How can businesses redefine their BYOD IT strategy in 2022?

Pandemic “quick fix” BYOD strategies are simply not enough in 2022.

BYOD policies have been a hot topic for a while now, even before the pandemic. But now that hybrid and out-of-office working is the new norm and here to stay, BYOD strategies need to be reconsidered.

Specific examples of BYOD/IT strategies and how these have worked practically, including benefits and drawbacks:

BYOD (Bring Your Own Device) strategies usually work best for organisations when they are limited to mobile phones. After all, the days when employees had a company mobile phone are coming to a close, and for good reason. Most people have their own personal mobile device that can be used for work tasks, so why have two phones?

Indeed, the rise of ‘soft phones’ means that giving out a personal mobile number instead of a business number is no longer necessary when dealing with corporate calls or texts. This allows businesses to keep better control of their telephone numbers, which are, in effect, company assets.

Also, some employees might feel reluctant to use their own phone data for business activities. This issue has progressively faded, though, as most phone contracts now include unlimited calls and data bundles. Whilst businesses don’t need to cover the whole cost of data and calls, providing a nominal allowance can be a good way to deal with any remaining reluctance.

Is there a flexibility versus security consideration to be had, or is this a false dichotomy?

For a large percentage of workloads, the security that can be implemented on a company device is often significantly greater than what can be implemented on a personal device. However, if businesses want to find a balance between flexibility and security, one option is a CYOD (Choose Your Own Device) strategy, which gives employees a feeling of choice while retaining the security controls the employer requires.

That said, we would expect BYOD strategies to become more widespread across businesses in the coming years, because more and more applications and systems are becoming web-only or cloud-only solutions, particularly as interoperability and usability improve to support a hybrid workforce. Until then, the application stack in most organisations isn’t quite where it needs to be.

Why are pandemic “quick fix” BYOD strategies not fit for purpose in 2022?

When the pandemic first hit, many organisations rushed into a quick fix by making BYOD arrangements in a bid to keep their staff and their business operating. However, a substantial number of companies simply haven’t re-evaluated their risk profiles since implementing these systems, nor have they evaluated the technical and policy-based controls that are required.

This is a significant concern that organisations should look to address urgently, alongside other measures they should consider taking, such as a review of methodology and ideally bringing in a formal IT security governance framework, such as ISO 27001 or IASME.

How can attackers take advantage of vulnerabilities and misconfiguration in devices and networks?

Any significant holes in an organisation’s security will be found and exploited by attackers in the current cyber threat landscape. These vulnerabilities may be as small as a single missing security patch, an insecure home or public WiFi network, a misconfigured local firewall, or even an employee who is unaware of current threats. Whichever gap in security it is, a hacker or one of their automated systems will find it, especially as they are incentivised by financial gain. Indeed, the global cybercrime industry is now worth over £6 trillion, three times the size of the crypto market, so companies have everything to gain from investing in their IT security to protect themselves from cyber threats.

If you’d like to talk IT Security or Consultancy with us, get in touch here.

David Clarke’s take on the new Product Security and Telecommunications Infrastructure (PSTI) Bill

QuoStar’s Head of Security and resident CISO David Clarke shares his views on the new piece of legislation to protect the consumer – The Product Security and Telecommunications Infrastructure (PSTI) Bill.

“The Product Security and Telecommunications Infrastructure (PSTI) Bill supports the rollout of future-proof, gigabit-capable broadband and 5G networks, and better protects citizens, networks and infrastructure against the harms enabled through insecure consumer connectable products.” [Department for Digital, Culture, Media & Sport, 24 November 2021]

This is a very interesting piece of legislation as the “Product Security Measures” apply to manufacturers, importers, and distributors in the supply chain for consumer connectable products.

“A consumer connectable product is an internet-connectable or network-connectable product.” [Department for Digital, Culture, Media & Sport, 24 November 2021]

The PSTI Bill

The government has stated that the security requirements will apply in relation to products including:

  • Connected cameras, TVs, and speakers
  • Smartphones
  • Connected children’s toys and baby monitors
  • Connected safety-relevant products such as smoke detectors and door locks
  • Internet of Things base stations and hubs to which multiple devices connect
  • Wearable connected fitness trackers
  • Outdoor leisure products, such as handheld connected GPS devices that are not wearables
  • Connected home automation and alarm systems
  • Connected appliances, such as washing machines and fridges
  • Smart home assistants

The security requirements, to be set out in regulations, will:

  • Ban default passwords
  • Require products to have a vulnerability disclosure policy
  • Require transparency about the length of time for which the product will receive important security updates.

The scale of devices with weak security is absolutely huge: Kaspersky research says there were 1.5 billion attacks against IoT (Internet of Things) products in the first 6 months of 2021.

As we speak (7th December 2021), more than 300 SPAR convenience stores across the UK have either had to revert to cash-only payments – or shut altogether – following a cyber-attack that forced all point-of-sale devices offline, leaving the stores unable to take card payments. It’s not the first time a European supermarket has been caught up in a supply chain attack this year: Sweden’s Coop stores were all hit with REvil ransomware in July, as a consequence of the Kaseya breach.

