Bring your own security (BYOS): good idea or not?

Bring your own security (BYOS): good idea or not?

We’ve talked about the concept of Bring Your Own Device, or BYOD, on the blog before. BYOD is a popular policy whereby employees can bring personally-owned devices, such as laptops, tablets, or smartphones, to work and use them to access data and applications. It helps to cut costs and can increase productivity, but it brings with it many security concerns and implications.

Similar in theory to BYOD is BYOS, or Bring Your Own Security. This method allows employees to choose which security solution they would like to run on their devices. Is this theory a natural evolution of BYOD or does it bring with it more concerns? Do those concerns matter if the device that will be submerged in the company network has its own security software installed?

BYOS concerns

Differences in the security software that runs on corporate systems and BYOS devices can give your IT department a headache—especially if said devices have access to company resources like shared drives. Are there any conflicts between the software on the devices and the security solutions running in the corporate environment? It’s certainly possible.

There could be gaps between the devices’ security programs and corporate systems that attackers could take advantage of. In fact, adding security software to an existing setup does not always enhance security—especially if they are of the same type, such as two large antivirus suites or two free remediation tools. Even worse, you could end up weaker than you were before.

In addition, misconceptions may lead device owners into a false sense of security. For example, some may believe they are protected behind the company’s firewall as soon as they connect to the corporate Wi-Fi, or even as soon as they walk in the door. But is that true?

Let’s look at a few scenarios involving both BYOD and BYOS, their pros and their cons, and the security implications that each scenario brings with it.

The scenarios

To begin jumping into the following scenarios, let’s first set the stage by presenting four possible ways the BYOS policy might be implemented, whether devices are personally owned or issued by the organization. They include:

  • The employee owns the device and has his own security software installed.
  • The employee is issued a company device that she may also use for personal purposes. She gets to choose and install whichever security software she wishes.
  • The employee owns the device, but in order to be allowed to use it for company matters, she must install the company’s choice of security software.
  • The company issues a device that came with its choice of security software installed.

Before we talk these scenarios through one by one, let’s first establish one thing up front: An employee running security software that he did not choose, nor is familiar with, is probably a bad idea. Unless it is a cloud-based product that can be administered from a central location, the employee should get some training on how to optimally use the solution. There is no stronger security for workplaces than user awareness. In fact, we would—and do—advise this no matter what the scenario.

Scenario 1: All on the user

In the first scenario, in which the employee uses his own device and security software, you might say that it’s good for the company to stay out of the way and trust its users. However, when it comes to matters of security for proprietary data, it’s never a good idea to let it all blow in the wind.

It’s easy to say that it would be the employee’s problem if anything were to happen to the data on his device, but what good would that do the company? The information would already be out there, and the loss of data, endpoints, productivity, and reputation would cost much more than a single salary.

As for the employee: Would he even come forward about the leak if the company had no control over his device in the first place? Probably not. The company might be able to trace the infection back to his device, but after how long? How long did information-stealing malware sit and propagate in the network? What sort of secrets will it expose to those willing to pay top dollar on the black market?

This scenario would be the single worst BYOS idea if it weren’t for…

Scenario 2: A rare scenario

In this scenario, the organization issues a device to its employee but expects her to choose her own security program.

This is a rare scenario for good reason. Perhaps a company’s own IT department might have its employees test out different vendors. Perhaps a user only makes phone calls or types up documents on her device, and doesn’t need the Internet to do her job. However, in any other case you’d have to have one trusting organization and one extremely security-wise workforce.

Otherwise, employees might go for the cheapest option if they need to spend their own money—or use a free, limited version instead. Or, if billing the company, they may just grab the only name they know without investigating if it’s a good fit for the device or the user. The only other explanation is that the company cares so little about the security of their devices and networks, that they’re willing to throw away money on them.

Scenario 3: Mostly pro, a little con

This situation calls for the employee to select the device, but the company to prescribe the security setup.

