recommended reading

How a BYOD Telework Policy Could Put Your Agency at Risk


More than one-third of the American workforce has worked remotely, a Gallup poll finds -- but accessing an employer’s assets via smartphone, tablet or laptop could make the organization vulnerable to cyberattack.

The National Institutes of Standards and Technology is revising its guidance on telework to address the cyber risk associated with “bring your own device” policies. This week, NIST issued a draft of the revision.

Nextgov spoke with NIST researcher Murugiah Souppaya about safe teleworking. This conversation has been edited for length and clarity.

NG: Tell us about the threat landscape. Why can BYOD be risky?

MS: End-user devices are spread out, outside of what I call the “trusted boundary,” the enterprise network. The exposure is a lot higher, because of the level of access and the type of data that the user can get to from the devices. It opens up a larger attack surface for the organization.

NG: NIST’s original teleworking guidance was issued in 2009. Why is NIST just now updating it? Is there an increased threat to organizations allowing telework and BYOD?

MS: Back in 2009, 2010 was the introduction of smartphones and all those devices. We didn’t really cover that space in the original publication. We’ve been working on updating these publications for a while now, for over a year.

A lot of the attack vectors are coming in from the end-user devices that are outside of the corporate network. People are using these devices at home, on the road.

NG: So, what are the challenges of implementing BYOD policy safely?

MS: A lot of organizations are moving toward that model because of user demands. Users these days have access to some really nice consumer devices. Consumers update their devices more often, and those devices are getting a lot of capabilities on them.

The challenges with organizations is the device, because the organization does not have physical control over them. They try to minimize risk ... to at least try to isolate or segregate the corporate data and application away from the general purpose operating system.

There’s always this notion that they’ll be saving money because they’ll no longer have to provide those physical devices, but on the other hand they need to enhance their security control capabilities.

NG: Even with these guidelines, is a BYOD policy inherently riskier than using agency-issued devices?

MS: I wouldn’t say it’s riskier. I would say organizations need to take a risk-based decision to decide if they want to allow access to enterprise data and applications. Organizations may decide not to give the end-user access to everything.

For example, if it’s government-furnished equipment, they have much better control over that device because they provision it. They manage it, they can have full access to that device, which means they can do better enforcement of the security control around those devices.

But if the user is using their personally owned device, the organization may want to minimize the risk and only allow the user, on a potentially untrusted device, to have less access to sensitive information.  

[Organizations] also want to make sure they have documented policy and processes so that the system owner or the data owner or the decision-maker within that organization understands the type of risk they’re accepting.

The idea is not really for the organization to go out and build brand-new infrastructures and get a whole new set of resources and people to manage it. It’s more about leveraging what they currently have and adding some additional capabilities.

Threatwatch Alert

Thousands of cyber attacks occur each day

See the latest threats


Close [ x ] More from Nextgov

Thank you for subscribing to newsletters from
We think these reports might interest you:

  • It’s Time for the Federal Government to Embrace Wireless and Mobility

    The United States has turned a corner on the adoption of mobile phones, tablets and other smart devices, outpacing traditional desktop and laptop sales by a wide margin. This issue brief discusses the state of wireless and mobility in federal government and outlines why now is the time to embrace these technologies in government.

  • Featured Content from RSA Conference: Dissed by NIST

    Learn more about the latest draft of the U.S. National Institute of Standards and Technology guidance document on authentication and lifecycle management.

  • A New Security Architecture for Federal Networks

    Federal government networks are under constant attack, and the number of those attacks is increasing. This issue brief discusses today's threats and a new model for the future.

  • Going Agile:Revolutionizing Federal Digital Services Delivery

    Here’s one indication that times have changed: Harriet Tubman is going to be the next face of the twenty dollar bill. Another sign of change? The way in which the federal government arrived at that decision.

  • Software-Defined Networking

    So many demands are being placed on federal information technology networks, which must handle vast amounts of data, accommodate voice and video, and cope with a multitude of highly connected devices while keeping government information secure from cyber threats. This issue brief discusses the state of SDN in the federal government and the path forward.

  • The New IP: Moving Government Agencies Toward the Network of The Future

    Federal IT managers are looking to modernize legacy network infrastructures that are taxed by growing demands from mobile devices, video, vast amounts of data, and more. This issue brief discusses the federal government network landscape, as well as market, financial force drivers for network modernization.


When you download a report, your information may be shared with the underwriters of that document.