The BYOD and IoT issues in the Business Environment.
Aaron Yazzolino
GMP Systems Engineer | Senior Systems Analyst | IT Services & Consulting | Army Veteran
BYOD and IoT effects
Aaron Yazzolino
Whatcom Community College
CIS-499 Capstone
Professor Wills-Ford
5/3/2020
Content/Abstract
Introduction and Scope
Background of the Problem
What is the Need for a Solution?
IT Problem Statement, The Deep Dive
Glossary of Technical Terms Used
Relevant Business Factors and Drivers
Works Cited
Abstract
This paper will cover the Internet of Things and the issues caused when Bring Your Own Device (BYOD) and other IoT devices meet the modern business network environment. Before the IoT revolution of Bluetooth-connected coffee mugs and office fridges that alert when the coffee creamer is low, things were simple and we only had to worry about threats coming in from the outside. In today’s age, we must also worry about the connected devices within a domain. In this new era, the problem lies in how we handle these devices in the domain: with audits, policies, proper training, firewalls, IDS, properly set up networks, and artificial intelligence filtering, just to name a few options. This paper identifies a range of security and safety concerns that arise from these developments with modern BYOD and IoT devices.
I am going to focus on two separate areas of the problem. The first is the employee not fully understanding the scope of the work they are doing and/or the policies and procedures (P/P) of the company, be it intentional carelessness with programming on the workstation, bringing a virus or malware into the domain by connecting their devices to the network, or using a secured laptop outside of the secured network environment. To help curb this problem, the company needs to ensure there is adequate training for new and current employees regarding proper handling of BYOD devices and company laptops and equipment, and what is acceptable under the policies and procedures. The IT department also needs to have an in-depth vetting process for all equipment being used in the BYOD capacity.
The second area of focus will be unauthorized access to the domain across different platforms: device data, physical networks, and websites. This could be as simple as a person walking by a car and stealing a laptop that happens to be a workstation and/or another control device. In Oct 2012, an unencrypted laptop containing sensitive information was stolen from a NASA employee. Say this laptop was from Hanford's 100 Area nuclear power plant and had programming logic and/or access codes for the plant. How damaging could this be? Very! Say it had remote access built in and someone was able to adjust or change parameters of running systems. This is just a small snippet of the kind of attack that we are dealing with. Now more than ever it is increasingly necessary to stay as far ahead of the threats as possible. They are not standing still, so you cannot afford to, either.
Introduction and Scope
The main objective of this paper is to explore the threat that IoT and BYOD bring to the modern business environment, and ways to better adapt and secure the networks and domains now that these devices are being used to access enterprise content and networks. BYOD offers several business benefits, like employee job satisfaction, increased job efficiency, and flexibility. However, allowing employees to bring their own devices into the fray can lead to a plethora of security issues, like data theft, unauthorized access, and malware/viruses being brought in. This paper will investigate the current security approaches and the options organizations can leverage, regarding policies, risks, and existing security techniques, to mitigate or halt these security challenges.
The rationale for this project
I decided to cover this topic due to the ongoing challenge it currently poses to every company. With each year bringing new and more advanced tech into the working world, one must keep on top of all the cutting-edge trends. From the complex networks of large businesses down to the smallest hobby shops of Main Street, they all have IoT and BYOD devices around, and the numbers are growing by the year. While this is improving the working world and productivity, it can also lead to its fair share of headaches. There is a demand for security solutions within business environments that can support multi-profile platforms and provide equivalent security levels for various device interactions. From physical controls to audit policies that cover internal and external domains, and from employees to customers to contractors, they all need to be covered. This is a complex and vast topic that will continue to grow and evolve constantly as time progresses, devices change, and our taste for IoT moves into all facets of our lives.
Problem Statement
Across all the Internet of Things services and BYOD floating around, there are numerous types of devices, like iPads, laptops, Bluetooth-connected coffee mugs, break room fridges, printers, and other devices, and the communication between things occurs through various network domains. This means that there are security risks in each device/network layer, and company/user privacy can be exposed through diverse routes. Therefore, all kinds of attack scenarios from the previous IT environment should be considered more seriously and with more concern. How can a company tackle this problem, what physical options are there, what policies can be enacted and written, and lastly, how can we train ourselves in best practices regarding this?
Background of the Problem
Physical: With IoT/BYOD there are some amazing advantages, but there are many concerns as well that come from people bringing their own devices. One of the biggest issues with IoT/BYOD is the higher security risk involved across multiple domains. Traditionally, security has been provided by techniques based on classical cryptography and physical and security controls. These security techniques were designed with an implied assumption that these domains were physically well-protected areas. However, many of the devices in the IoT are physically unprotected and easily accessible to a threat actor. For example, I currently work for the Veterans Administration and we recently installed a 3-in-1 printer in the front reception center, with all the IP, VLAN, network ID, and passwords on a label right on the front in the open. With this info out in the open, it is surprisingly easy to get into the networks and then jump around in the domain. Thus, security protocols for the IoT need to be immune to physical and side-channel attacks, in addition to providing anonymity, privacy, trust, and compliance with current policies and laws. Moreover, security protocols for the IoT must also have exceptionally low computational, memory, and power requirements, easing the strain on the network.
Auditing/Policies: Complex policies are in place over what can be done with devices on and off company time. So, if you use your company-issued laptop at home for accounting work or sensitive subject matter, you cannot have your kid writing a paper on it, or at least you must take steps to separate the accounts on said laptop or tablet. The current COVID-19 time we are living in has changed this and opened a new world of more people working from home. This opens the threat of the employee or contractor downloading viruses, worms, and malware targeted at remote workers. Targeted spear phishing is always an issue, along with man-in-the-middle attacks via SSH or Telnet into a company via the work-from-home groups. There is also the complexity that BYOD stirs up: Mac vs PC and Android, the software issues with current pricing, and how this will play into the policies and costs. How updates and patches are handled all needs to be written into the policy as well, and conveyed to employees along with how they play into this and their roles. However, it is not all bad and woes with BYOD.
With current cybersecurity policies and protections already in place, a properly conducted audit will provide recommendations for process improvements, along with giving the business a decent idea of what it is going to be working with moving forward in this new realm of IoT/BYOD. Modern IT audit teams run as a hybrid model. Another big focus of a proper audit and audit policy is getting the company in alignment with one of the cybersecurity/IT frameworks, such as the National Institute of Standards and Technology (NIST) and SysAdmin, Auditing, Network, Security (SANS) frameworks, or even COBIT.
This will focus on all domains of the business and reach out to third-party contracts and vendors. Modern companies have large, complex networks that generally present more potential exposure areas and risk domains. The audit team will promote the adoption of automated tools for analyzing contractor and vendor performance and implement them if they are not in place already. If they are in place, the auditing team/policy will assure their integrity and effectiveness. Once the audit is conducted, the team will then debrief and go over all the data and findings of the internal audit.
Education: This comes down to the education of the employees, from the CEO down to the mail clerk and everyone in between. With the increasing reliance on smartphones and tablets, cloud services, and the internet for communications, business organizations face growing threats from cyberspace and, from within, from uneducated and inexperienced employees. We as the IT dept, or IT person for that matter, are tasked with protecting sensitive data and information and other business assets and critical infrastructures. One of these large tasks is educating our peers about the ever-evolving landscape of threats that BYOD and IoT bring into the world.
We need to design and implement an information security education plan that ties in with current auditing reports and policies from within the company as well as with governing bodies. This can come from classes, emails, meetings, or any other means available to the IT department and/or the management in charge of the task of education. A basic example would be the implementation of Microsoft Authenticator for authenticating remote workers and their devices. An email goes out with instructions on how to use it and why it is needed, then a class can be held about the details, the whats and whys of the new tool. Simple steps like this can mean the difference between an employee having a full understanding of the problem and solution and an uneducated employee causing damage and a breach.
What is the need for a solution?
As touched on above, the need for a solution comes from the massive impacts on the business. If a breach were to happen, caused by a rogue device on the network that happened to slip through the cracks, the repercussions can be immense. The first question would be what was taken, if anything? It could be data, trade secrets, or client and/or patient information and records. Or it could be loss of revenue from a site or a web server being taken down. There is also the legal matter of breaches: the law does not care how it happened, only that it did. So, if the business can be proactive about the control of BYOD and IoT, this can help save the company in the long run. Legal battles and damage to a company's image can sometimes take millions of dollars and many years to fix or recover from, if the company can recover at all. The need for a solution is extremely high, and it should not be overlooked or looked down on as trivial.
How can the business grow from fixing this, and what are the benefits of the fix? These can vary from company to company and across industries. How the business reacts to the ever-changing tech field has a big impact as well. This can greatly affect whether the solution sticks and whether good policies and procedures hold to protect the company’s assets. If the company, at all levels, fails to react to the changes in the solutions laid out to address the matter, nothing will happen; well, things will, and none of it will be a positive outcome. How can a business achieve growth and gain from having these practices put into place, along with the money saved from not having the downtime and losses? We will touch on this in more detail below. But with education and clarity, this does not have to be a scary threat lurking in the pockets of the employees.
Reflecting upon concepts learned in the CIS classes
The biggest tie-ins would have to be the wireless class, auditing, and ICS architecture classes, along with a few in the associate’s program as well, since this has been one long 4-year ride. The wireless class is the biggest influence on this paper due to the amount of IoT we went over. From the smart home labs and reports we did to the wireless work with cell phones and Wi-Fi, this all pushed for a greater understanding of IoT and Bluetooth along with Wi-Fi. This comes into play with the ICS classes too, which went in-depth on attacks and ways into a network. Most relate solely to ICS networks, but the principles are mostly all the same, since most of these attacks can be found across varying types of industry and businesses, from oil refineries to mom-and-pop general stores. They are all affected by some type of IoT or BYOD threat.
The last, and almost as important, is the auditing class. Even though the class was almost completely useless as a class, it did open the avenue for more in-depth research on my own about the importance of auditing and the sheer magnitude of benefits that can come from it, from making sure your company is complying with local laws and mandates to adhering to government regulations, NIST, and other documents. A well-rounded, properly conducted audit and continuous auditing can save the company money along with time and stress. I feel this has a decent weight in this paper since it helps so much in auditing how a business deals with the BYOD problem.
In going over classes such as wireless, ICS, and auditing and compliance, the tech classes covered the technical side of the problem, and the audit and other classes covered the soft skills, the policies that need to be written, and items like NIST to adhere to. I feel I gave a well-rounded background to help with this paper and tie it all together.
Background information
In this section, I will dive deeper, in a more technical way, into the problems that BYOD and IoT cause in the business environment. I will also explore some of the solutions available for the BYOD and IoT problem. While the above was a quick, streamlined, semi-detailed breakdown, this section will go over the major causes, fixes, and concerns the topic brings. There will also be a look into a couple of case studies and/or papers regarding this matter.
“It is estimated that the number of sensors and corresponding devices in the Internet-of-Things (IoT) domain is projected to grow beyond 1 trillion devices by 2030 (and beyond). While this opens up immense economic opportunities and improved services or even significant changes to society, the proliferation of such devices can also raise significant security concerns.” (1)
This puts into perspective just how big of a deal IoT and BYOD are in the modern working world. With the sheer number of devices floating around, and now that we are living in a pandemic Covid-19 world made up of remote workers, this adds a whole new dimension to the battle.
These attacks normally happen as a multistep process, in a 6-part attack: 1. Reconnaissance, 2. Weaponization and Delivery, 3. Exploitation, 4. Installation, 5. Command and Control, 6. Actions on Objective.
Causes of the problem or technology issue
What is the in-depth reason for this? Why, in detail, are BYOD and IoT a threat to the business environment, and how can they be used to disrupt all the things? This section will go over in detail the types of attacks, the reasons behind them, how they will affect the network, and how the tech leads to this happening via Bluetooth, wireless, etc. This is going to be the full-blown HOW this is an issue.
Starting with the reconnaissance phase, this is where the attackers pick the target and start looking for ways in. In this case, it will be using a smartphone or smartwatch to start probing and lightly scanning the networks and firewalls. There are ways to run Nmap on an Android device, along with a few other tools used to scan TCP/IP ports, WPA/WPA2, and open networks, and get a general lay of the land. This can even be done completely passively. There is a Bluetooth-controlled coffee mug… yes, you read that right. Ember makes a few different models: one is an all-in-one and the other is a cup and a base station. This can lead to someone walking around with this coffee cup scanning away and/or deploying a packet to a target device. These are controlled mostly via a smartphone app with different levels of access to the phone. So, this is connected to the network, and once in the network, you can move around within it. This is more of an issue with remote workers, since some companies' VPNs and/or SSH networks are not set up properly.
Moving on to the second stage, weaponization and delivery. This is when all the data collected is compiled and the attackers decide their next moves: how they will attack and using what methods. So now we have scanned the network we wish to get into and have a decent idea of the lay of the land. Now we must get in, and with the coffee mug and the smartwatch used as examples, we now have a mobile hacking station. Let us take my work at the VA Vet Center as an example; moving on, we will use my work as the business.
We recently got new copier/fax all-in-ones networked into our office network, which is shared with all doctors, managers, and records since we are a small site. As protocol, we have the IP, subnet, VLAN, MAC address, and call routing information on a label on the front of the device. So it would not take much to get into this network and dive around. Once the scan maps the area, we can then go after, say, patient records and data, all protected under HIPAA. By attacking the open ports, we can now run a small program to create a backdoor within the network. Now that the attacker is in the system, this moves us on to the next stage of the attack, exploitation.
Now that the attacker is in, they need to look around, explore, and see where they are and how to navigate within the network. Now that they have a backdoor and are in the network, they can use it right away, let it sit dormant, and/or slowly leak information back to a computer off-site. The attacker could then decide whether to go for records or whatever the target was from here. The big problem with IoT and BYOD is not only the problem in the office but also at home with remote workers. They are the target: they download an app on the phone that acts as the middleman for an attacker. Say the attacker wanted to steal IP from Boeing or a defense contractor. Because the Play Store on Android is not a vetted platform, anyone can throw an app up there, be it a solid one or a rogue one.
This brings us to our first section on ways to fix this; we will get back to the attack stages shortly.
The company needs to have solid vetting/onboarding by the IT Dept for all IoT and BYOD devices. There needs to be ongoing training for employees and contractors as well about the current and ever-changing threat that IoT and BYOD bring to the table. One example is to limit what brand of phone or tablet can be used for work. Apple and Samsung are some of the best, while Huawei is the worst and has been banned from DOD and Gov depts. due to its ties with China and leaking information. There need to be solid policies and procedures in place to limit, and educate employees on, what applications and programs are trusted and accepted to be downloaded onto a device used for work-related tasks, such as the example listed below for a healthcare company.
i. All employees must report to the IT department to enroll in the BYOD program, receive security updates, agree to remote access to the device, allow blocking of the user's ability to delete data, install specific software such as remote logging and wiping functionality, and complete a final check of the company-supported setup of the device. All devices must be password protected by PIN and biometrics, and for applications used on BYOD devices an authenticator must be used to access folders, files, data, and apps used for official use. NFC must be disabled at all times when using a BYOD device for any business use. No jailbreaking of devices is allowed, and all devices must be on the current update and/or the most recent update approved and recommended by the IT dept. Download and run apps only from authorized app stores and trusted sites. Use an isolated, protected, and encrypted environment that is supported and managed by the organization to access the organization's data and services. Information on this will be provided in the subsection of the policy; if you have any questions, please see your direct supervisor and/or submit a help desk ticket.
With these things in place, along with a robust audit schedule and in-depth sweeps, you can try to limit the impact of the IoT and BYOD threats a company faces. The IT Dept and direct supervisors will conduct entry and exit meetings with all staff and vendors using BYOD to ensure all data is removed and/or devices are properly configured to meet all rules stated in the enacted policies. Enforcement and monitoring software will be used to ensure all policies and rules are being followed and to check for issues, along with monthly or bi-monthly scheduled audits and random audits of all BYOD devices. DevOps will also continue to improve the BYOD experience and offer better and safer ways to secure the network and all BYOD items.
Current business network environments include such physical devices as Intrusion Detection Systems (IDS), firewalls, and other devices on the market that help with IoT and BYOD security by adding control over the network and allowing proper authentication and secure connections to be made. That being stated, there is much more to dive into, including how the networks are physically built and what architecture models to use.
Now to move on to physical, more tangible protections for the business network and/or the home network for our WFH folks. Real-time network traffic monitoring, along with peripheral scanning of the wireless access points (APs) within the network, should be performed regularly by the IT dept. Cisco Meraki has a very robust suite that the IT dept can use to perform this and to make sure the APs are acting as they should. You can have the network flood a rogue AP and/or device in the network to prevent intrusion onto the network from it.
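The periodic access point scan described above comes down to comparing what is heard on the air with what IT actually installed. The following is an added example, not part of the original paper and not Cisco Meraki's own logic; the inventory, SSIDs, BSSIDs, signal threshold, and scan records are all constructed assumptions.

```python
from dataclasses import dataclass

# Constructed inventory (assumption): SSIDs IT operates, the BSSIDs (radio MACs)
# installed for each, and the encryption modes each SSID may advertise.
AUTHORIZED_APS = {
    "corp-staff": {"bssids": {"aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"},
                   "encryption": {"WPA2-Enterprise", "WPA3-Enterprise"}},
    "corp-guest": {"bssids": {"aa:bb:cc:00:00:11"},
                   "encryption": {"WPA2-PSK"}},
}
# Assumed threshold: a signal this strong is probably inside the building.
ON_PREMISES_RSSI_DBM = -55
# Categories worth an analyst's time, most serious first.
SEVERITY = ["evil_twin", "encryption_mismatch", "unapproved_ssid",
            "unknown_on_premises"]


@dataclass(frozen=True)
class Beacon:
    ssid: str
    bssid: str
    encryption: str
    rssi_dbm: int


def normalize_bssid(bssid):
    # Scanners report MACs in mixed case and with either separator.
    return bssid.strip().lower().replace("-", ":")


def classify(beacon):
    bssid = normalize_bssid(beacon.bssid)
    # Case and whitespace variants of a corporate SSID still claim to be it.
    profile = AUTHORIZED_APS.get(beacon.ssid.strip().casefold())
    if profile is not None:
        if bssid not in profile["bssids"]:
            return "evil_twin"            # corporate name, radio IT never installed
        if beacon.encryption not in profile["encryption"]:
            return "encryption_mismatch"  # our radio, weakened or altered config
        return "authorized"
    if any(bssid in p["bssids"] for p in AUTHORIZED_APS.values()):
        return "unapproved_ssid"          # our radio broadcasting an unknown network
    if beacon.rssi_dbm >= ON_PREMISES_RSSI_DBM:
        return "unknown_on_premises"      # e.g. a personal router plugged in at a desk
    return "neighbor"


def findings(scan):
    """Return (category, beacon) pairs needing follow-up, worst first."""
    flagged = [(classify(b), b) for b in scan]
    flagged = [(c, b) for c, b in flagged if c in SEVERITY]
    return sorted(flagged,
                  key=lambda item: (SEVERITY.index(item[0]), -item[1].rssi_dbm))


# Constructed scan results for illustration.
SAMPLE_SCAN = [
    Beacon("CORP-STAFF", "AA-BB-CC-00-00-01", "WPA2-Enterprise", -48),
    Beacon("CORP-STAFF", "de:ad:be:ef:00:01", "WPA2-PSK", -40),
    Beacon("CORP-GUEST", "aa:bb:cc:00:00:11", "OPEN", -60),
    Beacon("PrinterSetup", "aa:bb:cc:00:00:02", "OPEN", -50),
    Beacon("HomeRouter-5G", "12:34:56:78:9a:bc", "WPA2-PSK", -45),
    Beacon("CoffeeShopWiFi", "66:77:88:99:aa:bb", "WPA2-PSK", -82),
]

if __name__ == "__main__":
    for category, beacon in findings(SAMPLE_SCAN):
        print(f"{category:20} {beacon.ssid:15} {beacon.bssid} {beacon.rssi_dbm} dBm")
```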
The other side is the Zero Trust approach, a framework produced in 2009 by John Kindervag of Forrester Research. “Created as unmanaged mobile devices started entering the workplace, Zero Trust stated that all network traffic be deemed untrusted and established that organizations needed to deploy specific measures to protect themselves.” (3) This has influenced my way of securing networks and handling the problem, along with that of my educators. I believe this is the more widely used and accepted model in dealing with modern BYOD and IoT threats. As spoken of above, onboarding devices and having the IT dept. give the go-ahead to bring them onto the network is important; just as important is proper network segmentation, separating the day-to-day from the protected departments and/or data.
Having the ability to segment different devices into different network segments forms the foundation of the robustly secured network that modern businesses need to achieve their high levels of functionality. By ensuring all BYOD and IoT devices are connected to secure and monitored network segments, businesses can then enforce stricter controls and apply the appropriate BYOD/IoT policies, such as strictly enforcing granular access control once a device has been allowed onto a network segment via secure authentication and access control.
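As an added example (not part of the original paper), the sketch below ties the sample BYOD policy above to the segmentation described here: a device's reported posture is checked against the policy rules, the result decides which segment it lands on, and traffic out of each segment is denied unless explicitly allowed. The field names, minimum OS versions, segment names, destinations, and ports are constructed assumptions.

```python
# Constructed values (assumptions): IT-approved minimum OS versions, app sources,
# segment names, and the per-segment allow-list of (destination, port) pairs.
MIN_OS_VERSION = {"ios": (13, 4), "android": (10,)}
AUTHORIZED_APP_SOURCES = {"apple_app_store", "google_play", "company_portal"}
SEGMENT_ALLOW = {
    "byod": {("work-apps", 443)},
    "iot": {("iot-gateway", 8883)},
    "quarantine": {("remediation-portal", 443)},
}


def parse_version(text):
    """Turn '13.4.1' into (13, 4, 1); return None if it cannot be parsed."""
    try:
        return tuple(int(part) for part in str(text).split("."))
    except ValueError:
        return None


def byod_violations(device):
    """List the sample-policy rules a device posture record fails."""
    found = []

    def require(key, expected, message):
        # A missing or unexpected value counts as a violation (fail closed).
        if device.get(key) is not expected:
            found.append(message)

    require("enrolled_with_it", True, "not enrolled in the BYOD program")
    require("pin_set", True, "no PIN")
    require("biometrics_set", True, "no biometrics")
    require("authenticator_configured", True, "no authenticator for work apps")
    require("remote_wipe_installed", True, "remote logging/wipe software missing")
    require("nfc_enabled", False, "NFC enabled")
    require("jailbroken", False, "jailbroken or jailbreak status unknown")

    minimum = MIN_OS_VERSION.get(device.get("os"))
    version = parse_version(device.get("os_version"))
    if minimum is None or version is None or version < minimum:
        found.append("OS not on an IT-approved update")

    sources = device.get("app_sources")
    if sources is None or not set(sources) <= AUTHORIZED_APP_SOURCES:
        found.append("apps from unauthorized sources")
    return found


def assign_segment(device):
    """Pick the network segment; anything that fails its checks is quarantined."""
    if device.get("kind") == "iot":
        return "iot" if device.get("enrolled_with_it") is True else "quarantine"
    return "quarantine" if byod_violations(device) else "byod"


def is_allowed(segment, destination, port):
    """Default deny: only flows on the segment's allow-list pass."""
    return (destination, port) in SEGMENT_ALLOW.get(segment, set())


# Constructed posture records for illustration.
COMPLIANT_PHONE = {
    "kind": "byod", "enrolled_with_it": True, "pin_set": True,
    "biometrics_set": True, "authenticator_configured": True,
    "remote_wipe_installed": True, "nfc_enabled": False, "jailbroken": False,
    "os": "ios", "os_version": "13.4.1",
    "app_sources": ["apple_app_store", "company_portal"],
}
OUTDATED_TABLET = dict(COMPLIANT_PHONE, os="android", os_version="9.0",
                       nfc_enabled=True,
                       app_sources=["google_play", "sideloaded_apk"])
UNKNOWN_DEVICE = {"kind": "byod"}   # connected without ever visiting IT
OFFICE_PRINTER = {"kind": "iot", "enrolled_with_it": True}

if __name__ == "__main__":
    for name, dev in [("phone", COMPLIANT_PHONE), ("tablet", OUTDATED_TABLET),
                      ("unknown", UNKNOWN_DEVICE), ("printer", OFFICE_PRINTER)]:
        print(name, "->", assign_segment(dev), byod_violations(dev)
              if dev.get("kind") != "iot" else [])
```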
The business impact of the problem
How is the business affected by this? What are the implications if an attacker gets into the network and takes any form of data, IP, money, or records, or takes any number of other actions? This can lead to job losses, legal issues, HIPAA and local and federal privacy violations, and data/IP being removed from the company. What could be the fallout from this, and how could the business recover? Were proper recovery plans in place, were they followed, and how well?
Data breaches are not a simple concept of “Oh well, someone got in and took some things or breached our defenses.” They are multifaceted and deeply problematic. The biggest hit from a breach caused by a rogue BYOD/IoT device is the financial loss to the business.
“Studies show 29% of businesses that face a data breach end up losing revenue. Of those businesses, 38% experience a loss of 20% of more. Additionally, according to the 2018 Cost of Data Breach Study, the average cost of a data breach in the U.S. is $7.91 million.” (9)
This then moves us to the reputational damage from the breach, be it with the consumer, the shareholders, or a government agency that works with the business. Take the Home Depot and Target breaches, for instance. Granted, these were not BYOD issues, but they serve as a study in reputational damage. Home Depot's breach happened back in 2014 and Target's in 2013. Home Depot had a very robust business continuity plan and disaster recovery plan; Target did not. How each company reacted set the tone for how the public, in general, reacted to it. Target is still hurting to this day over this breach due to its poor handling of the situation, whereas with Home Depot everyone all but accepted it and moved on, with high brand trust and reputation still intact.
The other major problem is disruption of normal operations, be that from a network that was brought down, time spent patching and fixing the network, or the loss in productivity due to, say, stolen or deleted IP. According to inc.com, 60% of SMBs close just six months after a cyber-attack due to how devastating they can be if the business is not prepared for the outcome. Lastly, there are the legal ramifications of a breach. Legal fees, payouts to consumers, fines, and lawyer costs can run into the millions. Say you are a medical company and your records are breached: you are now in violation of HIPAA, and there can be an exceptionally large penalty per patient record that was stolen. The legal right to keep your company operational also comes into play after a breach.
In closing, the business impact of a seemingly small breach can be quite high, and enough to shut down a business that is not prepared for the impact such a cyber attack can have. It takes just one time for, say, a contractor to connect to a network and the ball is rolling on the attack, in a matter of seconds, if the company is not fully prepared to handle the new world of BYOD/IoT.
Cost analysis for implementation
The cost analysis is the projected cost of implementing a solution. How much is the audit going to be? How much are the hardware, IDS, etc. going to cost, along with training the employees and contractors and writing new policies, and what will be the breakdown of how much this “fix” will cost the company? The first cost will be implementing and managing the solution, such as new IT staff and/or cloud service costs such as Cisco Meraki or similar options. The next is how much it will cost to implement the policy itself and audit the business: will the company have to hire an outside auditor and a person to write the policy, or will it be done in-house? This needs to be addressed to shape the program, be it in-house or contracted, or even, say, a once-a-year outside audit. Added to this is the cost of staff for maintaining the systems: is the current IT dept. up to the task? Will the business need to add more staff or outsource to the cloud? These questions need to be asked in a realistic sense: will the current staff get burnt out from dealing with too much, and is a new, say, security dept needed?
Along with the human cost, there are also the added costs of enterprise software licensing and increased network traffic. Can the current ISP handle the traffic, which will increase along with remote workers as well? The last two cost areas are risk management expenses for developing or editing a business continuity plan and risk management strategies, and any internal software and/or apps that need to be developed for this to take place. The one big plus is that happier employees are more productive employees. If they like working on a certain brand of phone, or prefer Mac vs PC, then they can work accordingly and with more productivity since they are familiar with the devices.
Risk analysis for implementation
This section will go over the risks of implementation: what could go wrong? What could happen once we add things to the network, policies, and laws, along with the disruption to the company of starting the protections and fixes? These include network downtime, the cost of auditing, the start-up cost for APs and IDS in the network, and having to hire an admin or more IT staff and/or bring in an outside company. A comprehensive risk analysis and change orders need to be completed alongside the audit and the drafting of the BYOD/IoT policies and strategy.
The first big risk is that anytime a new device, program, app, and so on is introduced into a working network, there is a risk it will take down the system and/or not play nice. Proper testing in a sandbox environment and proper vetting need to be done before introduction to the domain. There is also the planned downtime that comes from adding new items to the network, which can disrupt current business if done at the wrong time. So careful planning needs to be done to reduce the risks and chances of business outages.
Then there is training the employees about the new hardware, policies, staff, laws, network usage, and the like. This must be done over time, and there is a human risk that comes with it. With the human element, there is the chance of people not paying attention or misunderstanding the policies and new changes, thus causing outages and/or introducing threats into the domain. The IT dept. or project leads need to be able to determine the ability of the personnel to detect and respond to these new changes and adjust as needed.
Glossary of technical terms used.
- BYOD Bring Your Own Device
- IoT Internet of Things
- IT Information Technology
- IDS Intrusion Detection System
- IP Intellectual Property
- AP Access Points
- COBIT Control Objective for Information Technologies
- ROI Return on Investment
Why a technology solution is needed.
The business trusts IT to secure the business, and IT may not understand what the business is trying to accomplish. Everything is an essential driver if the business is driven to succeed. The monetary challenges that can come from not taking the BYOD/IoT threat seriously are quite large: data breaches have caused businesses to waste millions of dollars in reparations to customers and the government and in legal fees. This is the biggest driver that comes to mind, since the way to get upper management and the CEOs to understand the need for such a policy and protections is to show them, in terms they understand, that the almighty dollar is at stake if nothing is done. There is the adage, "It does not matter if you will get a breach or have a security incident, but when it will occur." So, this needs to be driven home and kept at the forefront when pushing for the solution.
There is also the unplanned downtime that is never regained or forgotten. Downtime directly caused by the domain being taken down by an attacker can range from a few thousand dollars into the tens of millions for large enterprise domains. Keeping the costs down is a major factor: if it is not cost-effective to swap the whole network over, then maybe a single IDS and policy is the best course of action. The ROI needs to be in line with the financial environment of the business, currently and in the foreseeable future. Also consider the impact on the employees: will they have to buy new devices? Is there a budget for this? Will these new changes, along with the downtime, negatively impact them? This all needs to be addressed before implementation and budgeted into the new plan.
What would the impact look like if no technology solution were implemented to address the BYOD/IoT problem? Well… everything spoken of above in the prevention areas: massive data breaches, viruses, network downtime, unproductive employees, and loss of profits and revenue due to legal battles and picking up the pieces after an attack. Now, you could go for a long time without ever seeing an issue or an attack. However, the chances of that currently are slim to none. The current climate with Covid-19, the onslaught of work from home, and people coming and going from the offices in odd ways just opens the door to issues.
If nothing is done, you fail to assess and update the security policies in place or the measures already enacted, which are most likely outdated and neglected in the ever-evolving business environment. Now more than ever it is increasingly necessary to stay as far ahead of the threats as possible. They are not standing still, so you cannot afford to, either.
How does the research paper reflect concepts learned in the CIS classes of the Bachelor's program?
Currently, the most influential classes, as stated above, are the wireless tech class, auditing and compliance, and the ICS architectures classes. Due to my laptop breaking, I am unable to cite specific classes, because all my cataloged work is on a hard drive in there. The wireless tech class, with the labs focused around the "smart home kits," really opened the way for more in-depth research outside of the class about current issues facing BYOD and IoT. The auditing class was an awful class with an absent professor; the whole class was truly laughable. I was, however, able to research in depth the vast importance of auditing and current ways of bringing a company into compliance with current trends. This then led to the older work I have done with BYOD and IoT and ways to secure it. The last section of the BAS program that helped was the ICS classes and how we focused on securing the environment and the current threats they are facing. Most of these teachings and concepts can be applied to a wide area of network security in varying industries. With the current trend in that field of people running around with tablets and laptops in place of full workstations, this fundamental change leads to the different forms of security spoken of above, which translate again to all areas of network security. I feel these are the areas in which the BAS program ties into the paper and brought about its topic and the contents spoken of within its pages.
Security should never be an afterthought, which sadly in this day and age it is; that view is slowly changing, and security is becoming more prominent in the eyes of the public and the powers that be. We should always be looking forward to ways to curb the tide of attacks and lessen the stress on the business. It can be quite simple if the fundamentals are in place. I think in time we will have a seamless blend with BYOD/IoT and the business environment working together. Take the steps to make life simple and make the technology work for us, not against us.