For decades cyber security professionals have been addressing the issues of employees bringing their own devices to work. Called BYOD for “Bring Your Own Device”, IT departments have dealt with employee phones, tablets, and laptops.
When an employee brings a device to a workplace there are many potential issues. For instance, does that device have the proper up-to-date antivirus? Can it be used to exfiltrate (copy out) company or agency data? How should it be connected to the corporate or agency network?
Fortunately, many of these issues are addressed by best practices outlined in NIST Special Publication 800-46 (which also deals with many remote access issues) and wile ISO 27001, does not directly address BYOD, it does cover mobile devices and related issues.
But what happens when an employee brings home a laptop or tablet from work? How should that device be connected to the employee’s home network and how can the work and home networks be protected from each other?
The first issue is the physical security of the device. The Society for Human Resource Management (SHRM) has a physical security policy for employee use of company devices. I also addressed some aspects of physical security for corporate devices in a recent post here.
But the cyber security issues are important, too. Most employees will have a single internet connection to share between home use and business use. That means the corporate computer needs to be connected at least somehow to the user’s home network. The work computer or computers must be firewalled from the personal home network. This is easily accomplished with a SOHO router perhaps of the type also used as a wireless access point. That can be used to create a separate wireless network for work which can have strong access controls (at least a complex password!).
One feature of the configuration must be that the home and work computers cannot “see” each other. This prevents the accidental or intentional exchange of data between the environments. Of course, this does not prevent data exchange with e.g. flash drives, and employees should be taught the dangers of that transfer. The computers and mobile devices on the home network must also run up-to-date anti-virus and personal firewall software.
Users of the home network must not be given access to the business wireless network. Likewise, users of the business network must not use those devices on the
home network. Unfortunately, it is difficult and time-consuming for corporate or agency IT departments to enforce these rules. They may be able to look at some logs, for instance, but that could be resource prohibitive. Effective user training is essential here.
Some employers have tracked the activities of employees who work from home. That tracking has generally focused on ensuring employees are actually working. Some employers install software on company computers used at home to ensure they are not used for inappropriate purposes. Specifically, that employees do not violate the organization’s Acceptable Use Policy (AUP).
Users should also connect to dedicated corporate sites or via a VPN (Virtual Private Network). This helps ensure that all communication is private and that the work computer is authenticated to the company or agency network. The VPN or dedicated host should only be accessed with the provided computer or a personal one otherwise approved.
Different organizations will have different cyber security needs. Some will be much more restrictive than others. It is important, however, for organizations to develop policies to address the expanded use of company computers at home and how they are managed.
To your safe computing,