How nice is it to be able to access all of your business or client contacts, emails, calendar events, files, company resources, and network tools without having to maintain multiple devices? To be able to use your preferred device—one you’re accustomed to and likely more productive with—is a must. With the rise of hybrid and remote employees, bringing your own BYOD (Bring Your Own Device) to work has been a growing trend in business. It provides a certain level of convenience to employees.
Organizations are increasingly allowing employees to manage their own BYOD devices, such as laptops, tablets, and smartphones. In an enterprise culture that promotes or encourages the use of personal devices, there is an added risk to these businesses and their data assets that you should know about.
For a company to ensure the safety of its users and data, it needs to exert some control over BYOD devices. The first step to protecting the business and its data is to develop comprehensive security protocols, ensuring the safety of data assets across the entire organization. Information security policies are documented principles that govern an organization’s security practices.
All business decisions and security efforts should be based on the principles outlined in an information security policy. Not only should the policy explain the precautions employees should take with their personal devices, but what to do should there be a security breach.
If you’ve ever read a novel by Kevin Mitnick, you’ll learn that through the use of low-tech social engineering, people can often be the weakest point in even the most secure organizations. Learn how to educate your team, set clear security expectations, mitigate security vulnerabilities, respond to data breaches, and implement a comprehensive BYOD security policy.
What Are BYOD Devices?
BYOD (Bring Your Own Device) is any personal device, not issued by a company, that an employee may use to conduct business. The range of devices may include (but is not limited to) laptops, tablets, wearables, and IoT. Any one of these kinds of devices can pose security vulnerabilities to an organization’s data assets. BYOD security policies should be drafted to include all of these devices and outline usage requirements.
In some cases, a company may need to set restrictions on the types of devices employees can use for business purposes; this is called CYOD (Choose Your Own Device). In this case, the security policy should include such language and specific policies related to those approved devices.
On one end of the spectrum are personal computers as they are often the most vulnerable. Personal computers or laptops are subject to an employee’s own internet usage behaviors; including downloads, emails, and games. On the other hand, there are IoT devices that typically communicate wirelessly, enabling the use of automation in home and commercial tasks.
Transmitting sensor data one-directionally allows an ecosystem of connected devices to monitor and report data. Every type of connected device has its own set of security challenges that should be addressed in a BYOD security policy.
Risks of Bringing Your Own Device
There are a host of risks involved with a BYOD company culture. Understanding these risks to company data assets, customers, and employees can help organizations better prepare and take preventative measures. Below are some of the most pressing issues when it comes to BYOD vulnerabilities.
Unclear Security Expectations
Oftentimes humans are the first line of defense against cybersecurity threats. Putting the responsibility of information security in the hands of employees should come with education or training in the company’s security policies. Social engineering is a common attack where threat actors can manipulate employees into compromising their access to sensitive information, bypassing IT security measures. Giving employees the tools and knowledge to spot and combat these types of threats can save your organization potentially costly time and energy.
Phishing Attacks
Phishing is a form of social engineering to gain access to a computer or network of computers, for the purposes of stealing sensitive user data, login credentials, or credit card information. These threats usually come in the form of mass emails, instant messages, text messages, or phony customer support calls. The phishing victim often clicks a malicious link, prompting the user to unknowingly install malware on their computer. This malware is often used to steal data, freeze a computer until a ransom is paid, and even continue to send phishing emails from the infected system.
Phishing attacks are often used to gain access to corporate or government networks as a part of a larger attack. When an organization falls victim to a phishing attack, it typically suffers financial loss, possible loss in market share, reputation, and customer trust. In extreme cases, phishing can lead to an attack so devastating that the organization may never be able to recover.
Unsecured Networks
For hybrid, remote employees, and even employees who take their work home at the end of the day, there are significant security risks when using Wi-Fi outside the office. Employees using free Wi-Fi at coffee shops or public spaces should be using a VPN. Organizations can often provide their own VPN access to help ensure the safety of employees’ connections. If this is not an option, stress the importance of changing Wi-Fi network login credentials whenever possible. Never use default Wi-Fi equipment login credentials, as oftentimes these are easily guessable by someone with knowledge of the Wi-Fi equipment.
Common types of Wi-Fi attacks include “Snooping” and “Honeypots.” Anyone who connects to an unencrypted Wi-Fi access point is vulnerable to snooping attacks. Honeypots, on the other hand, are fake Wi-Fi hotspots that, when connected to, start monitoring the data packets sent or received from the vulnerable device. For the best protection against these types of attacks, be sure to only connect to trusted secure Wi-Fi hotspots or connect to your access point using a hardwired connection.
Malware
Not only can malware affect personal computers, but it can also wreak havoc on mobile devices. Most people never even know that their mobile device has been infected with malware. Due to the nature of mobile phones and apps, this malware can often gain access to device location data, contact information, and sensitive emails, and can even uninstall security applications.
BYOD Security Strategy
Clearly defined policies
While there is a variety of possible BYOD devices an employee may use, an organization should do its best to set forth a standard of data security best practices. A BYOD security policy should be concise and thorough, to remove any ambiguity in the security requirements of employees who use personal devices for business purposes.
Education
As employees are typically the first line of defense against cybersecurity threats, educating them is of the utmost importance. Whatever security practices your organization implements, be sure to stress the significance of those practices and educate them as to the possible outcomes and risks associated with not following the policies.
Data segregation
BYOD devices are subject to personal attacks; leading to the need for clear definitions of how and where to store different types of data. BYOD security policy should be strictly adhered to in all business applications and data storage, segregating organizational data from personal data, and preserving privacy.
Oversight
There are a couple of ways to define BYOD oversight security policies. Organizations can implement oversight practices such as real-time device monitoring, remote access, and device audits. This allows companies to ensure the integrity of the systems interacting with sensitive data assets. Organizations reserve the right to access and audit devices used to conduct business on their behalf, ensuring compliance with BYOD security policies.
Lost devices
A BYOD security policy should outline a plan of action for lost devices; clearly defining measures for remote wiping, locking, and/or locating lost devices. Employees should report any device used to conduct business when it is lost.
Encryption
Data encryption across all devices and connections should be mandatory. Sometimes a company will offer VPN access for employees working off-site. If it is not offered, there is a vast array of trusted VPN services to choose from. There is no excuse not to encrypt data, as it provides the best protection against data falling into the wrong hands.
Network security
Avoid snooping and honeypot Wi-Fi attacks by only connecting to trusted networks. Change default Wi-Fi equipment login credentials before conducting any business over a network. Always use a VPN, especially when connecting to a public Wi-Fi access point.
Creating a BYOD Security Policy
When developing your own policies and regulations, begin with the device. Be sure to include any and all devices that your organization will support with security protocols. Define responsibilities for the purchase of the device and any connection costs.
Define who owns the device and who is responsible for support. Depending on the level of control the organization needs to have over the device, it’s possible that IT may need to install monitoring applications and restrict user permissions on the device. An educated employee with a strong understanding of the organization’s BYOD security policies can sometimes be enough to allow an employee to self-govern their behavior while using their device.
Lastly, document exactly how BYOD devices are integrated into an organization’s workflow. There should be clear definitions of what applications are permitted and which ones are restricted. BYOD security policies should have clear outlines of roles and permissions as it relates to network access, by personal devices.