Cybersecurity Considerations with Bring Your Own Device (BYOD) Implementations

Bring Your Own Device (BYOD) refers to allowing end users the ability to use their own personal mobile devices (e.g., phones, tablets, laptops, etc.) to conduct business instead of having a corporate device issued to them.  BYOD is often seen as a cost savings and a step toward a “21st Century Workforce” by executives.  On face value, BYOD could save money and give users more flexibility.  By eliminating the cost of wireless service contracts, devices, accessories, and repairs, it doesn’t take long to see financial advantages to BYOD.  Users generally promote BYOD because most people do not want to carry multiple devices.  Some organizations even offer a stipend to employees toward a mobile device contract and still find it less expensive than managing devices and contracts at the organization level.  Our job however, as information security professionals, is to ensure that our executives understand the pitfalls and risks associated with a BYOD program. 

 I was asked to conduct a risk analysis and review of a proposal to move the agency I support to BYOD, and thought I would share information I used in this process.  At the completion of my review, the agency made the decision to stay with issuing mobile devices and disallowing BYOD.  For full disclosure, I am a contractor and Chief Information Security Officer (CISO) for a federal national security agency that deals with sensitive unclassified and classified information.  The stakes may be higher with my agency than your organization, but in my opinion the loss of personally identifiable information (PII), protected health information (PHI), payment card industry (PCI) data, or intellectual property (IP) can be just as disastrous to any organization.

 BYOD is plagued with a number of security and legal problems.  Below are the main points I raised when reviewing the BYOD proposal which resulted in the agency executives deciding against BYOD and continue to issue government furnished equipment (GFE).

 Requirement for Mobile Device Management

 The only way I would ever consider a BYOD implementation, regardless of the organization, is through the use of a mobile device management (MDM) solution.  There are many MDM solutions on the market today from several vendors (look at VMware’s AirWatch or Samsung’s Knox as examples).  In fact, I would require the use of an MDM solution even on a corporate or government owned device for reasons I will discuss.  An MDM essentially sandboxes business data from the rest of the device.  If the device is compromised, the data within the MDM container is safe as data (including copy/paste, etc.) cannot freely move between the device’s memory and the MDM.

 MDM solutions can be very expensive and also require IT support and infrastructure.  MDM tools should be setup so that logs of user activity and security events such as malware, jailbreaking, or app installation are sent to the organization’s security team.  Typically, within an MDM will be organization resources such as internal web applications, email, network resources, etc.  Users must be put on notice of this real-time monitoring of their device through the MDM, regardless of it is a business owned or personally owned.

 MDM solutions are excellent, but they still do not protect against users losing devices, device theft, shoulder surfing, or malicious software such as keystroke loggers and screen scrapers.  Some MDM solutions do provide protection against these issues, like having the ability to remotely locate a device or remotely wiping the MDM container, so it is important to look at the features of each MDM against your organization’s requirements.

 The other benefit to an MDM is that the organization can completely control what is within the sandbox and if an employee leaves employment without coordinating with IT, or turns in their device to a repair facility, the sandbox and all of its data can be removed remotely (as long as the device is connected to the Internet). 

 eDiscovery and Litigation Considerations

 I have been involved in my share of eDiscovery requests and litigation and mobile devices are being requested more frequently by attorneys.  The isolation of organizational data inside of an MDM can be very helpful during a legal hold or data request.  It may be an option to have an IT executive (CIO, CISO, etc.) write an affidavit that all organizational data is stored within the MDM and not on the actual device.  By providing a copy of any stored data within the MDM as well as the other requested data from backend systems such as email content and file shares, the subpoena may be satisfied without having to hand over the mobile device.    

 The problem with the above argument though, is that many people use a mobile device for more than just checking email or accessing organizational Intranet pages.  Features like cameras, short message service (SMS), and call logs may be part of an eDiscovery request and the data for these functions are not stored within an MDM.  As soon as an end user stores data outside of the MDM for work-related purposes, they have just opened the door to having that device seized during litigation or in an investigation.

 Consider this scenario: your company is being sued for wrongful termination by a disgruntled ex-employee.  The ex-employee is alleging that their manager and another employee conspired to terminate them.  The ex-employee hired an attorney, who issued a legal hold and subpoena to your company asking for email content, phone logs, SMS messages, hard drive images, and any removable storage devices to be acquired from the ex-employee’s manager and the other involved employee.  As the company’s information security leader, you are served this eDiscovery request and contact the manager and other employee.  They have BYOD, however they admit to sending SMS messages to each other regarding work.  Their personal phones, will now be seized and all SMS messages downloaded as part of this legal subpoena.  In most cases, the entire phone will have a physical or logical forensic copy made of it, which will include all application data, pictures, videos, SMS, call logs, etc. 

