As personal devices within corporate networks make for a potentially combustible mix, a cavalier approach to BYOD security won’t cut it
06 Feb 2024
6 min. read
Since it helped organizations ride out the disruption wrought by the pandemic, remote work (that later often morphed into hybrid work) has cemented its staying power. With the boundaries between work and home becoming blurrier than ever, many people want, or indeed need, to access work resources not only from any location and at any hour, but also from any device – enter the use of personal devices to complete work and access corporate data.
On the flip side, the use of personal devices for work, be it exclusively or along with employer-issued devices, comes with increased cybersecurity risks, even more so if it’s not supported by robust security practices and precautions. While concerns around bring-your-own-device (BYOD) arrangements are by no means new, the increased reliance on personal devices for work has breathed new life into the potentially daunting challenges of securing corporate data and necessitated a re-evaluation and adjustment of existing policies to accommodate the evolving work environment.
So how can employees and organizations mitigate the cyber-risks associated with employee-owned devices and help avoid jeopardizing corporate data and the data of their customers? While there is no ‘one size fits all’ solution, a few measures will go a long way to shielding companies from harm.
Reduce the corporate attack surface
Employee use of devices outside of the purview of IT can, particularly if left unchecked, become a major threat to corporate data. In an era where bad actors constantly look for chinks in companies’ armor, limiting the number of such potential entry points is a no-brainer. Importantly, then, organizations need to take inventory of every device accessing their networks, as well as set security standards and configurations that employee devices must meet to ensure a baseline level of protection.
Unsanctioned apps and other software on employee-owned devices are a common example of the risk that shadow IT as a whole poses to the integrity, availability and confidentiality of corporate data and systems. To thwart unregulated third-party access to sensitive data, organizations can benefit from creating a ‘barrier’ between personal and work-related information on the devices and enforcing application blacklisting (or whitelisting) controls. There are also other ways of keeping employee-owned devices under control with the help of dedicated mobile device management software, which brings us to the next point.
Update software and operating systems
The importance of installing security updates to patch known vulnerabilities in a timely fashion cannot be overstated, as hardly a day goes by without news of discoveries of new vulnerabilities in widely used software.
Ensuring that employees work on updated devices is certainly easier when they use company-issued laptops and smartphones and can rely on support from the IT department that stays on top of and installs software updates on their machines soon after they are released. Many businesses these days tap into device management software to help not just with installing updates on employees’ devices, but with general tightening of their security.
If the task of keeping software on their devices up-to-date does fall to the employees themselves, organizations can, at the very least, be diligent when it comes to reminding their employees that patches are available, providing them with how-to guides for applying the updates, and monitoring progress.
Establish a secure connection
If a remote employee needs to access the organization’s network, the organization needs to be aware of this. Remote workers may use not just their home Wi-Fi networks, but also public Wi-Fi networks. In either scenario, a properly configured virtual private network (VPN) that lets remote workers access corporate resources as if they were sitting in the office is an easy way of reducing the organization’s exposure to weaknesses that could otherwise be exploited by cybercriminals.
Another way of enabling remote connectivity into an organization’s IT environment is through Remote Desktop Protocol (RDP). When a large part of the world’s population switched to working from home, the number of RDP connections rose sharply – and so did attacks against RDP endpoints. There were a good many instances of attackers finding ways to exploit poorly configured RDP settings or weak passwords in order to gain access to company networks. A successful cybercriminal can use these openings to siphon off intellectual property, encrypt and hold all corporate files for ransom, trick an accounting department into wiring money to accounts under their control, or wreak havoc on the company’s data backups.
The good news is that there are many ways to protect against RDP-borne attacks. RDP access needs to be configured properly, including by disabling internet-facing RDP and requiring strong and complex passwords for all accounts that can be logged into via RDP. There’s more to proper RDP configuration, and our recent paper has you covered:
Protect crown jewels
Storing confidential corporate data on a personal device clearly poses a risk, especially if the device is lost or stolen and isn’t password-protected and its hard drive isn’t encrypted. Much the same goes for letting someone else use the device. Even if it’s “just” a family member, this practice can still lead to the compromise of the company’s crown jewels, regardless of whether the data is stored locally or, as is common in the work-from-anywhere era, in the cloud.
A few simple measures – such as making strong password protection and auto-locking a requirement and teaching employees about the need to prevent anyone else from using the device – will go a long way towards shielding the company’s data from harm.
In order to limit the risk that confidential information is accessed by unauthorized people, organizations should encrypt sensitive data both in transit and at rest, implement multi-factor authentication, and secure network connections.
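The device baseline discussed under “Reduce the corporate attack surface” and in this section (encryption at rest, auto-locking, timely patching, an application allowlist, no internet-facing RDP) as an added Python example that is not from the article; the thresholds, the allowlist and the inventory records are constructed assumptions for illustration.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

# Baseline thresholds and allowlist are illustrative assumptions, not the article's.
MAX_PATCH_AGE_DAYS = 30
MAX_AUTO_LOCK_SECONDS = 300
ALLOWED_APPS = {"corp-mail", "corp-vpn", "corp-meet"}  # hypothetical app allowlist
TODAY = date(2024, 2, 6)  # pinned so the patch-age check is reproducible offline

@dataclass
class Device:
    owner: str
    disk_encrypted: bool
    auto_lock_seconds: Optional[int]  # None means no auto-lock configured
    last_patch: date
    apps: set = field(default_factory=set)
    rdp_exposed: bool = False  # True if RDP is reachable from the internet

def check_device(d: Device) -> list:
    """Return the baseline violations for one device (empty list = compliant)."""
    findings = []
    if not d.disk_encrypted:
        findings.append("disk not encrypted")
    if d.auto_lock_seconds is None or d.auto_lock_seconds > MAX_AUTO_LOCK_SECONDS:
        findings.append("auto-lock missing or longer than %ds" % MAX_AUTO_LOCK_SECONDS)
    if (TODAY - d.last_patch).days > MAX_PATCH_AGE_DAYS:
        findings.append("patches older than %d days" % MAX_PATCH_AGE_DAYS)
    unsanctioned = sorted(d.apps - ALLOWED_APPS)
    if unsanctioned:
        findings.append("unsanctioned apps: " + ", ".join(unsanctioned))
    if d.rdp_exposed:
        findings.append("internet-facing RDP enabled")
    return findings

def triage(devices) -> dict:
    """Map each owner to that device's findings; admins act on non-empty entries."""
    return {d.owner: check_device(d) for d in devices}

# Constructed sample inventory: one compliant device, one with several gaps.
INVENTORY = [
    Device("alice", True, 120, date(2024, 1, 28), {"corp-mail", "corp-vpn"}),
    Device("bob", False, None, date(2023, 11, 1),
           {"corp-mail", "torrent-client"}, rdp_exposed=True),
]

if __name__ == "__main__":
    for owner, findings in triage(INVENTORY).items():
        print(owner, "compliant" if not findings else "; ".join(findings))
```

In practice the inventory records would come from the mobile device management tooling the article mentions rather than being hard-coded.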
Videoconferencing services experienced a boom thanks to the pandemic as all meetings that were originally in-person moved to the virtual world. Organizations should create guidelines for using videoconferencing services, such as which software to use and how to secure the connection.
More specifically, it is advisable to use software that comes complete with robust security features, including end-to-end encryption and password protection for calls, that will shield confidential data from prying eyes. Needless to say, videoconferencing software needs to be kept up-to-date with the latest security updates to ensure that any software loopholes are plugged post-haste.
Software and people
We would be remiss in not mentioning that forgoing reputable multilayered security software on devices that have access to corporate systems is a recipe for disaster. Such software – especially if managed by the company’s security or IT team – can save everybody many headaches and, ultimately, time and money. Among other things, this can provide safeguards against the most recent malware threats, secure corporate data even if the device is misplaced and, ultimately, help system administrators keep the devices compliant with the company’s security policies.
Ensuring that devices and data are backed up regularly (and testing the backups) and providing security awareness training to the staff are other no-brainers – the technical controls wouldn’t be complete if employees didn’t understand the heightened risks that come with the use of personal devices for work.