recommended reading

How a BYOD Telework Policy Could Put Your Agency at Risk


More than one-third of the American workforce has worked remotely, a Gallup poll finds -- but accessing an employer’s assets via smartphone, tablet or laptop could make the organization vulnerable to cyberattack.

The National Institutes of Standards and Technology is revising its guidance on telework to address the cyber risk associated with “bring your own device” policies. This week, NIST issued a draft of the revision.

Nextgov spoke with NIST researcher Murugiah Souppaya about safe teleworking. This conversation has been edited for length and clarity.

NG: Tell us about the threat landscape. Why can BYOD be risky?

MS: End-user devices are spread out, outside of what I call the “trusted boundary,” the enterprise network. The exposure is a lot higher, because of the level of access and the type of data that the user can get to from the devices. It opens up a larger attack surface for the organization.

NG: NIST’s original teleworking guidance was issued in 2009. Why is NIST just now updating it? Is there an increased threat to organizations allowing telework and BYOD?

MS: Back in 2009, 2010 was the introduction of smartphones and all those devices. We didn’t really cover that space in the original publication. We’ve been working on updating these publications for a while now, for over a year.

A lot of the attack vectors are coming in from the end-user devices that are outside of the corporate network. People are using these devices at home, on the road.

NG: So, what are the challenges of implementing BYOD policy safely?

MS: A lot of organizations are moving toward that model because of user demands. Users these days have access to some really nice consumer devices. Consumers update their devices more often, and those devices are getting a lot of capabilities on them.

The challenges with organizations is the device, because the organization does not have physical control over them. They try to minimize risk ... to at least try to isolate or segregate the corporate data and application away from the general purpose operating system.

There’s always this notion that they’ll be saving money because they’ll no longer have to provide those physical devices, but on the other hand they need to enhance their security control capabilities.

NG: Even with these guidelines, is a BYOD policy inherently riskier than using agency-issued devices?

MS: I wouldn’t say it’s riskier. I would say organizations need to take a risk-based decision to decide if they want to allow access to enterprise data and applications. Organizations may decide not to give the end-user access to everything.

For example, if it’s government-furnished equipment, they have much better control over that device because they provision it. They manage it, they can have full access to that device, which means they can do better enforcement of the security control around those devices.

But if the user is using their personally owned device, the organization may want to minimize the risk and only allow the user, on a potentially untrusted device, to have less access to sensitive information.  

[Organizations] also want to make sure they have documented policy and processes so that the system owner or the data owner or the decision-maker within that organization understands the type of risk they’re accepting.

The idea is not really for the organization to go out and build brand-new infrastructures and get a whole new set of resources and people to manage it. It’s more about leveraging what they currently have and adding some additional capabilities.

Threatwatch Alert

Thousands of cyber attacks occur each day

See the latest threats


Close [ x ] More from Nextgov

Thank you for subscribing to newsletters from
We think these reports might interest you:

  • Modernizing IT for Mission Success

    Surveying Federal and Defense Leaders on Priorities and Challenges at the Tactical Edge

  • Communicating Innovation in Federal Government

    Federal Government spending on ‘obsolete technology’ continues to increase. Supporting the twin pillars of improved digital service delivery for citizens on the one hand, and the increasingly optimized and flexible working practices for federal employees on the other, are neither easy nor inexpensive tasks. This whitepaper explores how federal agencies can leverage the value of existing agency technology assets while offering IT leaders the ability to implement the kind of employee productivity, citizen service improvements and security demanded by federal oversight.

  • Effective Ransomware Response

    This whitepaper provides an overview and understanding of ransomware and how to successfully combat it.

  • Forecasting Cloud's Future

    Conversations with Federal, State, and Local Technology Leaders on Cloud-Driven Digital Transformation

  • IT Transformation Trends: Flash Storage as a Strategic IT Asset

    MIT Technology Review: Flash Storage As a Strategic IT Asset For the first time in decades, IT leaders now consider all-flash storage as a strategic IT asset. IT has become a new operating model that enables self-service with high performance, density and resiliency. It also offers the self-service agility of the public cloud combined with the security, performance, and cost-effectiveness of a private cloud. Download this MIT Technology Review paper to learn more about how all-flash storage is transforming the data center.


When you download a report, your information may be shared with the underwriters of that document.