Here, the employee gets to either purchase or be reimbursed for the device she likes with the caveat that she must install security software that meets corporate guidelines. This is mostly a win-win scenario, as the employee gets to use the device she prefers, but the company can be reassured that the device is secure and safe to use in the corporate environment. In an ideal situation, the device can even be monitored by the corporate SIEM or cloud console.

One note on this scenario: While it’s an ideal setup for supplementary devices or remote employees, it might not make the most sense for users’ primary machines. This is because managing a fleet of different devices with different operating systems could get tedious for IT teams, even with the same security protocols followed.

cloud management

Scenario 4: The company’s choice

The fourth scenario, where the company decides on the device and the security software, is the easiest solution for organizations, but decidedly neither BYOD or BYOS. This sounds more like what an HQ worker might expect to receive from the IT department on the first day of employment.

While easiest to control, it’s also costly—whether the company is providing a single laptop or a supplementary smart phone. In this case, businesses should be prepared to defend against threats encountered by employees doing legitimate work or occasionally using the device for personal reasons, such as online shopping or social media. Companies should essentially treat this more or less the same as when an employee occasionally takes a company laptop home to do some work.

Installing security software on a corporate machine

A completely different scenario is one in which no outside device plays a role. Instead, employees bring their own security into the workplace environment. This does sometimes happen—people install their preferred security software on their work computers of their own initiative. For example, our telemetry tells us that our free consumer remediation product is downloaded and run on many corporate machines, used to clean malware that has slipped through the cracks of their workplace’s official security setup.

What we can’t see in our telemetry is whether this is done by users themselves or by someone from the IT team as an impromptu method to deal with an infection. Although using a free consumer product in a business environment is technically against the rules, it doesn’t pose a direct security risk. It does pose a question for the company’s IT department, however, who would probably like to know which threat managed to wriggle through their net and how.

Regardless, there’s a difference between employees installing free remediation tools for clean-up purposes only and those that install paid-for, active protection on top of network security. In the latter case, the active endpoint security conflicts with the active network software that is controlling the corporate environment. Like two dogs fighting over a bone, and no one wins, because the bone (malware) escapes.

Important considerations

The safest, most efficient way to implement workplace security for both the company and its employees is to come up with a corporate policy. When trying to decide on a BYOD security policy, there are a few points that should at least be considered. They include:

  • Which Operating Systems will you allow? Not every software can cover all the OSes, and if you want to go for uniformity or central management, this is an important issue.
  • Which software will you allow? And if you are going to use restrictions, will you be using a blacklist or a whitelist?
  • How detailed do you want your security policy to be? Are you going to give your employees a general outline or are you really going to drill down into details like minimum requirements for passwords or how to identify phishing emails?
  • Do you want to be able to monitor devices that fall under the BYOD setup from your central management console? And does that require the devices to meet certain specifications?
  • What happens to the devices when the employee leaves the company? Or better yet, what happens to the information, software, and other company-related data on the device?

Best practices

The list of best practices to turn any Bring Your Own Security setup into a successful and secure endeavor looks a lot like the list for any security guidelines, but we want to repeat the advise anyway:

  • Train your staff on basic computer hygiene, such as avoiding tech support scams, steering clear of links to unknown sources, and never opening attachments from suspicious emails. In addition, make sure they’re aware of what to do and what not to do in the event of a breach.
  • Create a fair policy that has been clearly communicated so that employees understand what is acceptable and what the consequences might be if they don’t comply.
  • Encrypt file storage and communications to lessen the chances of vital information or data falling into the wrong hands.
  • Ensure timely software updates for all. What’s the use of a system admin rushing to check, verify, and install updates when there are some devices roaming around that are a few patches behind.
  • Use a VPN for off-site communications to rule out eaves-dropping and man-in-the-middle attacks.

There are pros and cons to most BYOS and BYOD scenarios—however, if a company’s IT team and workforce is prepared, many of these situations have a good chance to work out in the best interest of all involved.

Awareness of the possible implications is always a good starting point. Vigilance is security’s better half.

ABOUT THE AUTHOR

Pieter Arntz

Malware Intelligence Researcher

Was a Microsoft MVP in consumer security for 12 years running. Can speak four languages. Smells of rich mahogany and leather-bound books.