first coined, the International School of Milan was one of the earlier adopters. Other IT folks flocked to see how they were doing things. Those same IT folks, (including the IT director of the International School of Milan, only a couple of weeks ago!) now flock to schools like the International School of Prague, who resisted the BYOD temptation in implementing their laptop programs.

 

For companies, bottom line is that BYOD a huge risk, because one big attack can take down the whole company for a period of time, which can cost huge losses, both in terms of money and customers.