Exploring the security of phones in the workplace and smart devices
Continuing the National Cybersecurity Awareness Month (NCSAM) discussion about cybersecurity and how to implement measures to keep yourself and those you love secure, consider how you use your phone at work and how you use internet-connected devices. Both are playing an increasing role in our daily lives: they are how we access our company email, log into our work computer, check the door and adjust the temperature in our homes.
Starting with how we use our phones, this is part of a movement called Bring Your Own Device (BYOD). The intention of such programs is to save companies money by not having to buy a computer or phone to issue to employees. Companies like AirWatch, Good, Citrix and others made it more attainable for businesses to implement this securely.
Bring Your Own Device or Bring Your Own Disaster?
You can use your personal phone or computer to access the company’s resources and the company has some control over your device. Policies around BYOD are part of the compromise between both parties in using their phones, tablets or computers on the corporate network. When connecting to corporate Wi-Fi, there is an element of BYOD introduced. From a personal use perspective, the decision to join a personal device to an employer’s wireless network should be thought out carefully.
On the one hand, consider your privacy. On the other hand, think of your company and its interests. From the perspective of your privacy, it makes sense to avoid searching for any personal terms or visiting any objectionable sites on your phone. If you wouldn’t do it on your work computer, it is probably a bad idea.
From the lens of the company, they have to make sure that their infrastructure and data are secure. Secondarily, they are paying employees to perform a service. Excessive time on personal devices is time away from that, yet still compensated.
In short, decide why you want to connect a personal device to a corporate network and what you plan to do on it. If you lack cellular reception at your desk and you want to stream music, but not browse the web, that makes sense.
The (in)Security of the Internet of Things
Shifting the discussion, another thing to consider during NCSAM is internet-connected devices. Other terms for these devices may be smart devices or the Internet of Things (IOT). In 2019, we have intelligent doorbells like Ring and Nest. Refrigerators have built-in cameras and tablets to help with meal planning and inventory. Grills and water heaters have internet connections now.
The issue with IOT is that it sacrifices varying levels of security for convenience. Using IOT thermostats as an example, a person can change the temperature setting in a room merely by walking in with their phone or via a mobile app.
While it is nice to adjust the temperature in the living room from your bedroom, the issue lies in the security of the devices themselves. Many are rushed to market to be a first or second mover. Often, these devices are discovered to be using insecure protocols, to have hard-coded passwords or to create open connections to the internet without any authentication required.
Criminals may have an interest in a home security system or smart doorbell, but that is only the tip of the iceberg. In 2016, the Mirai botnet wreaked havoc across the internet. This army of compromised systems primarily consisted of IOT devices. The source code of Mirai was open-sourced and continues to be relevant three years later. Mirai gives criminals free processing power to commit crimes and disrupt organizations, and it is enabled by a failure to integrate security into the system development process.
It is also essential to consider that a malicious actor could be watching your every movement in your home remotely, as some IOT devices include cameras. Given the insecure nature of IOT, this could be a criminal across town or an adversary that is seeking to find something compromising. They may attempt either to blackmail you or to sell what they find without your knowledge or consent.
From a home internet perspective, segregating the IOT devices to their own dedicated network (with or without internet connectivity) is the best option if you are going to use such devices. With some of the smart devices, you may have to find a workaround for them to have full functionality since they typically require an internet connection.
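One way to express the segregation described above on a Linux-based home router that uses nftables. This is an added example, not part of the original article; the interface names (`wan0`, `lan0`, `iot0`) and the layout of one trusted network plus one IoT network are assumptions to adapt to your own router.

```nftables
#!/usr/sbin/nft -f
# Added example. Assumed interfaces (rename to match your router):
#   wan0 = uplink to the ISP
#   lan0 = trusted network (laptops, phones)
#   iot0 = dedicated IoT network (its own SSID or VLAN)
# "flush ruleset" replaces any rules already loaded on the router.
flush ruleset

define WAN = "wan0"
define LAN = "lan0"
define IOT = "iot0"

table inet home {
    chain input {
        type filter hook input priority filter; policy drop;
        ct state established,related accept
        iifname "lo" accept
        # Trusted devices may manage the router.
        iifname $LAN accept
        # IoT devices get DNS and DHCP from the router and nothing else
        # (no admin page, no SSH).
        iifname $IOT udp dport { 53, 67 } accept
        iifname $IOT tcp dport 53 accept
    }

    chain forward {
        type filter hook forward priority filter; policy drop;
        # Replies to connections that were allowed to start.
        ct state established,related accept
        # Trusted devices may reach the internet and may open
        # connections to IoT devices (for example to a camera's app port).
        iifname $LAN oifname { $WAN, $IOT } accept
        # IoT devices may reach the internet only. Delete this rule for
        # the "without internet connectivity" option.
        iifname $IOT oifname $WAN accept
        # Anything else, including IoT -> trusted network and new
        # connections arriving from the internet, falls to policy drop.
    }
}

table ip nat {
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        oifname $WAN masquerade
    }
}
```

With these rules a compromised smart device can still talk to its cloud service, but it cannot open connections to the laptops and phones on the trusted network or to the router's own management interface.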
In conclusion, these privacy concerns are relatively simple. A happy medium can be found. It is better to work out how to use something that poses some security risk than to forbid the use of such devices explicitly. Prohibiting the use of technologies or devices opens the door to rogue devices.