Once upon a time, workplaces struggled over the now-quaint idea that an employee might occasionally use his or her own laptop or personal smartphone to perform work-related tasks.

When this trend first began, IT workers often knew all the BYOD users by name — those were the days.

Of all the disconnects that exist today between IT teams and other departments, perhaps the widest chasm is over bring-your-own-device (BYOD) practices. And if it’s difficult to secure the wide variety of known employee gadgets on your network, then it likely feels downright impossible to manage all of the uninvited guests.

The Evolution of Bring-Your-Own-Device

Today, employees bring a cornucopia of gadgets with them to the workplace — and use them all over the world to connect with work networks. A Fitbit, an Amazon Alexa, a smart TV and even a connected refrigerator or microwave could be a potential menace to a company now, according to the May 2018 report from security firm Infoblox.

Why would someone connect a kitchen appliance to an office network? While the answer to this question may never be fully clear, this practice is happening.

All of the aforementioned gadgets have their own applications, and these applications are used by employees who may or may not be well-versed in the risks they entail. The confluence of the Internet of Things (IoT), BYOD and “shadow IT” creates security headaches the likes of which no one has seen before.

Securing desktops was once a security team’s primary job. Now, each employee might have access to dozens of endpoints — each one bringing unique threats.

An Increase in Rogue Cyber Risks

Sure, you can remotely wipe a lost smartphone (and trust the worker to report it promptly). But can you really trust that your employee’s 6-year-old son will never download a rogue application onto his dad’s tablet during a family road trip?

The risks are growing fast: According to the Infoblox report, one-third of large organizations say there are at least 5,000 non-business devices connected to their networks. Predictably, these devices are used for all manner of non-business tasks, like using social networking sites.

“Due to the poor security levels of many consumer devices, there is a very real threat posed by those connected devices operating under the radar of many organizations’ traditional security policies,” said Gary Cox, technology director at Infoblox, in the report. “These devices present a weak entry point for cybercriminals into the network and a serious security risk to the company.”

Infoblox asked workers what they do with their personal devices while accessing the enterprise network. Thirty-nine percent said they access social media, but workers also download applications (24 percent), games (13 percent) and films (7 percent) — not a great use of network resources.

What Security Problem? Denial Runs Deep

Some IT departments seem to be in denial about the problem: While 88 percent of IT leaders who responded to Infoblox’s survey said their security policy for connected devices is effective, nearly one-quarter of U.S. and U.K. employees said they didn’t even know if their organization had a policy at all.

The risks from all of these connected devices aren’t theoretical — they’re real. The U.S. government created “Weeping Angel,” software that was capable of turning smart TVs into surveillance microphones. (This is just one way hackers could use an insecure gadget to steal company secrets.) The more significant threat, however, might be the use of devices as part of a botnet.

In 2017, Verizon discovered that 5,000 devices at a university — including vending machines and lightbulbs — were used in an attack that caused the entire school’s network to slow down. And then there’s Mirai, an IoT-based botnet attack that managed to slow down whole portions of the internet back in 2016, primarily by deploying a network of hijacked closed-circuit television (CCTV) cameras.

How to Effectively Manage BYOD Practices

Neither BYOD nor IoT is going anywhere. So, what should IT departments do? The solutions aren’t easy — and they’re going to have to evolve alongside every new gadget and application that connects to the company network.

Here are a few practices to consider:

  • Implement policies and software solutions that restrict access to specific content categories, such as social networking sites.
  • Establish training to ensure that all employees are aware of policies around BYOD devices, including specific training around IoT devices.
  • Ensure constant monitoring of approved hardware and software. (Just because your team decides a particular tablet or application is safe today doesn’t mean it won’t be unsafe tomorrow.)
  • Consider cost-benefit analysis. Sure, employees are happier with their own devices — and the company saves money on hardware costs and training — but is it worth the risk?

The combination of BYOD and the IoT will continue to dramatically increase the number of gadgets that security professionals have to worry about. Securing these devices and all their associated applications while enabling employees to work efficiently will be one of the toughest tasks of our time.

Don’t make the task any harder than it has to be: Start by keeping out the uninvited guests.
