Nearly everyone has a smartphone and a laptop these days. With large portions of the workforce taking on hybrid or fully remote positions, many are using these devices to complete their work and access company data. This practice can save your organization when it comes to hardware costs… but is it worth the cybersecurity risk?
Bring-your-own-device (BYOD) programs have grown significantly in popularity in recent years. The BYOD & Mobile Security study by LinkedIn's Information Security Group and Crowd Research Partners found that cost isn't always the biggest motivator behind BYOD adoption, with security leaders citing the following motivations:
- Increased employee mobility (63 percent)
- Employee satisfaction (56 percent)
- Productivity (55 percent)
Despite the benefits, over one-third of security pros admit that their company's BYOD program imposes a major burden on their security resources, according to the same study.
BYOD Security Risks: Trends in BYOD
In many organizations, BYOD is a decision that's made for many reasons that have nothing to do with security. If you're at the helm of a program that allows, or is considering allowing, employees to use personal devices for work, you're probably concerned about the security risks.
Employees feel strongly about their work devices. According to one study, 89% of respondents stated they would take a pay cut to use a device of their choosing.
The increase in remote work following the pandemic lockdowns of early 2020 resulted in a comparable increase in BYOD. Though employees appreciate the option of using their own devices to complete their work, workers have concerns surrounding their own privacy. Employees want to know that their personal data is safe even when they are using their devices for work.
There are pros and cons to implementing BYOD in your organization. In this blog, you'll learn the difference between hype and reality in regard to current BYOD security fears and how to protect your organization.
1. Data Leakage
Regardless of whether your employees need to access their corporate email or protected payroll information via mobile, data leakage is a possibility when personal devices come into play. Data can be lost or exposed when devices are misplaced or stolen, or if a personally-owned device has malware on it. While cloud technology has mitigated most data loss due to device damage, security barriers and backups are crucial to a healthy BYOD program.
Ways to prevent data leakage include:
- Mobile device management: In case of loss or theft, an MDM program can enable IT to remotely "wipe" a device to ensure sensitive information is not exposed.
- Smarter data provisioning: Minimum necessary access is the smartest way to limit exposure. Role-based provisioning is optimal for security.
- The use of app segregation and/or a VPN: Segregation and VPNs prevent sensitive data from being leaked via sketchy public wireless hotspots, and can create barriers between personal and work content on a personal device.
- File integrity monitoring: Agent-based file integrity monitoring software that operates at the kernel level can notify IT the moment malware gains access to a device, allowing you to take action before it impacts your network.
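To make the file integrity monitoring item concrete, here is an added example (not from the original article and not CimTrak's code) of the core idea: record a trusted baseline of file hashes, then report anything added, removed or modified. It is a simplified user-space hash comparison rather than a kernel-level agent, and the file names and contents are constructed sample data.

```python
import hashlib
import os
import tempfile

def snapshot(root):
    """Map every file under root to the SHA-256 digest of its contents."""
    digests = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            digest = hashlib.sha256()
            with open(path, "rb") as handle:
                for chunk in iter(lambda: handle.read(65536), b""):
                    digest.update(chunk)
            digests[os.path.relpath(path, root)] = digest.hexdigest()
    return digests

def compare(baseline, current):
    """Report files added, removed or modified since the baseline."""
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
        "modified": sorted(p for p in baseline.keys() & current.keys()
                           if baseline[p] != current[p]),
    }

def write(root, name, data):
    """Create or overwrite a sample file with the given bytes."""
    with open(os.path.join(root, name), "wb") as handle:
        handle.write(data)

def demo():
    """Build a constructed directory, tamper with it, and return the drift."""
    with tempfile.TemporaryDirectory() as root:
        write(root, "app.conf", b"require_vpn=true\n")
        write(root, "hosts", b"127.0.0.1 localhost\n")
        baseline = snapshot(root)                        # trusted state
        write(root, "app.conf", b"require_vpn=false\n")  # setting weakened
        os.remove(os.path.join(root, "hosts"))           # file deleted
        write(root, "dropped.bin", b"\x00unexpected")    # new file appears
        return compare(baseline, snapshot(root))

if __name__ == "__main__":
    print(demo())
```

The baseline itself has to be stored somewhere the monitored device cannot rewrite, otherwise whoever changes the files can also change the record of what they should look like.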
2. Malicious Apps
Not all personal apps are what they appear to be, or have any business being on your end users' mobile devices. Some may remember the Pokémon Go craze that took over a few years ago. A large quantity of fake and malicious apps accompanied this craze. TechCrunch reports that some of the confirmed malicious apps included titles such as "Pokémon Go Ultimate," "Guide & Cheats for Pokémon GO," and "Install Pokémongo," in order to appeal to fans of the game.
In some cases, malicious apps have the potential to take control of the user's mobile device. This can result in surveillance, unexpected data or call charges, or loss of personal or work information. Your users need training on app best practices. This knowledge-based training should include the importance of only downloading content from app stores. In many cases, malicious mirror or personal apps are downloaded through web pages.
3. Device Management Challenges
With any mobile device, employee or company-owned, there are risks associated with a loss of control. When an endpoint walks out of your company's building, it can be difficult to control whether it's used on questionable free wireless connections or whether it will be misplaced or stolen.
Protecting mobile and laptop endpoints from exposure requires IT pros to focus on a mix of device security, layered protection, and smarter provisioning. Your team must also train end-users in the safe use of personal devices for business purposes.
Some management and training opportunities you should pursue to keep your company data safe include:
- Mobile device management: MDM allows IT to remotely control the content and security of an employee's device. When coupled with file integrity monitoring, IT pros can establish an optimal level of control.
- Enterprise App Stores: Providing employees with easy access to the right apps approved for business use can mitigate the risks of "shadow IT," or employees using apps outside approval or your VPN.
- Single Sign-On: A password-protected lock screen is likely not enough protection for endpoints. IT pros can enable smart user authentication without disrupting productivity by segregating and protecting your mobile apps via a single sign-on (SSO) requirement.
- Multi-Factor Authentication: MFA requires employees to verify their identities through a password and a second measure such as a mobile application. This measure helps ensure that only verified parties access your organizational data.
4. Device Infection
The vast majority of users with an infected smartphone don't know their device is carrying malware. Even more concerning, feelings of "app fatigue," or excess exposure to mobile content, can make users careless about mobile security. They may not read the terms of service on new apps or think twice before granting excessive permissions when downloading new content.
Outdated mobile operating systems can be a major risk factor, with some of the most vicious forms of malware primarily affecting outdated OSs. With any BYOD program, IT pros should ensure that mobile OSs are kept up to date. Even new OSs have vulnerabilities, so it's also crucial to use file integrity monitoring to immediately detect and act on device infection.
5. Insufficient Policies
It may be possible to attempt a BYOD program without effective security policies in place, but it's certainly risky. If your organization is required to comply with PCI DSS, HIPAA, or any other regulatory requirements, an effective policy is necessary to avoid fines.
With a combination of written policy and policy-based administration, IT pros should address each of the following:
- Passwords, lock screens, and single sign-on
- Network connectivity
- Required use of a VPN
- Real-time updates and patching
- Location tracking
- Mobile device management
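As an added example of policy-based administration (not from the original article), the sketch below turns several items from the list above into an automated access decision for a device inventory record, and also denies jailbroken devices. The field names, version minimums and 30-day patch window are hypothetical, and the records are constructed sample data.

```python
from datetime import date

# Hypothetical thresholds; set these from your own written BYOD policy.
MIN_OS = {"ios": (16, 0, 0), "android": (13, 0, 0)}
MAX_PATCH_AGE_DAYS = 30
REQUIRED_FLAGS = {
    "mdm_enrolled": "not enrolled in MDM",
    "screen_lock": "no password-protected lock screen",
    "sso_enforced": "work apps not behind single sign-on",
    "vpn_required": "VPN not enforced for work traffic",
}

def parse_version(text):
    """Turn '16.2' into (16, 2, 0) so versions compare numerically."""
    parts = [int(p) for p in text.split(".")][:3]
    return tuple(parts + [0] * (3 - len(parts)))

def evaluate(device, today):
    """Return an allow/deny decision with the reasons for any denial."""
    failures = [msg for flag, msg in REQUIRED_FLAGS.items()
                if device.get(flag) is not True]  # missing data fails closed
    if device.get("jailbroken") is not False:
        failures.append("jailbroken/rooted or integrity unknown")
    minimum = MIN_OS.get(device.get("platform"))
    if minimum is None:
        failures.append("unsupported platform")
    elif parse_version(device.get("os_version", "0")) < minimum:
        failures.append("operating system below minimum version")
    patched = device.get("last_patched")
    if patched is None or (today - date.fromisoformat(patched)).days > MAX_PATCH_AGE_DAYS:
        failures.append("patches older than policy allows")
    return {"id": device["id"], "allow": not failures, "failures": failures}

# Constructed sample inventory records (field names are hypothetical).
DEVICES = [
    {"id": "phone-01", "platform": "ios", "os_version": "16.2", "mdm_enrolled": True,
     "screen_lock": True, "sso_enforced": True, "vpn_required": True,
     "jailbroken": False, "last_patched": "2023-01-02"},
    {"id": "phone-02", "platform": "android", "os_version": "11", "mdm_enrolled": False,
     "screen_lock": True, "sso_enforced": True, "vpn_required": True,
     "jailbroken": True, "last_patched": "2022-06-01"},
]

if __name__ == "__main__":
    for record in DEVICES:
        print(evaluate(record, today=date(2023, 1, 12)))
```

Any attribute the inventory cannot confirm counts as a failure, so a device that stops reporting loses access rather than keeping it by default.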
6. Mixing Personal and Business Use
With BYOD, mixing business and personal use is inevitable. You can't control whether your employees decide to shop online at compromised websites or whether they will misplace a device. While you can educate heavily on security best practices, you can't guarantee that your employees won't loan their devices to a friend or use public wireless connections to save data.
Security teams should plan to control for personal use, including times when employees don't follow best practices. The smartest methods of protection against employee behavior likely include:
- App segregation: Creating a strong barrier between personal and business use of the device can prevent accidental access to work data.
- Use of a VPN: A VPN can protect communications from interception, even if employees are trying to use a coffee shop's wireless network.
- File integrity monitoring: IT pros can gain visibility into negative changes to critical system files or security settings, allowing them to act immediately.
7. Inability to Control Devices
What if an employee leaves the organization? In many BYOD programs, the majority of the security stress comes from a lack of control around devices. Employees are not always careful, and disgruntled staff can do a lot of damage with too much access.
Mobile device management and smarter access governance are important. If an employee is terminated or begins exhibiting questionable behaviors, policy should support your ability to immediately revoke access to sensitive data before it's leaked.
8. Lost or Stolen Devices
Lastly, you must consider what happens if an employee loses their mobile device. According to one survey, sixty-eight percent of healthcare data breaches happened due to the loss or theft of an employee device or file.
Train employees to protect their devices with passwords or biometric security measures. This way, even if a thief gets their hands on an employee’s device, they will not be able to access the data.
Is BYOD Security Possible?
Bring-your-own-device security isn't simple.
Yes, it's much easier to exert control over company-owned mobile devices, especially if your employees are all using a uniform model and operating system. However, BYOD security is possible with the right tools to assess security and detect compromises.
In addition to best technical practices like the use of a VPN, an SSO, and an MDM, security teams need tools for assessing device integrity, especially as new employee-owned devices are brought onto your company's network. Mobile has some inherent risks, but allowing an employee to use a jailbroken device for work can mean that built-in security measures are effectively null.
Your organization needs the ability to monitor employee-owned devices at the device level from the moment they're provided with access to your company data and every minute of the time they're used for work or personal activities off-site.
Overcoming BYOD Security Risks
CimTrak is a solution for total compliance and security, even within the complex situations that BYOD policies can create. Your employees need mobile access 24/7. With agent-based file integrity monitoring, CimTrak enables security administrators to receive real-time alerts about negative changes at the device level. With one easy-to-use tool, you can enable integrity monitoring, the full ability to remediate negative changes, and auditing capabilities.
January 12, 2023