Issue No. 126, February 2023
The Danger of Uncontrolled BYOD
Many of our readers are familiar with the ongoing debate in Washington regarding whether the US Government should ban the popular social media app TikTok. Today we want to give a brief overview of that controversy and explain why it is indicative of larger issues to which any business owner should pay keen attention.
TikTok was originally released in 2016, and has steadily grown in popularity since. On its face, the app is similar in many ways to other social media apps of the recent past – it allows users to post short, time-limited videos to be viewed by other users of the application. The main difference between TikTok and other popular social media apps is that it was made by ByteDance, a company based in China. Without getting into the larger geopolitical reasons behind their concern, the federal government, specifically the US Congress, has recently begun holding hearings to try to determine whether the app should be banned nationwide. The administration has already banned the app, via executive order, on government-owned devices used by federal government employees. The main cause for concern is that the app could be used by the Chinese government both to extract personal data on American users and potentially to influence them via algorithmic video selection. Effectively, the US Congress is concerned that TikTok may be used to gather data on American citizens that could in turn be used to influence them in untold ways: spreading propaganda, influencing elections, steering them towards particular products, etc.
While passing judgement on the veracity of these claims is outside the scope of this discussion, they are illustrative of something that all business owners should be concerned about: the prevalence of end-user-owned devices inside a corporate network. Although TikTok is perhaps the highest-profile example, the number of employee-owned devices that interact with the corporate network has grown exponentially in recent years. Cell phones, tablets, and smart watches all interact with the corporate network on a daily basis. Each of these devices represents a potential intrusion point. Malware on a mobile device can be used to extract data from that device, or from the network it is connected to. Mobile devices can also be utilized as infection vectors: installed malware may lie dormant on the device itself, only ‘activating’ once connected to a corporate network where it in turn wreaks havoc.
What then should a business do to guard against intrusions of this type? Allowing employee-owned devices onto the network is sometimes referred to as BYOD (Bring Your Own Device). There are multiple means available – the simplest and most draconian is disallowing mobile device connections to the corporate network altogether, and many companies restrict their BYOD policy for this reason. Other methods include network segmentation, the use of Mobile Device Management solutions, and conditional access policies that restrict the type of data available to employee devices. These restrictions and policies all require experienced IT professionals to implement and maintain. For more information on these or other IT-related matters, please contact your IT services provider.