
How can proper BYOD and IoT device onboarding improve security?

The influx of BYOD and Internet of Things (IoT) devices into the workplace is calling for proper device onboarding processes. Expert Kevin Beaver offers helpful hints.

 With a number of never-before-seen BYOD/IoT devices entering enterprise networks, how should security programs deal with onboarding those devices?

Plainly and simply, if information security professionals are going to do something about the risks that bring your own device (BYOD) and Internet of Things (IoT) devices introduce, they first have to find out what those risks are.

A lot of people I've heard from and spoken with don't believe BYOD and IoT devices are a huge deal. In fact, many -- mostly executives who think they know more about security than you do -- will proudly and assertively proclaim that these devices have nothing of value on them, and/or that they don't use these devices in ways that create business risks. In addition, many people believe that because they are "compliant," they are secure.

That said, I'd venture to guess that most people working in IT understand that if a device has an IP address, a URL or an on-off switch, then it's fair game for attack. Even if a coffee maker in the corporate break room or a physical security alarm system, for example, doesn't store customer information or intellectual property, you still have to consider how else it could be introducing risks -- e.g., weak network communication methods, lack of authentication and access controls, susceptibility to denial-of-service attacks and the like. Such vulnerabilities could be two or three "hops" removed from the enterprise network, but you have to determine how they can potentially be exploited. There's also a strong BYOD and IoT tie-in with security policies, business continuity and incident response; you have to be prepared.

With that in mind, proper processes for device onboarding are critical to securing BYOD and IoT devices. Penetration testing and technical security reviews are the best way to find out how these mobile or otherwise non-traditional computing devices are creating risks (e.g., missing patches, open Web interfaces and weak authentication mechanisms) in your organization, so start there.

Much of information security is a mind game -- real-world human psychology. The trick to understanding this human side of security is to learn as much as you can about it and -- if you're able to master it -- the technical pieces will fall into place. Here's a piece I wrote on how to get your security messages across to management and another on selling the value of security to management for further reading.


Join the conversation



How has your organization handled the influx of BYOD and IoT devices?
Fairly well, thanks. We jumped on this as soon as it started becoming a real issue, informing our employees of the company stance and encouraging them to use good judgment before asking us to let them bring a new device in. We only allow employees to use new devices if they can adequately demonstrate the value of doing so. The burden of proof is on them, and they know it - this weeds out ill-conceived requests.
To handle the vast influx of BYOD and IoT devices, our organization has implemented proper onboarding procedures before the devices can be connected to the network. We have also named an on-site manager of mobile devices for our BYOD and IoT gadgets. This allows us to streamline the process of ensuring that every device has the latest in security updates and is set up to communicate with all of our other systems and gadgetry in the office as well as out in the field. Our proactive approach may continue to change as the IoT expands to wearables and newer technology.
Reminds me of a security analyst's saying that the only almost secure device has no access to communication networks and is turned off and buried. Almost...