If you’ve ever worked for a large organization, you’re no stranger to acceptable use policies that dictate your allowed use of personal laptops, tablets, smartphones and other devices on the corporate network. Such policies aim to minimize the security risks assumed when employees connect their personal devices to enterprise networks. BYOD security and device management have long been discussed topics within the enterprise, but their cousin BYOP (Bring Your Own Password) may carry even more significant security implications.
A Necessary Evil
As of last year, 87 percent of companies actually required employees to use their own devices to access business apps. Add to that two foregone conclusions: any device that lives outside the company firewall has most likely operated on many different unsecured networks, and the security hygiene individuals practice at work probably doesn’t carry over to the home. The latter point is especially true when taking into account how any company’s attack surface widens drastically when an employee’s family, friends or even unexpected “guests” utilize (and therefore contaminate) employees’ private home networks.
The global market for BYOD security solutions has grown along with BYOD use itself. According to Computer Economics, while nearly 60 percent of organizations now have BYOD policies in place (up from less than 50 percent in 2015), only 38 percent have formal policies governing what devices are permitted and how those devices can be used. Fewer than 10 percent of employees report they have “complete awareness” of all of their devices across networks. On the enterprise side, an alarming 35 percent of companies do not report feeling prepared to determine a BYOD policy, while only 64 percent of companies feel they have situational awareness of all the devices on their network. In effect, enterprises stand to lose visibility of the endpoints, users and accounts accessed on their networks.
When employees bring the unmanaged personal devices they use for both corporate and personal accounts at home to the corporate network, the enterprise is exposed to exponentially more threats. This is especially true with jailbroken devices, whose default security settings have potentially been completely disabled. The most obvious threats posed by BYOD include the spread of malware, unnecessary resource-thirsty apps (such as Pokemon Go Ultimate) and of course, unwanted corporate data exfiltration. But devices are only half of the equation. A tangled web of devices, apps, accounts and identities is suddenly on the same network — passwords and all.
The statistics in the preceding section become even more concerning when considering the threats tangential to BYOP, especially across multiple accounts. Compromised devices on the corporate network can lead to the exposure of enterprise account credentials that can be viewed or stolen when accessed on personal or shared devices. Even though organizational policies might dictate the use of strong passwords for corporate accounts, thanks to BYOD, all bets are off because 35 percent of employees store their work passwords on their unmanaged personal smartphones. And when employees use the same (or similar) passwords across personal and work accounts, the risks and potential for one stolen password to provide the key to many corporate accounts are only exacerbated.
The complete lockdown of now ubiquitous BYOD and BYOP simply isn’t practical, so how can organizations defend themselves?
From a strategic standpoint, information security executive leadership can gain situational awareness by mapping out their theoretical exposure. This map needs to cover, for each employee, the number of accounts they use, the number of personal accounts their family members hold on average, the number of work accounts they have, and the total number of employees. Such maps should have multiple, interconnected nodes accounting for each employee, family member, device, network and account. Each connection between them represents a potential pathway for a malware infection or account takeover, and each personal device or account represents a weak link given the “human element” of security, specifically bad password hygiene.
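The exposure map described above can be built as a plain graph and queried: which corporate accounts sit on a pathway from a given compromised personal device, and which passwords are reused across accounts? The script below is an added example, not code from the original article or from any vendor; the household, devices, networks, accounts and “type:name” node labels are constructed sample data, and treating people as owners rather than as hops an infection traverses is this example’s own modeling assumption.

```python
from collections import deque

# Constructed sample exposure map for one employee ("alice") and her household.
# Node names follow a made-up "type:name" convention. Every edge is one
# potential pathway for malware spread or account takeover. None of this is
# real organizational data.
SAMPLE_EDGES = [
    # people own devices (used for attribution in reports, see NON_HOPS below)
    ("employee:alice", "device:alice-laptop"),     # managed corporate laptop
    ("employee:alice", "device:alice-phone"),      # unmanaged personal phone (BYOD)
    ("family:bob", "device:bob-tablet"),           # spouse's tablet, never sees IT
    # devices sit on networks
    ("device:alice-laptop", "network:corp-lan"),
    ("device:alice-phone", "network:home-wifi"),
    ("device:bob-tablet", "network:home-wifi"),
    # accounts are used from devices
    ("device:alice-laptop", "work:alice@corp-vpn"),
    ("device:alice-phone", "work:alice@corp-mail"),
    ("device:alice-phone", "personal:alice@webmail"),
    ("device:alice-phone", "personal:alice@shop"),
    # accounts authenticate with credentials; a credential node attached to
    # more than one account is a reused password (the BYOP weak link)
    ("work:alice@corp-vpn", "credential:pw-1"),
    ("personal:alice@shop", "credential:pw-1"),    # same password as the VPN
    ("work:alice@corp-mail", "credential:pw-2"),
    ("personal:alice@webmail", "credential:pw-3"),
]

# Assumption of this example: a person appears in the report as an exposed
# owner but is not a hop that an infection or a stolen password travels through.
NON_HOPS = ("employee:", "family:")


def build_graph(edges):
    """Undirected adjacency map: node -> set of neighbouring nodes."""
    graph = {}
    for a, b in edges:
        graph.setdefault(a, set()).add(b)
        graph.setdefault(b, set()).add(a)
    return graph


def shortest_paths(graph, start):
    """Breadth-first search from the compromised node.

    Returns node -> shortest pathway (list of nodes) from `start`.
    """
    paths = {start: [start]}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        for nxt in sorted(graph.get(node, ())):   # sorted for deterministic paths
            if nxt in paths:
                continue
            paths[nxt] = paths[node] + [nxt]
            if not nxt.startswith(NON_HOPS):
                queue.append(nxt)
    return paths


def exposed_work_accounts(edges, compromised):
    """Corporate accounts reachable from `compromised`, each with its pathway."""
    paths = shortest_paths(build_graph(edges), compromised)
    return {node: path for node, path in paths.items() if node.startswith("work:")}


def reused_credentials(edges):
    """Credential nodes shared by two or more accounts: the password-reuse weak links."""
    graph = build_graph(edges)
    return {node: sorted(adj) for node, adj in graph.items()
            if node.startswith("credential:") and len(adj) > 1}


if __name__ == "__main__":
    print("Reused credentials:", reused_credentials(SAMPLE_EDGES))
    # A guest's tablet on the home Wi-Fi is compromised: what corporate
    # accounts lie on a pathway from it, and through which links?
    for account, path in exposed_work_accounts(SAMPLE_EDGES, "device:bob-tablet").items():
        print(account, "<-", " -> ".join(path))
```

In the sample data the VPN account is never touched from the personal phone, yet it shows up as exposed from the spouse’s tablet because its password is shared with a shopping account that the phone does use; delete the reuse edge and the VPN account drops out of the result. That is the kind of pathway the map is meant to surface, and the same structure extends to many employees by adding their edges.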
To start actively addressing the problem, organizations can educate their employees on the importance of not reusing passwords, using strong passwords, and even passing that advice on to their family members. Acceptable use policies should be updated and shared regularly to include guidance specific to password strength and, of course, BYOD security. New guidance should stipulate exactly what can and cannot be accessed from unmanaged, especially mobile, devices.
Even for companies with SIEM/IDS/IPS suites that update dynamically, generate meaningful alerts and learn their own networks using machine learning, BYOD security cannot be enforced strictly at the device level. Application-based security controls and other mechanisms are also important. Some companies require users to access company resources only through in-house apps over encrypted connections. This serves as a reliable way for companies to control the movement and security of corporate data, plus credential exposure, on unmanaged personal mobile devices.
Finally, BYOP as a side effect of BYOD also needs to be addressed head-on. Organizations should require that employees use password managers for both their personal and corporate accounts, and those passwords should be long, complex, stored securely and never reused between accounts.