 After having forensically examined thousands of devices in my career, I can say that people store highly personal things on their devices.  Most people do not want these items being given over to opposing counsel, the ex-employee (through discovery), their own employer, or any number of other people in the legal process. 

 The same scenario is true with a company-owned or GFE device being provided to an employee; more than just the MDM may be obtained during an internal investigation or legal request.  With this said, hopefully users who have an issued device use the device strictly for business purposes and leave the personal items for their personal devices.

 Compatibility with Investigative Methods and Tools

 If you do choose to implement BYOD, it is imperative that your cybersecurity team has the ability to forensically examine any device allowed.  Organizations should have an “approved list” of devices that are allowed to be used by employees.  The approved list should be created based on the compatibility with MDM solutions as well as the compatibility with the forensic tool of choice used by the organization (e.g., CelleBrite, Susteen, XRY, EnCase, FTK, etc.).  A forensic examination may be necessary in eDiscovery requests, employee misconduct investigations, or criminal investigations.

 Classified Spillages

 Many government contractors, federal agencies, and the military deal with classified data.  A “spill” refers to a security incident which occurs when classified data is placed on an information system that is not accredited for classified data (e.g., Secret data is found on an unclassified system).  If a BYOD system is found to be involved in a spill, the device will be seized and most likely physically destroyed depending on guidance from the specific agency.

 Policy Considerations

 Equally as important as all of the technical controls and considerations above, the administrative controls of a well-crafted policy for BYOD is critical.  BYOD policies should be made in concert with the CIO, CISO, Legal, HR, and other stakeholders.  A BYOD policy is much like an acceptable use policy (AUP) that should be read and signed by employees annually.  Some key points to include within this policy are:

• Employees are put on notice that they may only use approved mobile devices as part of the BYOD program.
• Employees understand that their personal device may be seized at any time in the course of an investigation or litigation. This is essentially telling employees they have no expectation of privacy on their device(s) and they are waiving their 4th amendment right by signing the document.
• If a stipend is offered, employees may be required to submit monthly billing statements to the employer. See this legal blog for further on stipends and other case law.
• In the case of classified spillage (geared toward the federal/military organizations) users acknowledge that their device may be seized and physically destroyed without compensation by the organization for the device.
• User’s acknowledge that personal phone records and call logs must be available to the administration upon them ordering the user to produce them. This would be in support of an administrative investigation surrounding the use or misuse of a device (e.g., some is involved in an accident and the organization wants to determine if they were talking or texting at the time, or there is an allegation that an employee is spending too much time on their phone at work).
• Which employees should be allowed to use BYOD? Many lawyers and HR professionals recommend that only exempt employees be allowed to participate as non-exempt employees may be able to claim they were not paid overtime for working outside of work if their email and other work information is available to them off the clock.  See this court case for further details of a successful suit on this point.
• HR should notify IT anytime an employee is being disciplined, terminated, or otherwise leaving employment so data can be wiped off the device.
• Employees must notify IT anytime their device will be outside of their control. For example, employees cannot go to their local Apple store and get a new iPhone while trading in the old device full of corporate data (even if it is within the MDM).  Employees must coordinate with IT, have the device sanitized first, then they can turn in the device for repair, replacement, or trade-in. 

 In my agency, I presented the above information to executives and stakeholders in a factual manner and they quickly made the decision to abandon BYOD.  Especially when users understand that they lose any expectation of privacy on their devices, many are not willing to take the leap to give up privacy for the convenience of carrying a single device.  Having a definite separation between personal devices and work-related devices presents the least risk to the organization and the individual user.

 There may be some organizations where BYOD does make sense.  While I still think implementing an MDM should be an absolute requirement regardless of the organization, some non-profit organizations and higher education institutions are generally good candidates for BYOD.

 Like everything else in cybersecurity, there must be a balance of security and convenience.  In my opinion the inconvenience of carrying two phones is far less than the security, legal, and reputational risks to an organization. From a financial standpoint even though the hard savings can be seen by switching to BYOD, the potential costs associated with non-compliances and data breaches from BYOD could far exceed any savings from BYOD.

 The courts are still catching up with BYOD, however there are many legal decisions that have been made within the last few years.  Here is a great blog post by an attorney regarding BYOD.  Before making any decisions regarding BYOD, ensure you are working with your legal counsel and all of these questions are answered before an incident occurs.