How a BYOD Telework Policy Could Put Your Agency at Risk

More than one-third of the American workforce has worked remotely, a Gallup poll finds -- but accessing an employer’s assets via smartphone, tablet or laptop could make the organization vulnerable to cyberattack.

The National Institutes of Standards and Technology is revising its guidance on telework to address the cyber risk associated with “bring your own device” policies. This week, NIST issued a draft of the revision.

Nextgov spoke with NIST researcher Murugiah Souppaya about safe teleworking. This conversation has been edited for length and clarity.

NG: Tell us about the threat landscape. Why can BYOD be risky?

MS: End-user devices are spread out, outside of what I call the “trusted boundary,” the enterprise network. The exposure is a lot higher, because of the level of access and the type of data that the user can get to from the devices. It opens up a larger attack surface for the organization.

NG: NIST’s original teleworking guidance was issued in 2009. Why is NIST just now updating it? Is there an increased threat to organizations allowing telework and BYOD?

MS: Back in 2009, 2010 was the introduction of smartphones and all those devices. We didn’t really cover that space in the original publication. We’ve been working on updating these publications for a while now, for over a year.

A lot of the attack vectors are coming in from the end-user devices that are outside of the corporate network. People are using these devices at home, on the road.

NG: So, what are the challenges of implementing BYOD policy safely?

MS: A lot of organizations are moving toward that model because of user demands. Users these days have access to some really nice consumer devices. Consumers update their devices more often, and those devices are getting a lot of capabilities on them.

The challenges with organizations is the device, because the organization does not have physical control over them. They try to minimize risk ... to at least try to isolate or segregate the corporate data and application away from the general purpose operating system.

There’s always this notion that they’ll be saving money because they’ll no longer have to provide those physical devices, but on the other hand they need to enhance their security control capabilities.

NG: Even with these guidelines, is a BYOD policy inherently riskier than using agency-issued devices?

MS: I wouldn’t say it’s riskier. I would say organizations need to take a risk-based decision to decide if they want to allow access to enterprise data and applications. Organizations may decide not to give the end-user access to everything.

For example, if it’s government-furnished equipment, they have much better control over that device because they provision it. They manage it, they can have full access to that device, which means they can do better enforcement of the security control around those devices.

But if the user is using their personally owned device, the organization may want to minimize the risk and only allow the user, on a potentially untrusted device, to have less access to sensitive information.  

[Organizations] also want to make sure they have documented policy and processes so that the system owner or the data owner or the decision-maker within that organization understands the type of risk they’re accepting.

The idea is not really for the organization to go out and build brand-new infrastructures and get a whole new set of resources and people to manage it. It’s more about leveraging what they currently have and adding some additional capabilities.