Ban Default Passwords

The question is, will this legislation make a difference? Removing default passwords will of course make a huge difference, yes. And no. It may just delay the inevitable. Will the devices have to meet a standard for passwords, e.g. minimum length or complexity? Will the device have a lock-out period, e.g. 10 failed attempts and you are locked out? If not, enumeration software will eventually crack the password.

Vulnerability disclosure

A good idea in principle; the difficulty will be whether these devices auto-update, as it is unlikely that many users will have the technical capability to apply fixes themselves.

Important security updates

If security updates are available for 2 years, similar to the average Android phone, what happens then? Will consumers be alerted when the 2 years are up? Will this then become part of built-in obsolescence, so that new phones, doorbells, fitness wearables and washing machines need to be bought again, probably every 2 years?

“Ensure that consumer connectable products, such as smart TVs, internet-connectable cameras and speakers, are more secure against cyber-attacks, protecting individual privacy and security” [Department for Digital, Culture, Media & Sport, 24 November 2021]

This would seem to indicate that if there is damage to an individual’s privacy, there could be a group action against the manufacturer, importer and distributor of the device.

Should these devices go through a form of accredited security testing? In business-to-business relationships, there is usually a requirement that all systems should be updated within 14 days and be in support by the vendor.

In the age of teleworking, would the “work” supply chain be fully in scope? Home routers should not use a default password, and all software/firmware under the legislation must be in support by the vendor. Should smart speakers be updated? The doorbell, fish tank thermometer, alarm system, Wi-Fi garden lighting? These could all potentially be in scope, especially where someone works from home, as a vulnerability for the corporate workspace.

Just one vulnerable point can allow criminals into a network.

In 2018, attackers were able to compromise a connected thermometer in a fish tank that had a default password. The fish tank was in the lobby of a US casino, and attackers used this vulnerability to enter the network and access sensitive details, such as bank details.

It’s very difficult to ensure that every link in the chain has appropriate cyber security measures in place and it only takes one vulnerable point to allow criminals into a network. Once they’re in, the knock-on effects can be catastrophic.

This is a step in the right direction, but how do we manage the consequences, and is enforcement likely?

Even the Code of Practice for Consumer IoT Security only mentions encryption and cryptographic keys briefly, without much detail. Without encryption, how will personal data and passwords be stored securely on IoT devices?

Hopefully, this will be the start of a safer online world. Although is it enough? Probably not at this stage.

Will there now be a possibility of a class action against a device manufacturer for privacy infractions? Does this mean that the device manufacturer, importer, distributor could inadvertently (under GDPR) become a data controller if they are responsible or partly responsible for a breach? The bill raises more questions than it answers in the long term.

At QuoStar we manage these types of issues for corporate clients regularly: patch management, passwords, release management and regular upgrades, as well as containing systems and devices that cannot be upgraded, which need to be segregated behind additional security layers.

David Clarke is QuoStar’s Head of Security and resident CISO (Chief Information Security Officer) consultant.

Find out about the security services QuoStar offers or contact us today for a free consultation.

Optimising manufacturing operations with the right IT Solutions

Optimising manufacturing operations isn’t always easy, but it can be achieved with the right IT Solutions.

Manufacturing businesses are typically the best at seeking out efficiency and productivity in their operations, particularly on the shop floor. However, many still do not apply the same LEAN principles to the rest of their operations, and that can make the optimisation of processes more challenging because of a lack of consistency throughout the business.

Systems and process analysis, together with automation, can be used throughout an organisation to drive out inefficiencies. IT is certainly an enabler of efficient, well-performing operations.

As QuoStar’s Robert Rutherford was recently quoted in the Manufacturer: “Finance operations, for example, are often very bloated, but IT can facilitate outsourcing or offshoring, not only reducing costs but also allowing the process to become quickly automated to a good extent.”

What types of IT solutions and services can help with optimising manufacturing operations?

Historically, manufacturers were always at the forefront of technology. This has in many ways meant that they experienced the falls and disappointments that come with testing cutting-edge solutions. However, technology systems have also been driving results for manufacturers in some areas, such as IoT, cloud services and CRM.

Internet of Things (IoT)

The Internet of Things (IoT) has certainly given manufacturers an advantage, both on the shop floor and within their products on customer sites, by helping with support and maintenance but also by enabling big-data queries for insights and value. It’s driving decisions around productivity, wastage and research & development to deliver wins across the board.

Cloud Services

Cloud services are also still extremely valuable to manufacturers. Although many still keep heavy processing in a private cloud, the public cloud (particularly AWS and Azure) allows operations and development to flex, trial and scale-up (and scale-out) without the traditional costs and complexities of big kit in the server room. The pandemic has heavily accelerated change. Customers have demanded faster innovation, more data and information, greater integration, and increased security.

CRMs

CRM systems have moved on significantly, and this is greatly improving the service manufacturers are able to deliver to customers, whether in managing expectations, delivering value or collecting relevant information. They can also drive an increase in sales in terms of new business wins, cross-sales and real engagement through marketing automation.

Big CRM projects were historically associated with large capex costs. However, now they virtually all come in a cloud-based delivery model on a price per user basis.

Digital Transformation Road Mapping & IT Consultancy

QuoStar specialise in IT solutions. We can help with Digital Transformation Road mapping, as well as offering IT Consultancy services. Don’t forget that with QuoStar you also have access to a CIO Service too!

If you’d like help optimising your manufacturing operations, please get in touch with our team today.