You cannot forbid to bring: how to implement the BYOD concept and not harm information security

Every year, more and more companies in one form or another introduce the BYOD concept. According to a Global Market Insights study, by 2022 the BYOD market volume will exceed $ 366 billion , and Cisco reports that 95% of organizations in one form or another allow the use of personal devices in the workplace , and this approach allows you to save $ 350 per year per employee. At the same time, BYOD creates many difficulties for the IT service and a lot of various risks for the company.



The ability to perform work tasks using their own gadgets is perceived by many as an element of freedom, a progressive approach to company-employee relationships, and generally a typical example of a win-win strategy. In general, there is no reason to doubt: the employee is happy to use equipment that he has chosen to solve problems, and the company receives an employee who is always in touch and does the work even after hours. According to Frost & Sullivan, BYOD adds up to 58 minutes a day to employees and increases productivity by 34% .



Despite all the advantages, BYOD gives rise to problems - problems of incompatibility and timely installation of security updates, theft and damage to personal devices. And this is only a small part of the headache that you have to endure in the name of convenience. We will talk about how to solve these problems while maintaining a balance between safety and efficiency, in this post.

BYOD

It stands for Bring Your Own Device, or "bring your device." In 2004, BroadVoice VoIP provider proposed connecting customers' equipment to its network and designated a method such as BYOD. In 2009, Intel “updated” the concept of BYOD, somewhat expanding its meaning. With a light hand, Intel began to mean the use by employees of companies of personal devices to solve business problems.



Since there is no strict definition of BYOD, different organizations may understand this concept in different ways. For example, some companies allow employees to use personal devices to solve work issues, but the employee incurs all communication and repair costs himself. Other companies compensate for these costs, or connect employees to a corporate contract.



Since in the case of BYOD, the company does not choose the devices that employees use, the compatibility problem is raised to its full potential. CYOD, another similar BYOD concept, allows eliminating it, at the same time solving financial and legal issues.

CYOD

The abbreviation CYOD stands for Choose Your Own Device - "choose your device." Under this concept, an employee can choose from the list of typical devices that which will best allow him to solve his tasks. Depending on corporate policies, CYOD may allow or prohibit the use of corporate devices for personal use.

COPE

This term stands for Corporate-Owned, Personally Enabled and means that the devices selected by the employee are purchased by the company, but it is up to them to configure and maintain them. As a rule, COPE also implies the possibility of using the device for personal purposes.

ROSE

POCE - Personally owned, company enabled, "purchased by an employee, authorized by the company." Essentially, this is just another name for BYOD.

Benefits of BYOD

For staff

• one device for personal and work tasks (if this does not contradict corporate policy),
• the ability to use the latest device models,
• mobility,
• flexible schedule,
• remote work.

For the company

• cost reduction - the company does not have to purchase devices for employees,
• increasing employee motivation,
• Availability of employees after hours
• higher efficiency of solving urgent issues,
• reduced need for office space.

Risks and threats BYOD

Risks associated with BYOD are a natural consequence of the benefits of the concept. The more freedom employees who use personal devices to interact with the network of the company get, the greater the potential damage they can cause.



Lost or stolen device



If an employee loses the laptop on which he performed work for the company, this will create a lot of problems. Over time, corporate documents, including confidential ones, as well as documents containing personal data inevitably accumulate on the device. The leak of such information is likely to lead to fines, competitors or attackers can use them to blackmail or simply sell on the black market to cybercriminals who organize targeted or phishing attacks.

But in addition to documents, the device stores credentials for access to the corporate network and / or encryption keys recorded in the registry so as not to mess with tokens. Using this information, an attacker can penetrate the network, steal everything that he can reach, install malware.



Another problem is that an employee who is deprived of his working tool cannot do what he is paid for. And this issue needs to be resolved as quickly as possible. If a large corporation is likely to be able to pick up equipment from the reserve, one cannot count on such a luxury in a startup.



Vulnerabilities and malware



Obviously, employees working according to the BYOD scheme will use their devices to solve not only work, but also personal tasks. After completing the work, they will watch online videos, look for essays for children and play games downloaded from torrent trackers. And with non-zero probability their children will do the same.



The result of such frivolity, as a rule, is not too inspiring: malware appears on the device - spyware, ransomware, and backdoors. When connected to a corporate network, the entire set of malware will look for new victims. And it is possible that he will find. But even without this, stolen logins, passwords and details of corporate bank cards will not bring any benefit.



Even if the employee behaves responsibly, does not visit suspicious sites and does not download pirated software, the problem of phishing emails remains, as well as keeping the OS and programs up to date. Using well-known vulnerabilities, malware can infiltrate the device on its own or with minimal involvement of the user who clicked on the link in the letter, very similar to the usual letter of the counterparty.



Mobility as a problem



The off-road nature of the use of equipment under BYOD means not only an increased risk of losing your favorite gadget, but also risks associated with confidentiality. Fans of working in coffee houses and other public places do not take into account the fact that:

• they are in the field of view of strangers and video surveillance cameras, which means that the passwords that they enter and the documents they work with are made public by strangers;
• the use of public Wi-Fi networks at airports and hotels carries the risk that the transmitted information will be intercepted or a malicious script will penetrate the device;
• the active use of mobile Internet in roaming can lead to financial losses.

How to protect yourself?

The risks posed by BYOD cannot be completely eliminated. But by combining organizational and technical measures, damage can be minimized or even completely eliminated. The main ways to ensure BYOD security are virtualization, the management of mobile devices, applications and data, as well as intelligent endpoint protection systems.



Virtualization



The beauty of this technology is that the user's device is used exclusively to gain access to the virtual workstation. All documents and programs are also located there and are not copied to the device. The service of virtual workplaces is carried out by IT specialists of the company, so all that is required of an employee is to keep secret the details for access to the corporate network. This will not help if spyware penetrates the device, but eliminates data leakage during theft.



MDM, MCM, MAM and other mobile device management systems



Mobile device management systems allow you to centrally manage the entire BYOD zoo, setting restrictions on documents, on resources to which the user has access, and on operations that he can perform when connected to a corporate network.



For example, the Microsoft Intune tool supports devices based on Windows, macOS, iOS, Android and allows administrators to:

• automatically delete corporate data if the device does not connect to the service within a specified time;
• establish a ban on the storage of corporate information in any location other than "OneDrive for Business";
• Request a PIN or fingerprint to access Office applications
• Prevent the copying of corporate data from Office to personal applications.

Similar solutions for managing mobile devices are offered by Apple (Apple MDM), Citrix - XenMobile, Cisco - Meraki, Trend Micro - Enterprise Mobile Security and several third-party manufacturers.



BYOD Protection



Even the most advanced controls will not help if the device gets into the device, therefore, in the case of BYOD, it is worthwhile to use XDR-class security solutions (X Detection and Response, where X corresponds to various corporate environments). Such systems can detect and help stop unknown threats, providing monitoring of all information systems in the enterprise. The approach to Trend Micro XDR includes the EDR subsystem (Trend Micro Apex One), which forms the multi-level protection of end devices, as well as network products of the Deep Discovery family, which allow detecting threats on nodes without security agents.

What is the result

Uncontrolled use of BYOD can create huge problems for companies. In order to fully feel all the advantages of using personal devices to solve business problems, it is necessary to take risks into account and protect the network perimeter and user devices. An additional level of protection will be provided by the development and implementation in everyday practice of a security policy that users can focus on during their work.