Avoiding the unexpected consequences of BYOD
Bryan Lillie, Chief Technical Officer - Cyber Security
Initially these initiatives were uncontrolled, but now many commercial organisations have matured and de-risked their approach, choosing instead to harness the value of employees’ own devices.
But BYOD is now entering a new space. Until now the number of smart connected personal devices was largely limited to phones and tablets. More recently smart watches and other wearables have joined the list of technology that many people find indispensable. As the Fourth Industrial Revolution (4IR) ramps up, the number of interconnected digital devices will increase exponentially. With that comes a correspondingly rapid increase in the number of potential BYOD endpoints to be managed. Commercial organisations with existing BYOD approaches are prepared. Their existing endeavours can scale quickly to accommodate the imminent influx of new connected tech.
Organisations in highly-regulated environments such as defence, security and CI (critical infrastructure) haven’t followed the same path. These markets operate in a different context to the commercial world because they have a requirement to secure mission-critical environments. This changes the nature of the risks to be managed – the impact of a compromised BYOD endpoint could be considerably more severe. In recognition, they haven’t taken the same steps as their commercial counterparts and their exploitation of BYOD has not been as widespread. Regardless, the flow of new technology into their ecosystem is growing and therefore the pressure for them to implement solid BYOD policies is as well.
This largely stems from the fact that defence, security and CI organisations are increasingly required to be more responsive through digitised operations, leveraging data assets and exploiting emerging technologies, whilst constantly managing restrained budgets. Many personal smart devices can help achieve these outcomes so a growing number of individuals are using their own technology in high-criticality operational environments, but without sufficient controls. As 4IR technology enables greater use of these devices and the Internet of Things (IoT) becomes more pervasive it will inevitably lead to even more personal technology encroaching on sensitive environments.
This could be very useful if such user-driven behaviour can be harnessed to boost performance. For example, the probability of mission success and survivability could be significantly increased by incorporating personal devices into operational node architectures. But because BYOD implementation has not yet been properly de-risked, as the presence of unregulated and unmanaged endpoints grows, so will the threats and unintended consequences. In one recent high-profile example, the locations of remote military bases were inadvertently revealed through the use of Strava’s fitness app. The root cause of this security breach was that the app monitors the number of runners using particular routes, then offers other users access to these popular circuits. The arrival of newly operational bases with large numbers of personnel looking for ways to keep fit led to previously unknown routes becoming instantly popular due to the volume of Strava data now available on these sites. This was largely unpredictable but it illustrates why BYOD in high-criticality environments can quickly become a significant threat.
The potential value of commercial-ready personal technology could certainly far outweigh the challenges for these sectors. But BYOD needs to be de-risked now while the scale of change is still manageable. So how do we accelerate the process of maturing and de-risking BYOD in defence, security and CI environments? Essential elements of successful implementation should include the following:
- To harness the benefits, we must clearly define the opportunities and risks. A holistic view is invaluable, as is exploring the unintended consequences.
- We need to design BYOD solutions/policies that appropriately balance security and performance requirements.
- We must build trusted partnerships to learn from commercial organisations who have already successfully implemented BYOD strategies.
- We have to capture both organisational and user perspectives to ensure the needs of the organisation are equitably balanced with those of employees – for example, monitoring ‘acceptable use’ versus loss of personal privacy. Part of this is about recognising user requirements because these will drive adoption of BYOD. In the end it is employees who will weigh up whether it is worth them bringing personal devices to work so it’s their drivers we need to best understand.
- We must clearly define the system boundaries for each type of device and user group. We need to specify clearly what usage is allowed, what data and applications may be accessed, and where.
- A clear policy and operational framework, which defines a layered usage approach based on device types, users, data, applications and usage, will ensure everyone across an organisation understands how best to use personal technology without compromising security. For user clarity, it is also helpful to articulate how the organisation benefits and how data will be used.
By taking this approach many organisations in these sectors will be able to proactively get in front of the problems BYOD could present. As IoT begins to encroach on these environments there is no choice but to make personal devices safe, secure, and part of the mission ecosystem. Clear policies and a framework for accommodating new devices will increase the chances of making BYOD a safe, assured way to harness individuals’ desire to use their own technology as part of a broader strategy for deploying 4IR technology.