The BYOD effect: the security risks of using personal devices for work
The rise of smartphones and tablets has meant that productivity never needs to stop. Whether you're on a train, in a coffee shop or working from home, you can log on to your device, access the emails, systems and files you need, and get to work. The switch to remote working in 2020 means it's more important than ever that the workforce can work on a variety of devices; but using your own device, also known as Bring Your Own Device (BYOD), can pose serious risks to security that need to be addressed by IT teams.
In our recent survey of more than 200 IT decision makers, 56% said they felt personal device use has left them more vulnerable to a security breach.
But with remote working here to stay and BYOD a firm fixture in that, organisations need to assess the risks and take steps to mitigate them.
So, here's a round-up of the security risks of using personal devices for work and what can be done about them.
Loss and theft
Of course we all try to look after our personal devices, but we're only human; sometimes that iPhone gets left in a cafe, or your laptop gets left on a train. Or, if you're really unlucky, you might have your device stolen. However it happens, a device in the wrong hands can be a serious security risk to businesses. Personal devices used for work are, in effect, small computers holding valuable and sometimes sensitive company information. To mitigate the risks of a device being lost or stolen, companies need to ensure any device being used for work has adequate security settings, such as two-factor authentication for the apps and platforms housing company data, and procedures for lost devices, such as being able to remotely wipe a phone or laptop. Note that remote wipe only works for devices that were enrolled in a management tool before they went missing, and only if the device comes back online, so device encryption and a strong unlock code remain the last line of defence for data already on the device.
Because personal devices aren't part of a company's IT infrastructure, they aren't protected by the same controls that protect the rest of the network, even though they hold much of the same data. And by their very nature, personal devices are designed to be used on the go. It's one thing for an employee to work from their phone, tablet or personal laptop in their home office, but when that device is taken outside the home the risks increase further, whether through connecting to unsecured WiFi networks, being lost or stolen, or simply being read over the user's shoulder.
When an employee uses their personal device, they can access whatever they like on it: they can view any website and download any app, including apps that an organisation would normally restrict or block for security reasons and that might contain malware. And because staff are using their devices outside the office, it can be difficult to monitor which apps are being installed. For more on the risks of unsanctioned apps, read this blog.
If an employee is using their personal device to work, chances are they're outside the office, in a public place (or they were, pre-Covid anyway). This often means connecting to open WiFi, which can leave the device exposed to attackers, who are known to set up hotspots that dupe people into connecting. Once the user is on an attacker-controlled network, the attacker can intercept any unencrypted traffic and may be able to capture credentials, session details and browsing activity. Personal laptops in particular don't always have disk encryption enabled, meaning data on a lost or stolen device can be read directly. Robust security also relies on people running the current version of their software. When staff use corporate-issued devices in the office, updates are usually pushed for them; when working remotely on their own device, it's down to the user to keep on top of updates and new releases.
Tips for protecting against data loss when staff use personal devices
Where possible, organisations should expose the minimum services and data to staff using their own devices, by adjusting permissions or service access policies. Giving staff a remote view of information from their device (for example through a browser session or virtual desktop, rather than syncing files locally) is safer; it means that if the device is lost or stolen, the amount of data accessible on it is limited.
Taking a serious approach to user authentication can also help. Multifactor authentication (MFA) should be deployed alongside the usual corporate credentials such as passwords to access data. Staff should use a different password for unlocking their device than they do to access corporate data.
Risk-based authentication adds a further layer of protection for personal devices and BYOD users. This works on an "if-then" basis, granting or denying access based on contextual signals such as the type of device, whether it is managed, the location it is being used from, and other attributes of the request. If suspicious activity is identified, alerts can be raised and access restricted or stepped up to require MFA.
There's also no substitute for IT teams keeping their ear to the ground about the services and data being accessed by BYOD users. Keeping a record of IP addresses, logins, failed authentications and other requests can help identify behaviour that might compromise network security, such as a burst of failed logins for one account from an address the user has never used before.
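To make the two preceding points concrete, here is an added example, written for this article and not code from the original post or from Core, that scans a constructed authentication log for failed-login bursts and then makes an "if-then" risk-based access decision using those signals plus whether the device is managed and previously seen. The log format, field names, device inventory and thresholds are all assumptions chosen for illustration; a real deployment would take these from its identity provider's sign-in logs and its device-management inventory.

```python
"""Risk-based access decisions driven by an authentication log (illustrative)."""
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample log (not captured from any real system). One request per
# line: "timestamp user ip device_id result".
SAMPLE_LOG = """\
2021-02-01T08:00:12Z alice 203.0.113.10 dev-a1 success
2021-02-01T08:05:40Z alice 203.0.113.10 dev-a1 success
2021-02-01T09:15:02Z bob 198.51.100.7 dev-b9 success
2021-02-01T22:41:11Z alice 192.0.2.55 dev-zz fail
2021-02-01T22:41:19Z alice 192.0.2.55 dev-zz fail
2021-02-01T22:41:27Z alice 192.0.2.55 dev-zz fail
2021-02-01T22:41:35Z alice 192.0.2.55 dev-zz fail
2021-02-01T22:41:44Z alice 192.0.2.55 dev-zz fail
2021-02-01T22:41:52Z alice 192.0.2.55 dev-zz fail
"""

# Assumed device inventory: IDs the organisation has enrolled in management.
MANAGED_DEVICES = {"dev-a1", "dev-b9"}

# Assumed policy threshold: this many failures from one (user, ip) blocks access.
FAILED_AUTH_THRESHOLD = 5


@dataclass(frozen=True)
class AuthEvent:
    ts: str
    user: str
    ip: str
    device_id: str
    result: str


def parse_log(text):
    """Parse the space-separated log format above into AuthEvent records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, device_id, result = line.split()
        events.append(AuthEvent(ts, user, ip, device_id, result))
    return events


def failed_auth_counts(events):
    """Number of failed authentications per (user, ip) pair."""
    counts = defaultdict(int)
    for e in events:
        if e.result == "fail":
            counts[(e.user, e.ip)] += 1
    return dict(counts)


def seen_values(events, field):
    """Per user, the set of values of `field` seen on successful logins."""
    seen = defaultdict(set)
    for e in events:
        if e.result == "success":
            seen[e.user].add(getattr(e, field))
    return seen


def suspicious_sources(events, threshold=FAILED_AUTH_THRESHOLD):
    """(user, ip, failures) tuples at or above the threshold: material for alerts."""
    return sorted(
        (user, ip, n)
        for (user, ip), n in failed_auth_counts(events).items()
        if n >= threshold
    )


def decide_access(user, ip, device_id, history):
    """Return ('allow' | 'mfa' | 'deny', reasons) for a new request.

    Deny outright when the source has exceeded the failed-login threshold;
    otherwise step up to MFA when any contextual signal is unfamiliar, and
    allow silently only when device and location are both managed and known.
    """
    failures = failed_auth_counts(history).get((user, ip), 0)
    if failures >= FAILED_AUTH_THRESHOLD:
        return "deny", [f"{failures} failed logins for {user} from {ip}"]

    reasons = []
    if device_id not in MANAGED_DEVICES:
        reasons.append("unmanaged (personal) device")
    if device_id not in seen_values(history, "device_id").get(user, set()):
        reasons.append("device not previously seen for this user")
    if ip not in seen_values(history, "ip").get(user, set()):
        reasons.append("IP address not previously seen for this user")
    return ("mfa" if reasons else "allow"), reasons


if __name__ == "__main__":
    history = parse_log(SAMPLE_LOG)
    for alert in suspicious_sources(history):
        print("ALERT failed-login burst:", alert)
    for req in [("alice", "203.0.113.10", "dev-a1"),
                ("alice", "192.0.2.55", "dev-zz"),
                ("bob", "203.0.113.10", "dev-c3")]:
        print(req, "->", decide_access(*req, history))
```

The point of the structure is that the same stored signals (failed logins, IPs and devices per user) serve both the monitoring side (alerts) and the enforcement side (the access decision), so investigators and the policy engine are working from the same record.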
Finally, organisations should be aware of the risks of BYOD culture. While using personal devices to work can allow people to be more productive - and is especially important during the pandemic - the myriad risks to security it presents shouldn't be underestimated. Staff need to know this too. Have procedures and processes in place - and communicate them clearly - so that staff know what is expected of them when using their own devices to work, and what they can do to reduce security risks when doing so.
Core's security workshops are designed to help your organisation plan its security roadmap for the year ahead, which might look different now that we are working remotely.
We're also holding a webinar this February around security during remote working, looking at Data Loss Prevention and how to ensure secure and compliant collaboration within Microsoft Teams. Get more details and sign up for the event here.