Is your company allowing employees to bring their own devices and use them to log onto the corporate network? If so, do you know what is happening on your network and how many devices are on it?
Recently, I ran a network discovery at a company and found some interesting things. First, I ran the discovery during the “off hours,” meaning there should have been no one in the facility and only the automation and security systems operating. Instead, the scan showed 70 computers, instruments, and printers running on the network.
Next, I ran the same scan during business hours (full production and full staff), resulting in 120 devices being found on the network. What were the additional devices? Some of the devices were corporate workstations that get turned off overnight, and the remainder of the ‘new’ devices were personal cell phones.
Now, depending on how your networks are configured, that might not be a problem. In a properly segmented network, company-owned devices would have their own segment, and employees’ personal cell phones, laptops, and tablets would be on one or more additional segments. In this case, however, the staff members’ devices were also on the production network, introducing significant risk for the organization. Phones are susceptible to all the same types of malware and viruses as computers. Yet, phones and tablets are much less likely to be running anti-anything (e.g., anti-virus, -malware, or -spyware).
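The off-hours versus business-hours comparison above can be automated and checked against segmentation policy. The following Python is an added example, not part of the original post; the production subnet, asset inventory and scan rows are constructed, and it assumes each discovery run has been reduced to (MAC, IP) pairs.

```python
import ipaddress

# Assumed production segment and asset inventory (hypothetical values).
PRODUCTION_NET = ipaddress.ip_network("10.10.0.0/24")
CORPORATE_ASSETS = {"00:1b:21:aa:00:01", "00:1b:21:aa:00:02", "00:1b:21:aa:00:03"}

# Constructed scan results: (MAC, IP) pairs from each discovery run.
OFF_HOURS = [("00:1B:21:AA:00:01", "10.10.0.5"),    # automation gateway, always on
             ("00:1B:21:AA:00:02", "10.10.0.20")]   # printer, always on
BUSINESS_HOURS = OFF_HOURS + [
    ("00-1B-21-AA-00-03", "10.10.0.31"),   # workstation powered off overnight
    ("DA:A1:19:4C:77:10", "10.10.0.87"),   # randomized MAC on production
    ("3C:22:FB:10:20:30", "10.20.0.14"),   # unmanaged, but on a separate segment
]

def norm(mac):
    """Lower-case, colon-separated MAC so both scan formats compare equal."""
    return mac.lower().replace("-", ":")

def is_randomized(mac):
    # Locally administered bit (0x02 of the first octet) is set on the
    # per-network private MACs that current phone OSes use by default.
    return bool(int(norm(mac)[:2], 16) & 0x02)

def classify(off_hours, business_hours, assets, production_net):
    """Label every device seen in either scan by ownership and segment."""
    off = {norm(m) for m, _ in off_hours}
    seen = {norm(m): ip for m, ip in off_hours + business_hours}
    report = {}
    for mac, ip in seen.items():
        if mac in assets:
            label = "managed_always_on" if mac in off else "managed_daytime"
        elif ipaddress.ip_address(ip) in production_net:
            label = "unmanaged_on_production"   # the finding to act on
        else:
            label = "unmanaged_segmented"
        report[mac] = {"ip": ip, "label": label, "randomized_mac": is_randomized(mac)}
    return report

def findings(report):
    """MACs of devices that are not in the inventory but sit on production."""
    return sorted(m for m, d in report.items() if d["label"] == "unmanaged_on_production")

if __name__ == "__main__":
    rep = classify(OFF_HOURS, BUSINESS_HOURS, CORPORATE_ASSETS, PRODUCTION_NET)
    for mac, d in sorted(rep.items()):
        print(f"{mac}  {d['ip']:<12} {d['label']:<24} randomized={d['randomized_mac']}")
```

Because phones rotate randomized MACs, a MAC-keyed inventory alone undercounts personal devices; the `randomized_mac` flag is a hint to follow up with switch-port or wireless controller records.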
Additionally, many cell phones support tethering, which would allow the user to exfiltrate data via the cell phone to another computer, server, or cloud repository without the company being able to detect it. This would be done by connecting the device to the internal network and then tethering the device to the external network. Once connected, data can flow in both directions: good data (company confidential data) going out and bad data (viruses, malware, spyware) coming in. Or worse yet, someone else could establish a presence on your network, which would allow them to attack other companies while disguised as your company, or to set up a server that transmits spam from your network.
The lesson to learn is that things are never as easy or as secure as you think they are. Be diligent about policies, processes, and knowing what should be flowing where on your network. Not sure what your level of security is? Take our 2-minute Cyber Quick Check to get started on a path toward Cyber Confidence.