Whilst bring your own device (BYOD) policies have allowed startups to quickly scale without having to invest quite as much in computers for employees, the risks involved in allowing unchecked devices onto company systems are a major concern for IT departments. When employees use the same devices for work as they do at home, organizations open themselves up to threats that would otherwise be contained by their cybersecurity measures.
Outside of the office these devices are unprotected, let into the open and at risk from cyber-threats. It takes just one careless or unwitting employee to introduce dangers that can wreak havoc on an organization’s otherwise strong defences.
Now, these risks aren’t exclusive to BYOD, but such policies weaken otherwise robust security systems and, as such, must be taken into account. So let’s take a look at some of the most significant issues.
Threats arising from BYOD
The problem with BYOD is that you rely on employees keeping their devices secure and up to date, which many people just don’t do. Android devices can be encrypted very easily, for example, but most people don’t bother. It may not seem important at first, but a phishing attack could indeed target the physical device of a specific employee if the attacker is aware of lax security policies. Even theft of a device is a worry when employees are walking around with unsecured data in their pockets.
Physical access, however, plays a very small part in the many dangers presented by BYOD. Many people still click links in emails already marked as spam, which can quickly lead to compromised devices and data loss. Recent studies show that hospital employees still open one out of every seven phishing emails, despite the large number of hospitals that have fallen victim to ransomware attacks in recent years.
Furthermore, imagine the number of apps on an average person’s phone. It could be 20, or it could be 100+, each requiring permissions that could create a wide-open doorway to a company’s sensitive data. Compromised apps and major hacks go largely unnoticed by the general public, who seem to believe that it’s the developers’ problem. From the perspective of this article, that would be fine if it were only their data that was exposed as a consequence, but when they’re using vulnerable devices at work, the organization must respond quickly and decisively.
Theft, phishing and vulnerable apps are still just a drop in the ocean of countless potential problems that arise with BYOD policies, so let’s focus on what can be done to avoid devices becoming insecure in the first place.
BYOD threat prevention and countermeasures
The most effective method to reduce the risk of employees either facilitating a data breach through carelessness or introducing malware to company networks is education and discussion. If IT security is held as extremely important at a company, employees are more likely to consider the implications of how they use their devices when not at work.
Basic training should be made compulsory, even taking short courses online can help to instill a security focused mindset. Frequent refresher courses in end-user security, along with team sessions, can make a big difference in employee awareness where cybersecurity is concerned.
Alas, education alone isn’t enough. Just because you’re aware of a threat, doesn’t mean you won’t fall victim. Technological adaptations must be implemented to minimise risks further.
Setting clear boundaries helps a lot. A total ban on routing and jailbreaking employee devices will stop them becoming the easiest of targets that happens when removing the access limitations of a device’s operating system, and discouraging the use of Bluetooth, a notoriously insecure technology, can go some way towards keeping devices secure.
Thankfully more people are aware of the need for strong passwords nowadays (although uptake is woefully low), and there are many password management solutions available that allow access to those who need it to be shared or rescinded easily.
To mitigate individual risks from potentially compromised devices such as MITM attacks, even small offices should have hardware solutions in place such as an encrypted internet connection which can be achieved at a low cost with a security focused router such as those offered by Sabai Technology, along with a firewall and up-to-date firmware and anti-virus on all hardware.
At an individual level, employees should understand that leaving their WiFi on to automatically connect to any open network is a big no-no. The use of a mobile VPN can go some way towards reducing this threat but this really goes back to education and consideration.
Secure cloud storage should be an absolute must and all thumb drives destroyed. I say this because thumb drives are very rarely encrypted, yet very easy to lose. This is not a good combination, you don’t want a load of customer data being left in Starbucks. The problem doesn’t even end with potential loss, it’s easy to load malware onto a USB stick and just wait for someone to stick it into their laptop. In fact, the biggest ever US military breach happened just like that.
Finally, make sure all employees have up-to-date malware protection on their laptops (do this anyway, even if they don’t take them home), and enforce a strict download policy. Now, it may be unlikely that you’ll be able to stop all employees downloading pirated seasons of Game of Thrones, but you can have an IT person for them to run it by first. You really don’t want someone bringing malware into the office.
Employees bringing their own devices is inevitable for almost all businesses large and small nowadays. Mobiles are the most prevalent threat because they are carried around all the time, are not usually very well secured, and often automatically connect to any open WiFi network. However there is also major risk involved with allowing employees to take home a work laptop or bring their own laptop to the office to work from.
Education will help to prevent avoidable problems that come as a result of carelessness and ignorance, but only works if it is instilled as an important company value.