How to Mitigate the Risks of BYOD for Your Business Customers

Bring Your Own Device

The Bring Your Own Device, or BYOD, revolution was until recently naively believed to be a problem affecting big business only. Whether we like it or not, that has simply turned out not to be the case. While the earnest discussion about the problem began only a few years back, the issue has affected small businesses in some form for the better part of the last decade.

But more importantly, how does this trend affect your role as a consultant, and why should you be concerned? For numerous reasons, actually. The small businesses you support are likely seeing more devices enter their networks than ever before, which means the possibilities for data leaks, mass infection, and security breaches are at an all-time high. Ignorance is not a great plan for the long run.

This topic is quite timely on my own end, as customers of my company FireLogic are finally realizing the risks that all of these foreign devices pose. While it’s definitely not my place to play small business tech referee, as a trusted adviser I do see fit to provide my honest opinion. Whether it is security related or a matter of bandwidth limitations, BYOD is hitting small business hard. Here are my top recommendations for easing the burden on your customers’ networks and offices.

Pitch Unified Threat Management (UTM) devices to replace standard SOHO routers

These bona fide devices go under many different monikers, such as Unified Security Gateway (USG) by Zyxel, but their premise is roughly the same. Instead of beefing up security on the client side, as was the norm for the past decade or so, computer repair consultants now have a better option at their disposal. These routers-on-steroids combine top-notch firewall functionality with enterprise-level threat prevention to stop attacks and malware before they ever enter the network.

These small to mid-size business “all in one” router/switch/firewall+ devices not only have advanced filtering power, but they all have some flavor of subscription-based capability to tack on additional fringe benefits (for a cost, of course). For example, Zyxel’s USG line of small business security routers can pull definitions for antivirus scanning, spam filtering, and intrusion (hacking) prevention. For a mere $150-250 USD, small business customers can finally play with network security gear similar to what the big boys have had for years.

Some other popular choices on the market include Netgear’s ProSecure UTM line, SonicWall’s TZ series, and the WatchGuard Firebox XTM line. I tend to like Zyxel’s bang for the buck, but each manufacturer offers differing benefits. Be sure to do your research before purchasing any of these firewalls.

Use VLANs and Guest SSIDs to separate network access by devices

Most decent SOHO routers (and nearly any of the UTM devices recommended above) allow for the easy creation of VLANs to separate safe (internal) traffic from insecure (guest) traffic generated by employee and visitor smartphones, laptops, and so on. Many companies I work with go a step further and also introduce separate wireless SSID broadcasts to segregate WLAN traffic. This division of traffic keeps trojans and other roaming nasties on possibly-infected devices off the private internal network, while still providing necessary internet access for guests and their devices.

You can read further about the concept of VLAN segregation on Wikipedia.

Consider recommending a proxy server for your customers

Proxy servers still serve a valid purpose. If a small business you support is having a tough time with unregulated website access, a proxy server could be the difference between YouTube eating up all the bandwidth and business running smooth as silk. Sure, there are plenty of paid products out there, such as the Smoothwall line of appliances, but cheaper options exist.

I covered this dirty little secret in my article on refurbishing customer PCs into purpose-driven feats of magic. There are a bevy of freeware or open-source proxy server distributions out there. I covered IPCop in the aforementioned article, but Untangle is another wonderful option. That old Windows XP tower gathering dust could be easily transformed into a powerful proxy server at little to no cost for a customer. Talk about saving the day on the cheap!

Configure Posture Assessment functionality if available

Posture Assessment is a fancy term for something the enterprise IT world has been using for many years already, also known as Network Access Control (NAC). Many of the UTM devices I recommended above, like the Zyxel USG firewall routers, offer posture assessment capability. You know the saying “No shirt, No shoes, No service.” Well, PA is merely the network access equivalent.

You can configure the UTM device to require, for example, that any Windows 7 computer trying to get onto the internet over the company connection must have SP1 installed. Likewise, Vista systems could be asked to show proof of having SP2 before being allowed access. If they don’t meet the necessary requirements, the firewall can direct them to the proper place to download the necessary security updates.

Yes, these rules require some fine-tuned calibration to work properly, but I have implemented them at a few select locations with much success where infections commonly crawled in from guest devices. While they are not foolproof by any means, they do add an extra layer of security by keeping the worst security offenders at bay to a fair extent.
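How such a posture rule evaluates, as an added example that is not code from the article or from any vendor's firmware; the policy table, remediation URLs and device reports are constructed assumptions, and it generalizes the two rules in the text into a minimum-service-pack check that fails closed for operating systems the policy does not cover:

```python
# Added example (not the article's or any vendor's code): a minimal
# posture-assessment (NAC) evaluator for the rule described above. A device
# reports its OS and service pack; it is allowed when it meets the minimum
# for that OS, otherwise redirected. Policy, URLs and devices are constructed.
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    os_name: str          # OS the rule applies to, e.g. "Windows 7"
    min_sp: int           # lowest service pack level that is compliant
    remediation_url: str  # where a non-compliant device is sent

# Constructed policy mirroring the two examples given in the text.
POLICY = (
    Rule("Windows 7", 1, "http://updates.example/win7-sp1"),
    Rule("Windows Vista", 2, "http://updates.example/vista-sp2"),
)

def assess(os_name, sp_level, policy=POLICY):
    """Return (action, target): action is "allow", "redirect" or
    "quarantine"; target is the remediation URL for a redirect."""
    # A device that reports no service pack is scored as SP0, so omitting
    # the field cannot be used to slip past the check.
    reported = sp_level if sp_level is not None else 0
    for rule in policy:
        if rule.os_name == os_name:
            if reported >= rule.min_sp:
                return ("allow", None)
            return ("redirect", rule.remediation_url)
    # Fail closed: an OS the policy does not cover stays on the guest side.
    return ("quarantine", None)

def triage(reports, policy=POLICY):
    """Group (device_id, os_name, sp_level) reports by resulting action."""
    grouped = {"allow": [], "redirect": [], "quarantine": []}
    for device_id, os_name, sp_level in reports:
        grouped[assess(os_name, sp_level, policy)[0]].append(device_id)
    return grouped

# Constructed sample reports: (device id, reported OS, reported SP).
SAMPLE_REPORTS = [
    ("laptop-01", "Windows 7", 1),
    ("laptop-02", "Windows 7", 0),
    ("desk-03", "Windows Vista", 2),
    ("phone-04", "iOS", None),
]

if __name__ == "__main__":
    print(triage(SAMPLE_REPORTS))
```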

Don’t forget that solid HR policies on BYOD still work wonders

Not every technical problem needs a technical solution to be solved effectively. For a lot of small businesses I serve, helping owners work up a solid BYOD policy is usually as good as implementing any of the above technologies. As long as management follows through and enacts consequences, workers tend to abide. Technology shouldn’t be a band-aid in place of good human resource leadership; it should merely be there to supplement it.

Let’s be mindful that the BYOD landscape is still rapidly evolving, and it’s anyone’s guess what the office of the next five to seven years will resemble. Acting as a trusted technology liaison who recommends cost-effective solutions where HR needs a helping hand is exactly the position you should be exemplifying. My list of recommended options above is not exhaustive by any means – I merely described the most common technologies I’m implementing at customer sites. Mix and match my recommendations, and consider some of your own, when dealing with similar situations, and you will have more than a few tricks up your sleeve.

How do you handle BYOD and the risks it brings with your customers? What technologies do you turn to? Are there any suggestions I forgot in this article? Feel free to let us know in the comments area below!



Derrick Wlodarz

About the Author

Derrick Wlodarz is an IT Specialist who owns the Park Ridge, IL (USA) based technology consulting & service company FireLogic, with over 8 years of IT experience in the private and public sectors. He holds numerous technical credentials from Microsoft, Google, and CompTIA and specializes in consulting customers on growing hot technologies such as Office 365, Google Apps, and cloud hosted VoIP, among others. Derrick is an active member of CompTIA's Subject Matter Expert Technical Advisory Council, which shapes the future of CompTIA exams across the world. You can reach him directly at derrick@wlodarz.net.

Comments (10)

  • UprightTech says:

    I am configuring my first ZyXEL USG series appliance today (a USG 50). Will be installing it at the client later in the week. I have been hearing good things about them and decided to take the plunge and see how they work out. Glad to hear that you have been happy with them. I actually created a thread in the forums recently asking for opinions on ZyXEL products, specifically their UTM appliances. Some of your experiences/opinions would likely be a positive contribution to that thread (http://www.technibble.com/forums/showthread.php?t=44758).

  • Chris says:

    I have had overall good results with ZyXel USG except for when I had a client with 2 sites and the primary site had 2 WANs. There was a site-to-site VPN between the sites. I wanted it so that at the main site, if one internet connection failed, the VPN would roll over to the secondary WAN and, once the primary was back up, it would roll back. I worked with ~5 different techs on this at ZyXel and they all said it should work and they could never get it to work properly.

    • Steve says:

      The Watchguard XTM devices can do this – I’ve set it up at a couple sites, and it works seamlessly.

  • Derrick Wlodarz says:

    Chris,

    Site to site VPN with WAN rollover is difficult regardless of the vendor. My other colleagues in the industry have all confirmed the same thing at various times. I don’t think this is an issue specific to Zyxel but industry wide.

    I’m sure Cisco probably has expensive units that don’t have as many problems but when you compare the cost between Cisco gear and Zyxel products, Cisco stuff BETTER work right!

    For the value and quality of the gear Zyxel makes, I’ll take them any day over Cisco or similar high end network vendors. We use them exclusively for our site to site VPN between our main office and my home office and it never goes down. We’re using a Zyxel USG50 for our office, and a Zyxel USG20 for my home office. Awesome products. I’m already preparing to install (2) USG100 boxes for a business client in the next month or so.

  • Tony says:

    I don’t understand fully what you are talking about? BYOD? Nor the problem you are trying to solve? I guess I am stupid.

    • Bryce Whitty says:

      BYOD means Bring Your Own Device. Some medium to large businesses allow their employees to bring their OWN (not business provided) mobile phone (Android, iPhone, Blackberry whatever) to use with work.
      This is good because it’s cheaper for the business rather than handing out thousands of Blackberrys, plus people use the phone they want to use.
      If the business handed phones out (let’s say Androids), you could lock them down appropriately so they don’t present a security threat to the business. Maybe make it so people can’t install apps on the phone. These phones are safe to use inside the business network, handle business data etc..

      Now, BYOD is when people bring their own device (let’s say an iPhone) that is NOT locked down since it is their own personal device they purchased on their own dime. There may be an app on there that shares data (and thus confidential business data), maybe something badly written which takes too much network usage, maybe just Facebook so the person doesn’t actually do the work.

      These employee-bought devices can be a risk to the business and its IT infrastructure, but there are ways to limit/separate the devices from the main network, using VLANs, Proxies and whatnot.
      Basically, this article is about limiting the risks that these employee-brought devices present to a business.

      • Tony says:

        Thanks Bryce. I guess I had a brain fart…for some reason I was confusing myself with trying to equate it with a type of cheap RAID bunch of cheap drives….

        Now the article makes more sense to me.

  • Carpets Online says:

    Hello there, You’ve done a fantastic job. I