Part 1 of Addressing Security Risks of Personal Business in the Workplace highlighted the risks associated with employee use of corporate connected devices in the execution of personal business. To summarize, employee use of a device connected to the corporate network, even a company-provided device, for personal business such as email, file-sharing, etc. exposes the organization to additional risks of malware, including ransomware, impacting the corporate network. The risks are similar whether the device is connected directly to the corporate network (on premise) or via VPN for remote workers.
There are numerous solutions organizations can implement to mitigate these risks. In this article, we will delve a bit deeper to explain the pros and cons of implementing a few of the more common solutions. It is important to note, that regardless of the solution, an effective awareness and training program for employees is the number one most effective safeguard for your organization.
Block Access using Technology
One very effective solution to protect your organization from the risks of non-business-related activities is to simply block them technically. Access to personal web-based email and file-sharing services through the corporate network can be prohibited by company policy and blocked by corporate firewalls.
Layer 7 firewalls are extremely proficient at providing technical safeguards to implement protections against use of personal web mail and file sharing services. One approach is to integrate the firewall with the enterprise's directory services and only allow specific groups to access these sites with a special Access Control Rule. Any user not a member of this group will be denied access. Membership to the group can be controlled via a risk-based approach by reviewing the need for the access and granting it either on a permanent or temporary basis.
Membership should be audited on a periodic basis to ensure only authorized team members have access. In addition, if SSL decryption is enforced, attachments can be scanned for malware and information can be scanned by DLP technologies if available.
There are often valid business reasons for these non-corporate email and file-sharing solutions. One example might include the case of interaction with a customer in a B2C environment that makes their documents available via a file-sharing service such as Dropbox and requires use of that solution to exchange documents. Adding exception approval processes for this access leads to delays in information exchange. There may also be cases where an employee gets an exception approved by management for a personal reason and access is often not revoked in a timely fashion. These exceptions require technical procedures for enabling, tracking and eventually revoking access. They also require implementation of change control and providing specific training for the employee on the risks of using these services.
The pros of Layer 7 Firewalls include creating a technical barrier that protects the organization by stopping the potential risk at the perimeter. Access can be controlled and monitored, with revocation processes as simple as disabling the rules that granted the access or removing users from the group membership.
These solutions, however, require additional technical controls, change control and implementation of an exception process. In addition, SSL decryption technologies often do not work efficiently and may require that sites be bypassed from being decrypted. This will prevent scanning of attachments and information and may defeat some of the protections in place.
While firewalls are a great solution for devices connected directly to the corporate network, they don’t completely solve the issue of remote users connected via VPN. If employees are accessing web mail, file-sharing services and other questionable websites using the same VPN device but through their home network, it still opens a pathway for malicious code or files to bounce from those services to the local machine and then to the network. The risk may be reduced because uploads from the device to the corporate network may be more effectively monitored, but it is not completely eliminated.
Require Personal Devices for Personal Business
Organizations may block access on the corporate network and/or require employees to use their personal device for any personal business via corporate policy. Most companies have a guest network that has no connection to the internal secured network. Companies may make the guest network available to their employees for execution of any personal business.
The benefits of this solution include keeping any risky behaviors by the employee away from the secure network. Conversely, most guest networks do not adequately protect one user from another and therefore raises the prospect of one guest network user affecting other guest network user(s) – depending on guest network configuration and how the relevant individuals connected to the guest network.
This solution remains an ideal one for remote users as they can continue to use their home network or cellular network without impacting the corporate devices and network.
Virtual Desktop (VDI)
VDI solutions, such as Citrix or Microsoft’s Remote Desktop Services, can be an effective way to minimize the risk of unwanted data transfer from the local device to the corporate network.
A big plus for this solution is that one can continue to use a company configured device for personal business, but that device can still be completely segregated, protecting the network from any questionable employee behaviors. In order for an employee to connect to the corporate files and resources, they would institute a VDI session, which essentially makes the local device a dumb terminal. Resources within the VDI are tightly controlled, and applications and other resources are available only via the VDI session. Any transfers to/from the local machine can be prohibited.
A downside of this solution is that it makes offline work by any employee more difficult. Prohibiting the download of in-progress documents, spreadsheets, etc. means the employee must be connected to do any work. Imagine a traveling employee who needs to do some work while disconnected. A VDI would make this very difficult.
This solution also requires additional servers and extensive network configuration for allocation and management of the VDI environments. As with other solutions change control, exception tracking and training all continue to play an important role with this solution.
Virtual Machine (VM) Solutions
Similar to VDI solutions, Virtual Machine configurations can segregate business activity from personal activity on a single device. Though not as popular due to certain complexities, it can be an effective configuration option.
Setting up a VM on the local PC essentially creates a separate virtual environment, almost like having a separate computer, that can be used to connect to the corporate network, allowing for segregation from other personal activities. Connections and activities can be tightly controlled in the corporate connected VM, thereby protecting the corporate network from risky personal behaviors.
A recent Computerworld extols the virtue of virtual machines from a management perspective, stating: “On a PC, you could have distinct VM instances for work, school, and personal use with differing levels of user freedom. The company VM would be locked down so that the firm is better protected from the other usage models. Viruses often come into companies carried by employees who aren’t careful with their personal use of their firm’s PC…”.
Maintaining and securing VM configurations and training employees on the proper use of the VM configurations add to the complexity of this solution.
Use of browser sandboxing technology has been gaining traction in the industry.
Microsoft added this feature to its operating system in the May 2019 Update of Microsoft Windows 10 (Version 1903). In addition, Microsoft Edge on Windows 10 natively supports hardware isolation capabilities. As part of Windows 10 Pro or Enterprise, Microsoft Defender Application Guard (Application Guard) runs untrusted sites in a kernel isolated from the local device and internal networks.
Maintaining company assets and protecting them from any sort of infection, whether malicious or unintentional, is paramount to a good security program. Whether you choose one of the options outlined in this article or some other method of protection, awareness of the risks employees can bring to the corporate network and taking proper steps to protect the network from these risks is vital to protect corporate assets.
Remember that no protections can be truly effective without proper staff awareness and training. Even the most secure technical solutions can be subverted, intentionally or unintentionally, by employees making use of exception processes and/or willfully working around well-implemented protections for their own convenience. Company culture and awareness of the dangers of personal business on a company network-connected device is the single best protection for the organization.