A cryptocurrency exchange suffered a data leak of 30,000 customers’ personal information when an employee’s personal computer was hacked. This case highlights the risk employers take when employees use their personal devices for official purposes. Is it wise to Bring Your Own Device to work? Or rather, should organisations allow employees to use their own devices for work?
The question is largely moot. Mobile devices, typically phones but also tablets and even laptops, have made mobile workers more productive (37-81 minutes per week), and organisations that don’t wish to provide such devices, or the associated training, for their employees embrace BYOD because they gain the productivity while avoiding the cost of the device – a win-win. Employees also prefer using a device they are familiar with.
It’s a marriage of convenience and cost savings. That’s why the BYOD market, valued at $94.2 Billion in 2018, is expected to reach $337.5 Billion by 2025.
Who doesn’t like BYOD? Anyone responsible for IT security. If you’re reading this, that’s most probably you.
Why BYOD Will Give You Sleepless Nights
You most probably already know why you have cyberthreat induced insomnia, but let’s recap:
- The Device’s Security Status is Unknown – Manufacturers may not provide timely (or even any) updates, leaving the device, user, and data highly vulnerable to attack
- Users May Install Dubious Apps – Phone users may install apps without checking reviews, what permission they ask for, and what other services they integrate with
- Personal Cloud Storage Can Be Used for Business Data – Data sovereignty and confidentiality can be difficult to enforce as the terms and conditions of such cloud service providers are unknown
- Use of Accessories Cannot Be Controlled – USB ports are fully functional when employees use their personal laptops or phones that support USB OTG, allowing storage media to connect and transfer data
- The Device is Physically Vulnerable – A laptop, phone, or even thumb drive can be misplaced or stolen
An attack surface like that is the stuff of nightmares. Simply put, BYOD leaves you open to a cyber incident at any time, anywhere.
How to have BYOD and Sleep Peacefully
It would be easy to say that BYOD is not for the enterprise, but that isn’t a practical approach. BYOD, in varying degrees, is here to stay, and a risk mitigation strategy is essential.
This is how you can have BYOD and cybersecurity too:
- Create a Comprehensive BYOD Policy – Putting it down on paper avoids users misunderstanding what is permitted, and who is responsible for what. Compliance with the policy should be mandatory and it needs to be understood, including penalties for non-compliance, and signed by everyone who wishes to use their personal device for work. This is a good starting point for what your policy should cover
- Define a Minimum Viable Device – Older devices with outdated or unpatched operating systems that are riddled with vulnerabilities shouldn’t be eligible for BYOD
- Lay Down a Tough Password Requirement – An employee’s phone or laptop that is used for work should have password requirements as stringent as those on a company-issued laptop, because it is used for the same purpose and handles the same data
- Enable Account Lockout – A maximum number of login attempts after which an account is locked should be defined to protect against brute force password cracking
- Restrict Application Installation – Users should accept some restrictions on how they use their devices, such as not installing apps from 3rd party app stores or only installing whitelisted apps
- Enable Device Locator, Remote Wipe – To prevent a missing device being compromised, the ability to locate the device should be enabled along with the ability to remote wipe all the data on the device. Employees should understand that they run the risk of their personal data being wiped off their device when they opt for BYOD
- Encrypt and Backup Device Data – Device encryption should be enabled to protect the data on the device if it is stolen. Data on the device should also be backed up in case it is damaged by a virus or encrypted by ransomware
- Use Antimalware – Even a phone can be infected with viruses or other malware. Implementing effective malware protection should be mandatory for all devices
- Revoke on User Exit – When a user leaves your organisation, confidential data should be removed from the device and the ability to sign into company networks or accounts from the device should also be removed
- Implement Mobile Device Management – A larger organisation with many users opting for BYOD may wish to implement Mobile Device Management (MDM) which makes it easier to manage, control, and secure mobile devices and corporate data
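As an added example (not from this article or any particular MDM product), the following Python check turns the eligibility items above into a posture evaluation that an onboarding script or MDM compliance rule could run against what a device reports; the OS floors, patch age, passcode length and lockout threshold are assumed values to tune to your own policy.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional

# Threshold values below are assumptions for illustration, not figures from the article.
MIN_OS_VERSION = {"android": (13, 0), "ios": (16, 0), "windows": (10, 0), "macos": (13, 0)}
MAX_PATCH_AGE_DAYS = 90    # minimum viable device: vendor must still be shipping patches
MIN_PASSCODE_LENGTH = 8    # tough password requirement
MAX_FAILED_LOGINS = 10     # account lockout threshold

@dataclass
class DevicePosture:
    """Attributes an MDM agent or enrolment script would typically report."""
    platform: str
    os_version: tuple                 # e.g. (14, 0)
    last_security_patch: str          # ISO date, e.g. "2024-04-15"
    passcode_length: int
    lockout_after: Optional[int]      # failed attempts before lockout; None = disabled
    disk_encrypted: bool
    locator_and_wipe_enabled: bool
    antimalware_installed: bool
    third_party_store_apps: List[str] = field(default_factory=list)

def evaluate(device: DevicePosture, today: str) -> List[str]:
    """Return the policy items the device fails; an empty list means it is eligible."""
    findings = []
    floor = MIN_OS_VERSION.get(device.platform.lower())
    if floor is None or tuple(device.os_version) < floor:
        findings.append("minimum viable device: unsupported platform or OS version too old")
    patch_age = (date.fromisoformat(today) - date.fromisoformat(device.last_security_patch)).days
    if patch_age > MAX_PATCH_AGE_DAYS:
        findings.append(f"minimum viable device: last security patch is {patch_age} days old")
    if device.passcode_length < MIN_PASSCODE_LENGTH:
        findings.append(f"password requirement: passcode shorter than {MIN_PASSCODE_LENGTH} characters")
    if device.lockout_after is None or device.lockout_after > MAX_FAILED_LOGINS:
        findings.append(f"account lockout: disabled or allows more than {MAX_FAILED_LOGINS} attempts")
    if device.third_party_store_apps:
        findings.append("application restriction: third-party store apps: " + ", ".join(device.third_party_store_apps))
    if not device.locator_and_wipe_enabled:
        findings.append("device locator / remote wipe: not enabled")
    if not device.disk_encrypted:
        findings.append("encryption: device storage is not encrypted")
    if not device.antimalware_installed:
        findings.append("antimalware: no protection installed")
    return findings

def is_eligible(device: DevicePosture, today: str) -> bool:
    return not evaluate(device, today)
```

A device that fails any item is refused enrolment (or quarantined) until the finding is fixed, which is also a convenient place to log why.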
BYOD will always carry an element of risk for the employer, but these steps help reduce the risk. Reach out to us if you need assistance with implementing secure BYOD in your organisation. We’ll be glad to help.