Is your company allowing employees to bring their own devices (BYOD) and use them to log onto the corporate network? If so, do you know what is happening on your network as well as how many devices are on your network?
Network Discovery on BYOD
Recently, I ran a network discovery at a company and found some interesting things. First, I ran the discovery during the “off hours,” meaning there should have been no one in the facility and only the automation and security systems operating. Instead, the scan showed 70 computers, instruments, and printers running on the network.
Next, I ran the same scan during business hours ― full production and full staff – resulting in 120 devices being found on the network. What were the additional devices? Some of the devices were corporate workstations which get turned off overnight, and the remainder of the ‘new’ devices were personal cell phones.
Now, depending on how your networks are configured, that might not be a problem. In a properly segmented network, company-owned devices would have their own segment, and employees’ personal cell phones, laptops, and tablets would be on one or more additional segments. In this case, however, the staff members’ devices were also on the production network, introducing significant risk for the organization.
Risks with BYOD
Phones are susceptible to all the same types of malware and viruses as computers. While updated software provides provides protection against viruses, malware and spyware, old technology at some point stops being compatible with these updates.
Another risk with BYOD is that many cell phones support tethering, which allows the user to exfiltrate data via the cell phone to another computer, server, or cloud repository without the company being able to detect it. This would be done by connecting the device to the internal network and then tethering the device to the external network. Once connected, data can flow both directions, e.g.: Good data (company confidential data) going out and Bad data (viruses, malware, spyware) coming in. Worse yet, someone else could establish a presence, which would allow them to attack other companies while disguised as your company or establish a server from which they transmit spam from your network.
The lesson to learn is that things are never as easy or as secure as you think they are. Be diligent about policies, processes, and knowing what should be flowing where on your network. Not sure what your level of security is? Take our 2 minute Cyber Quick Check to get started on a path toward Cyber Confidence. Our suite of Surveyor tools help you pinpoint your vulnerabilities giving you the knowledge you need to move toward cyber resilience.