Updated: Apr 14
Have you ever heard of the ‘Bring Your Own Device’ (BYOD) policy? It is a policy under which organizations allow employees to carry out official duties and access company information using their personal devices. This includes bringing those devices into the workplace and working on them from home. Sounds familiar?
It is a popular practice: about 59% of organizations allow it. As of September 2020, TechJury had some interesting BYOD statistics; you can view them here. Due to the COVID-19 pandemic, it also now appears to be a practice that will not be going away any time soon. Organizations are especially drawn to this policy because, according to an article on staffbase.com, it not only increases employee productivity but also avoids the enormous cost that would be incurred should a company buy workplace devices (mobile phones and PCs) for all of its employees.
As reasonable as the advantages of BYOD are, the policy is not without its challenges; security challenges, to be exact. And with the pandemic now forcing most of the world’s workforce to work from home, BYOD has become more widespread, and even more dangerous.
CYBERSECURITY RISKS OF BYOD
According to Cimcor, when organizations decide to adopt BYOD policies, most of them are not thinking ‘security’ in that moment. The decision is mostly driven by a desire to increase productivity and cut costs. However, not thinking about the risks does not make them go away. In fact, BYOD puts the Confidentiality and Integrity of an organization’s data at considerable risk, threatening two of the three pillars of the CIA security triad. Some of these risk factors include:
a. Third-Party and Pirated Applications
From third-party apps granted excessive read/write permissions on a user’s device, to modified APKs, to pirated PC software: these are some of the many avenues through which sensitive data gets compromised.
Most enterprise apps (such as Microsoft and Adobe products) require paid licences, which users shy away from. If an organization does not make these resources available, users end up going for free pirated versions, which are easily obtainable. Beyond the data breaches and data modification that can result from employees using pirated software to access sensitive company information, organizations also risk legal fines when they are associated with piracy. This blog post explores the dangers of software piracy in depth.
b. Rooted Mobile Devices
Rooting (on Android) or jailbreaking (on iOS) a phone means bypassing the restrictions and limitations that the manufacturer placed on the device. It gives the user unrestricted modification and configuration access to the device.
Some of the security implications of jailbreaking or rooting: such devices often cannot install official software updates, protections like app sandboxing and verified boot are weakened, and any malware that lands on the device can run with elevated privileges, so susceptibility to viruses and other malware increases. Sensitive files accessed on a rooted device should therefore be treated as if they were already public.
c. Unsupervised Child Access to Devices
One thing the pandemic has certainly brought is increased screen time for kids. This is partly a result of virtual schooling, but mostly because it is the safest way for kids to have some form of human interaction. Digital devices are now also the new baby-sitters, because they keep the little ones engaged long enough for the parents to get some work done.
It is therefore not uncommon for adults to hand over their devices to kids to play with. Noble and convenient as the gesture is, it is not at all secure. Kids’ lack of cyber awareness can easily lead to drive-by downloads, which can result in virus infections, ransomware attacks, etc. on a device that also holds company data.
d. Use of Insecure or Public WiFi
Whether a user’s device was compromised because they constantly work from a coffee shop on its WiFi, or their home network was compromised because they never changed the default username and password on their router, it is never a good thing when an organization’s data is accessed over an insecure network. It is one of the many well-known recipes for a data breach.
e. Poor Security Awareness/Hygiene
According to an article by ZDNet, human error is reportedly responsible for the worst data breaches. This means that no matter how good your technical defenses are as an organization, you are only as secure as your most insecure human link!
It does not matter if an organization has the best data protection policies around; its cybersecurity is basically non-existent if it also has a BYOD policy and its employees frequently visit insecure websites, have poor password practices, do not use Multi-Factor Authentication (MFA), cannot recognize a phishing email, etc.
MITIGATING BYOD RISKS
The good news is, BYOD is not hopeless and can actually be a great asset if managed properly. Below are some ways organizations can best handle BYOD and remote-worker policies.
a. Employ the use of File Integrity Monitoring software
File Integrity Monitoring (FIM) software regularly checks system files and their state (contents, size, permissions) and compares them against a previously recorded baseline. It is designed to raise an alert the moment an unauthorized or unusual change is detected. So if a device is infected with malware that alters system or application files, FIM can detect the change in a timely fashion and alert you so you can handle it before it negatively impacts your network. Note that FIM is a detective control, not a preventive one: it tells you that something changed, so someone still has to act on the alert. Organizations should invest in FIM software in order to effectively monitor all devices that touch the network.
b. Protect all Enterprise Apps with Single-Sign-On (SSO) feature
A crucial benefit of SSO, according to Cisco, is that companies deal with fewer help desk requests for things such as password resets and lost passwords, eliminating non-productive tasks while saving support cost. From a security standpoint it also centralizes authentication: MFA and password policy are enforced in one place, and when an employee leaves, their access to every connected app can be revoked at once instead of app by app.
c. Use of Mobile Device Management solutions
Organizations can use Mobile Device Management (MDM) solutions to remotely monitor and enforce the security posture of an employee’s device (for example, requiring a screen lock, encryption and current updates). When coupled with FIM software, an optimal level of control can be established. If an employee’s device gets lost, stolen or compromised, MDM can also be used to wipe it remotely; on a personal device, a selective wipe that removes only corporate data and accounts is usually preferable to a full factory reset.
d. Consistent and Relevant Staff Training
Untrained employees can be the worst insider threat an organization faces. Some things to cover when organizing employee awareness training:
i. How to recognize phishing and other social engineering threats.
ii. Good password practices, and enforcing the use of password managers.
iii. How to maintain staff values and attitudes that align with the organization’s mission and ethics.
iv. Enforcing the use of VPNs and regular data backups.
v. Downloading apps only from official app stores, never from third-party websites or randomly distributed APKs.
vi. Sending regular email reminders with cyber hygiene tips on how to stay safe online.
Are you a manager or owner of an organization with a BYOD policy? Well, now you have a few more tricks up your sleeve!