Nearly half of North American and European employees use their own devices for work. In developing nations (e.g. India), the rate is much higher. As external devices become integrated into the workplace, however, they bring cybersecurity vulnerabilities along with them, because every new computer in a network constitutes a new path for potential malicious attacks.
This isn’t an opinion – it’s been demonstrated to be true, even for the most secure networks in the world.
SIPRNet, the Secure Internet Protocol Router Network, is the network by which classified information is shared within, and between, the U.S. Department of Defense and State Department. It is, probably, the world’s most secure computer network. It’s heavily defended, both digitally and physically, and it’s separated from the wider internet. Backed by the collective strength of U.S. military intelligence, some have gone so far as to call SIPRNet “completely secure”.
However, no network can be completely secure. SIPRNet, in only the last dozen years, has been subject to an historical breach (in 2010, when Chelsea Manning leaked internal documents to Wikileaks), and a crippling breach (in 2008).
That 2008 incident was particularly interesting. Legend has it that some time during that year, a flash drive was picked up in a parking lot, located at a U.S. Department of Defense building, within a U.S. military base in the Middle East. Somebody picked up that USB, walked it into the building, and plugged it into a laptop. It was carrying Agent.btz, a malicious computer worm, and the laptop it infected was connected to the DoD’s internal network.
What happened next, who was responsible, and which foreign power may have had an interest in infecting the U.S. defense apparatus is an interesting story, and to this day still largely classified. It’s all very complicated, but the lesson here is not. The world’s most heavily-defended computer network was crippled by ordinary malware, carried on a typical USB drive.
If SIPRANet can be hacked by an outside device on its network, what chances does your company have of surviving the same?
Our home and office networks tend not to be so attractive to foreign agents as SIPRANet, but malware is a threat even to computers harboring no state secrets. Therefore, organizations must weigh the benefits and drawbacks of allowing external devices into the workplace.
The fundamental problem with devices brought into the workplace is that any potential threat paths they harbor can’t be easily accounted for. In other words:
Picture all the computers in your office as people. All day, every day, these people sit in the office, at desks, doing their work. Generally speaking, they’re pretty predictable. However, what would happen if you invited complete strangers, into your office? Most of the time, nothing untoward would occur. Yet with each one of those people there may be some chance, that someone might be ill–with a cold, or a fever, or something worse. Maybe that sick person was outside for too long, before coming into the office. Maybe they interacted with another person, before coming to work, who transferred the sickness to them. Either way, the sickness could easily spread around the entire office.
Office computers are themselves vulnerable–particularly to phishing attacks–but at least they’re known entities. They’re almost always used for a limited number of predictable tasks (employees aren’t likely to visit shady websites, or do any other particularly interesting things online while on the clock), and they’re covered by your company’s cybersecurity infrastructure. Personal devices aren’t necessarily subject to that same scrutiny–even if they’re used exclusively for work tasks from 9 to 5, they may yet carry malware contracted while off the clock. What’s more, after leaving the office, they might take away sensitive company data. If that BYOD device is then lost, sold without being wiped, or hacked, there’s nothing your company can do about it.
Still, the rate at which BYOD is being adopted by companies around the world suggests that the benefits outweigh the risks. Allowing mobile phones and tablets on company WiFi is convenient for employees, and allows them to multitask more efficiently. Plus, permitting employees to bring their home laptops into work saves companies on the costs of buying equipment.
Luckily, BYOD need not be an all-in or all-out decision. Rather than ban all personal devices, or allow all personal devices without any further consideration, there is a third option. Companies can allow personal devices in the workplace, while also subjecting them to close scrutiny.
For critical industries – like government facilities in the Middle East – border checkpoints are required in order to check, scan and possibly wipe any outside devices that make their way past the physical barrier of an important building.
For the rest of us, such drastic measures may be a step too far. One way ordinary companies can screen employee devices is to implement AI-driven network monitoring. A software tool overseeing a corporate network can identify new devices, scan them for potential threats, and take measures to ensure that the access they have is legitimate, limited, and therefore not harmful to the rest of the computers on the network.
BYOD is problematic only insofar as it is unpredictable. Careful, considered security measures can alleviate those concerns.
About the author:
Nathaniel Nelson writes the internationally top-ranked “Malicious Life” podcast on iTunes, hosts programs on blockchain and SCADA security, and contributes to AI and emerging tech blogs.