For the past 18 months, employees across the globe have been working remotely from home due to the Covid-19 pandemic. One consideration that has been a concern throughout for many security teams is personal device usage. Commonly referred to as bring your own device (BYOD), it is a topic that was prevalent even pre-Covid and been a significant challenge for many security teams over the years.
Cast your minds back to March 2020: governments were issuing stay-at-home orders at very short notice and many employees were expected to work from home, some without access to work devices. These were unprecedented times (a phrase used sparingly in this article) and, as such, some employers enabled their employees to use personal devices for work purposes until authorised equipment could be issued. Other organisations expanded their BYOD policy to allow it throughout the pandemic, especially if infrastructure and services were in the cloud and could easily be monitored. Why spend money on extra devices if everything can be accessed by an employee already?
As more workplaces in various countries start to open again, these decisions must now be reassessed. Here in the UK, Monday 19 July was the day when all restrictions were lifted, including working from home.
For many employees, myself included, a work-issued device is the norm, only to be used for work purposes. Personally, I prefer the separation between work and personal, so a work notebook I can turn off at the end of the day and put away is a blessing. However, for others, one device is more cost-effective and means they can do everything anywhere. All employers and employees need to consider the security and privacy implications that this option raises.
Personal devices bring all manner of risks to consider:
- Multiple user accounts.
- Synced up services and browsers to other devices.
- Saved passwords.
- Personal files, including photos.
- Unapproved software.
- Potential data leakage.
- Potential malware infections.
Bringing something like this into the office without putting controls in place is like inviting a fox to dinner in a hen house – it is not going to have a good outcome. So, what do security teams need to consider for employees returning to the office?
Firstly, a clear framework of policies and procedures should be in place that employees must follow. ISACA’s COBIT framework, as well as others, such as ISO 27001 and SSAE 18, all have controls related to asset management and personal devices, so if these are in place already, then organisations already have a baseline that employees should be following.
These policies and procedures should clearly detail what employees can and cannot do with personal devices, with clear consequences for non-compliance. If organisations do not follow these or other frameworks, then there is no reason why a personal device policy cannot be put in place to ensure there is clear guidance going forward.
Policies can cover all types of devices or be as specific as required. For example, an organisation could prohibit the use of personal notebook devices but allow personal mobile devices to be used for email and calendar requirements only. This could take the form of a signed policy that employees agree to if they want to use one mobile phone for everything. How restrictive an organisation wants to be comes down to its risk profile.
Documented policies can only go so far, so organisations will probably require technical controls to be in place, too. There are many different systems and services that can be put in place, depending on the restrictions required and budget available. All these controls will again come back to the risk profile of the organisation.
If an organisation is going to allow personal mobiles only, then mobile application management (MAM) could be rolled out to those devices. This would allow the phone to function as normal for the employee, but restrict work aspects to specific applications and prevent data leakage by disabling items being copied or transferred from these applications to personal applications.
However, if an organisation is going to allow personal notebooks as well, then consideration needs to be given to how that device is monitored for risks such as those listed above. If the personal device policy clearly defines that all personal devices require endpoint software to be installed, then the employee can either accept this as part of the policy terms or be issued a company device.
This software could still allow employees to use their device as normal, but certain risks, such as software installation, account provisioning, malware alerting and data leakage, would be covered. That could bring challenges to the employee at home, but this is the trade-off when using a personal device.
Providing access to the network is another matter – organisations can implement controls to prevent personal devices accessing the office network. This could range from media access control (MAC) address allow-listing to preventing LAN cables from providing access, a control commonly adopted to prevent visitors plugging in devices. If these controls are implemented, organisations need to consider carefully if they should be loosened or removed for returning employees.
Training is another factor to consider, both for employees and the security teams themselves to deal with these new risks. Employees need to understand through security awareness training what they should and should not do, and the consequences of their actions.
Likewise, if an organisation starts allowing a wide range of new devices to be used, both the IT and security teams need to be able to support the challenges these devices bring. ISACA’s State of Cybersecurity 2021 report details the challenges of insufficient staffing and training in security teams, so organisations need to ensure that their security teams are adequately prepared, both in terms of staff and understanding of the new requirements for returning office workers.
Of course, these points are not all-encompassing, but will give security teams and organisations initial starting points to consider as they look to welcome back employees to the office.
Simon Backwell, CISM, is information security manager at Benefex and a member of ISACA’s Emerging Trends Working Group