First BYOD, now BYON poses security challenge

Opinion

First BYOD, now BYON poses security challenge

Like bring your own device (BYOD) before it, the march of bring your own network (BYON) is happening silently, stealthily and almost completely outside of management control.

Nearly all modern smartphones and 3/4G tablets can be instantly turned into wireless hot spots allowing them and any other wireless-enabled systems within range to be connected to the web, whether out in the field or at the workplace desk.

From an employee’s viewpoint this makes perfect sense. They may have been denied permission to connect their personal devices to the corporate network or do not want the hassle of seeking these approvals and have the company install control software on their personal devices.

They will be aware that many sites like social media, betting and music download sites are either blocked or have their use monitored. 

And besides, their brand new 4G tariff gives them a cool 12Mbps speed with all-you-can-eat data – which is probably not true of the clunky corporate LAN struggling to deliver even one-tenth of that.

So what’s the problem with BYON?

From a security and capacity perspective you might say, “better them doing it on their kit than mine”, or “at least it’s hardware and software I don’t need to provide support and capacity for”, but you would be missing the point.

Someone spending a large part of their workplace time pursuing personal interests represents a huge hit to productivity and the bottom line once you have enough people doing it, with the bigger issue being that you cannot readily detect, monitor or quantify it. 

These things also tend to become endemic in the workplace culture and hard to reverse after a very short time.

The situation also drives a coach and horses through any policies you might have regarding improper or illegal material being viewed in the workplace, as it bypasses any of the filters or logs you may have spent fortunes putting in place to avoid.

Furthermore the assumption those personal Wi-Fi hotspots are completely air-gapped from the corporate IT is a dangerously weak one. Unless you have a tight lockdown on all your office PCs – preventing their connection to unauthorised wireless access points and backing them up with data loss prevention (DLP) on everything to ensure files downloaded elsewhere cannot be transferred to any office systems – there is a real risk of bridging the secure enterprise network to insecure private ones at multiple points.

Plus, there is the bigger risk that sensitive data will go the other way, by leaking out through the insecure access point or being carried out on an unprotected personal device.

So what to do about it?

First and foremost, check your security, staff and acceptable use policies are clear and unambiguous regarding the use of BYON and personal wireless hot spots in particular. 

Even a BYOD policy written as recently as 2012, may not make specific mention of personal hot spots and their use.

Next, carry out a business risk assessment involving the key risk stakeholders including HR, IT and security to identify the risks in both scenarios of either permitting or banning the use of personal Wi-Fi hot spots.

If the organisation opts to allow their use, you will need to define the precise "what, when and how" of their acceptability and then enshrine it in corporate policy. If you opt to ban them, then work out how you are going to detect and respond to the exceptions which will occur.

In all cases you will need to consider how to prevent any personal network connection, whether allowed or not, from circumventing your entire enterprise security infrastructure.


Adrian Wright is vice-president of security research for ISSA UK

Email Alerts

Register now to receive ComputerWeekly.com IT-related news, guides and more, delivered to your inbox.
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy

This was first published in April 2013

 

COMMENTS powered by Disqus  //  Commenting policy