The moment the word BYOD comes up in a leadership conversation, the vast majority of Chief Information Security Officers (CISOs) begin to feel panicked. By our nature, CISOs are conditioned to avoid BYOD in all form factors (office, mobile workforce and remote workers).
Though there are effective mobile device management (MDM) tools for the office and mobile workforce, COVID-19 has created a BYOD use case that no CISO in their right mind could ever have foreseen: letting an employee use their personal device to deliver corporate services in B2B and B2C environments. Fortunately for my stakeholders, I have many times been accused of not being in my right mind – because I focus on preventing threat use cases and do not focus on the “low risk-tolerance” for the BYOD form factor. In fact, with BYOD, I believe there is an approach that could prove as secure as using a corporate device at home.
What are the Work-From-Home Risks?
I have always tried to analyze cyber risk from the attacker’s point of view. As I consider these BYOD threat use cases, the first question I try to answer is -- what are the most likely avenues for attacking a work-from-home BYOD system?
Here are the use cases I believe pose the greatest risk:
- A threat is already waiting for you on a compromised BYOD (e.g. keylogger, other surveillance tools)
- Rogue access to the company infrastructure from a compromised BYOD to breach data on the network
- Breach of corporate data residing on the BYOD
- Impersonation of your employee on the BYOD connection
- Rogue employee activity (e.g. taking pictures of data or downloading data to external or cloud storage)
7 Steps for Addressing These Threats
With today’s new normal, many companies will likely have to hire employees virtually, never actually meeting them in person. Sending that ever-virtual employee expensive IT equipment -- costing anywhere between $1000-$4000 -- can introduce significant financial risk. Instead, what if that virtual employee could use their own personal device (BYOD)? I believe that it is possible if you address the threats listed above.
1. Use security software to confirm the BYOD is not compromised before your corporate applications are delivered.
2. Next, isolate the employee’s personal use of their BYOD from your business use of the machine. You can do this with software loaded on the BYOD or a thumb drive with virtualization software. This essentially creates a virtual machine within the BYOD so the employee cannot use the machine for personal use while logged in for work.
3. Ensure the isolation software or thumb drive device you use to isolate the BYOD also locks down the external connections to just the ones you need for your corporate use (e.g. keyboard, mouse, USB for headset only, web camera).
4. Connect to your corporate network using Multifactor authentication.
5. Deliver your corporate application and desktop via Virtual Desktop Infrastructure with all of the same security technology you use for your corporate devices (e.g. Endpoint detection and response, Data Loss Protection, Web Proxy, vulnerability management).
6. Use anomaly detection software to visually confirm the person sitting behind your corporate virtual machine is the employee using facial recognition throughout the workday (if local privacy laws allow).
7. If your workloads require a clean desk policy (e.g. Payment Card Data handling), leverage some of the new security technology that uses AI and ML to detect insider threat use cases (e.g. taking pictures of the screen with a mobile phone).
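As an added illustration of steps 1 and 3 (this is example code, not Teleperformance’s own tooling), the following Python posture gate runs before the isolated VDI session is allowed to start: it consumes a constructed pre-launch scan report and an enumerated USB device list, and refuses the session unless the scan is clean and every attached device exposes only keyboard/mouse, audio or video interfaces. The report fields, the patch-age threshold and the sample devices are assumptions; the USB class codes are the real USB-IF values.

```python
"""Pre-launch BYOD posture gate (added example, not the original page's code)."""
from dataclasses import dataclass

# USB interface class codes (USB-IF defined values)
USB_AUDIO, USB_HID, USB_MASS_STORAGE, USB_VIDEO = 0x01, 0x03, 0x08, 0x0E
ALLOWED_USB_CLASSES = {USB_HID, USB_AUDIO, USB_VIDEO}  # keyboard/mouse, headset, webcam
MAX_PATCH_AGE_DAYS = 30                                # assumed policy threshold


@dataclass
class UsbDevice:
    name: str
    interfaces: frozenset   # class codes of every interface the device exposes


@dataclass
class PostureReport:      # constructed report shape, not a vendor format
    scan_verdict: str       # "clean" or "infected" from the pre-launch scan
    edr_running: bool
    disk_encrypted: bool
    patch_age_days: int
    usb_devices: list


def evaluate_posture(report):
    """Return (allow_session, findings); every check runs so the user sees all reasons."""
    findings = []
    if report.scan_verdict != "clean":
        findings.append(f"pre-launch scan verdict is '{report.scan_verdict}'")
    if not report.edr_running:
        findings.append("endpoint protection agent is not running")
    if not report.disk_encrypted:
        findings.append("host disk is not encrypted")
    if report.patch_age_days > MAX_PATCH_AGE_DAYS:
        findings.append(f"OS patches are {report.patch_age_days} days old")
    for dev in report.usb_devices:
        # A composite device is judged by ALL its interfaces: a "headset" that
        # also exposes a mass-storage interface is still a data exfiltration path.
        extra = dev.interfaces - ALLOWED_USB_CLASSES
        if extra:
            classes = ", ".join(f"0x{c:02X}" for c in sorted(extra))
            findings.append(f"USB device '{dev.name}' exposes disallowed class {classes}")
    return (not findings, findings)


# Constructed sample: an otherwise clean host with one device hiding a storage interface
SAMPLE = PostureReport(
    scan_verdict="clean", edr_running=True, disk_encrypted=True, patch_age_days=12,
    usb_devices=[UsbDevice("keyboard", frozenset({USB_HID})),
                 UsbDevice("webcam", frozenset({USB_VIDEO, USB_AUDIO})),   # cam with mic
                 UsbDevice("headset", frozenset({USB_AUDIO, USB_MASS_STORAGE}))])

if __name__ == "__main__":
    allowed, reasons = evaluate_posture(SAMPLE)
    print("allow" if allowed else "deny", reasons)
```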
How Did Teleperformance Address These Threats?
Identifying if a BYOD is compromised
We address this with a security scan of the machine before we start the isolation software.
Preventing rogue access to the company
Multi-factor authentication with a virtual private network or Secure Access Service Edge (SASE) is an effective control to a very high degree of certainty when properly implemented.
Breach data residing on the machine
With the use of a virtual desktop infrastructure, there is never any data on the BYOD.
Breach of data on the corporate network
With a properly configured virtual desktop, the security controls (e.g. EDR, DLP and web proxy) on the desktop and the lockdown of the device ports make it very unlikely that a rogue employee can extract the data. This should be regularly tested to ensure your controls and lockdowns are functioning as expected.
Impersonation of an Employee
Leveraging facial recognition software throughout the workday (where privacy laws permit) will ensure the person sitting behind the BYOD is your employee.
Rogue employee activity
This is an exciting and emerging technology in the cybersecurity space. Through artificial intelligence and machine learning, the web camera (if privacy laws permit) can examine the employee’s workspace for compliance with a “clean desk policy”, and can even send an alert if a second person is seen behind the computer, or if the employee is using a mobile phone to take pictures of the screen.
“If you know your enemy and know yourself, you need not fear the result of a hundred battles.” - Sun Tzu, history’s most quoted Chinese military strategist
Human needs, preferences, and behaviors are changing and, along with them, business models must also evolve and adapt. It is estimated that these past months have accelerated digital transformation and remote work models by 5-10 years, leading to:
- 33% of the U.S. labor force is already working remotely full-time, with an additional 25% doing it sometimes, according to a recent Gallup survey.
- Gallup also confirmed that about two-thirds of remote workers want to continue to work remotely.
- From a more worldwide perspective, Global Workplace Analytics predicts that 25-30% of the global workforce will be working at home on a multiple-days-a-week basis by the end of 2021.
So, continuing to manage remote employees at scale is undoubtedly going to challenge IT and security teams for the foreseeable future. And, while this approach to using a BYOD of a virtual employee might not meet the risk tolerance for everyone, I am confident that it can be done securely with the right architecture, and by using security and privacy-by-design as the guiding principles.