We’ve had a tumultuous first quarter in 2023, with a rash of high profile breaches — almost on par with the SolarWinds debacle that consumed tech headlines through most of 2021.
Read more of my #AskJJX content at Packet Pushers!
The most notable was LastPass’s barrage of breaches, culminating in a final attack against a DevOps engineer’s home computer, through an unpatched Plex server. The targeted developer was one of only four employees who held the keys to the kingdom. Using information from the first breach (earlier in the year), the attacker was able to capture the developer’s credentials and emulate a legitimate connection to LastPass’s cloud assets, including production data.
So, to recap — the worst of LastPass’s year-long battle with an attacker occurred through a personal device, on a home network.
The LastPass saga is the latest case study in the complexities of privileged access management (PAM) and the use of personal devices for conducting business. We won’t know the long-term financial impact of the breach to LastPass for some time, but we’ve seen a mass migration from the service to other password managers, and that trend hasn’t slowed. I can only imagine it’s a huge gut punch to the company, and a major hit to their bottom line.
And for the past three months, most boards, CIOs, and CISOs I know are taking the opportunity to reevaluate their Bring Your Own Device (BYOD) policies.
So it’s with great pleasure I have this opportunity to answer the question posed to me, “Who should create an organization’s BYOD policies?”
The answer is “everyone.”
Here’s how, why, and a lesson learned from Lynyrd Skynyrd.
Perhaps not quite literally everyone, but close. Everyone should be involved, but ultimately the organization will have to make a risk-based business decision detailing the use of personal devices in conducting business, and to what degree it’s permitted. I’ll explain who “everyone” is shortly.
The term “BYOD” is used to describe many models. For some organizations, it simply means a personal device is allowed on an Internet-only network at the office. Other organizations allow limited access to certain corporate resources from a personal device, such as using a smartphone to access email and calendar. Still others use BYOD to describe a model where some or all business activity is conducted on or through a personal device.
For today’s purposes, I’m going to use “BYOD” to encompass any model that involves accessing any type of business resource from a personal device, or from a device which is not fully owned, issued, and maintained by the organization.
As your organization tackles BYOD, it will be important to start with definitions of BYOD and a lexicon the entire company can use consistently to describe the various models of using personal devices for, or at, work.
Don’t Ask “What is Everyone Else Doing?”
Creating a BYOD policy is a very personal thing for all involved—the organization and each employee. I almost cringe every time I’m requested for a consulting call and they ask, “What is everyone else doing for BYOD?”
It doesn’t matter what everyone else is doing because their environment, user population, culture, intellectual property, platforms, and business model may be completely different than yours.
It’s feasible to make a few sweeping generalizations, but ultimately creating (and enforcing) a BYOD policy necessitates that the organization’s legal counsel, human resources, and executive leadership get involved.
A Lesson from Lynyrd Skynyrd on BYOD
In a tragic 1977 plane crash, two members of the rock band Lynyrd Skynyrd were killed. The survivors and families made a blood oath that no one should ever again perform as “Lynyrd Skynyrd,” and that oath was legally memorialized in a 1988 Consent Order.
What can Lynyrd Skynyrd possibly have to do with BYOD? Well, almost thirty years later, one of the few survivors, drummer Artimus Pyle, began consulting with a production company (Cleopatra Films) for a biopic about the band’s 1977 plane crash. Other members from the original blood oath took legal action against Cleopatra Films, and won, blocking production of the movie. One large body of evidence was related to text messages exchanged between Pyle and the main writer (a contractor of Cleopatra Films); the text messages (evidence in the case) were lost when the writer changed phones.
Shortening the story, the court found Cleopatra Films guilty of “spoliation of evidence” by not having control over their contractor’s text messages as critical evidence in the case. The writer wasn’t an employee of the film company, nor was he using a company-provided device. But there was also no policy in place outlining expectations of the use of personal devices, or ownership of data (including texts) on that device. The court awarded an adverse inference against Cleopatra Films, saying it was “common sense” the contractor’s texts were in Cleopatra’s control. There is a happy ending though: in 2018, the judgment was overturned, and in 2020 Street Survivors: The True Story of the Lynyrd Skynyrd Plane Crash was finally released.
It’s a fun story that brilliantly demonstrates the twisty legal issues organizations must navigate through BYOD policies.
Legal Considerations For BYOD
Organizations have a responsibility as stewards of their data, and they have a responsibility to ensure employee privacy is maintained — it’s all a delicate balancing act, and it’s why BYOD policies should have heavy involvement from legal and human resource teams.
These are just a few of the many legal considerations that go into planning a BYOD policy:
- E-discovery requirements: defining what’s in scope on personal devices, processes, and employee obligations during litigation holds
- Data ownership and management: including what obligations the organization has to protect its data, and what legal entitlements it has to wipe or back up data from personal devices
- Data privacy: including what the company is legally allowed to do to, or view from a personal device such as texts, calls, photos, GPS tracking, or browsing history
- Employee lifecycle: including what happens to the corporate data when an employee separates from the company
- Illegal activity: including what the organization is allowed or obligated to do in the discovery of illegal activity
Teams to Involve in Creating BYOD Policies
If nothing else, I hope this post has thus far demonstrated the myriad complexities in creating BYOD policies. Of course, once the legal piece is out of the way, the technologists and security architects have their work cut out for them ensuring proper technical controls for access (whether restricted or allowed) and monitoring are in place.
Given all these considerations, here are the teams I suggest involving in creating or updating your BYOD policies.
- Legal counsel: Lynyrd Skynyrd already showed us how twisty the laws can be around the use of personal devices in business, and there are hundreds of other (possibly more boring) court cases to be referenced.
- Human resources: The HR team should be involved in early planning along with legal to lend guidance on the employee lifecycle, systems, and tracking available.
- Executive leadership: Whether it’s the President, CEO, board of directors, or all of the above, executive leadership should have an active role in determining the risk appetite of the organization.
- CISO: The office of the CISO (or comparable security leader) should provide the risk analysis of BYOD for executive leadership to consider, as well as the related written policies for the organization and users.
- CIO: The CIO or equivalent role will help translate security requirements to technical controls and participate in the implementation of technology. This person or team can also advise the CISO and executive stakeholders about what’s possible with today’s products and technical controls.
- The users: A subset of the user population, or the voice of the users should be considered in planning a BYOD strategy. The users can share their needs, challenges, and requirements, and offer feedback on viability of planned controls. If we know one thing it’s this — if policies prevent a user from doing their job, they’ll find a way around it. Corporate culture plays a huge role in how tight or flexible BYOD policies are.
Well friends, this was a long post, but I hope it did justice in answering the question about who should be involved, while adding a little context as to the why as well. You can find a more detailed dive into BYOD in my latest book “Wireless Security Architecture”, Chapter 8.