By: Nihad Hassan
October 27, 2021
Risks From Bring Your Own Device
As digital technology continues to advance, the number of mobile computing devices keeps growing. According to Statista, the number of mobile devices in operation worldwide reached 15 billion in 2021 and is expected to reach 18.22 billion by 2025. People use them for most of their daily activities, including work tasks (scheduling meetings, checking email on the go, group chat, accessing work files remotely, etc.). Emerging technology such as 5G has further increased dependence on mobile devices, because its unprecedented speed makes transferring large volumes of data easy and quick.
In recent years, especially since the start of the COVID-19 pandemic, using personal computing devices for work has become common. Letting employees use their own devices in the workplace brings numerous advantages, such as:
- Increased employee productivity
- Increased work efficiency
- Savings on software license costs
- A reduced hardware and software purchase bill
- Lower costs associated with managing organization-owned computing devices
Bring Your Own Device (BYOD) is the practice of allowing employees to use their own computing devices, such as laptops, tablets, smartphones, and other mobile devices, at work or when working remotely (e.g., from home or on the go). Despite these apparent advantages, BYOD also introduces various security risks, which must be addressed properly to prevent malicious actors from exploiting them to gain unauthorized access to sensitive work resources.
This article will shed light on the most prominent threats and how to mitigate them, balancing a flexible working environment with security.
Top four threats of BYOD
Loss of employee-owned devices
Employees using their own mobile devices for corporate access are exposed to physical threats. For example, one user may leave a laptop on the bus or at the airport, while another may have it stolen. Either situation can end in unauthorized access to corporate data.
If you think losing mobile devices is not a serious problem for organizations of all types and sizes, consider the following statistics:
- 1 in 10 US smartphone users have been victims of phone theft.
- 70 million smartphones are lost each year, with only 7 percent recovered.
- 80 percent of the cost of a lost laptop is from a data breach.
To prevent sensitive information from being accessed on a lost device, the following security measures should be in place:
- Try to locate the device via GPS; this applies to smartphones, tablets, and some Internet of Things (IoT) devices that have a GPS sensor.
- Install an application that can lock the device remotely, preventing unauthorized users from accessing its data.
- Install a program on all employees' devices that remotely wipes sensitive data when a thief tries to access it. On a smartphone or tablet, the wipe can also be triggered by certain actions, such as changing the SIM card.
Keep in mind that these actions should be taken immediately after the missing device is reported, so a thief has as little time as possible to reach the stored data.
Aside from these precautions, encryption must be enforced on all employees' devices that have access to corporate resources. Encryption provides a strong layer of defense that prevents unauthorized users from reading protected information; full-disk encryption with BitLocker, available on most Windows editions, is one example of such a mechanism.
Malware infections
Malicious software has existed since the early days of the internet. That laptops and desktops get infected with malware is well known; however, less tech-savvy users may not realize that mobile devices such as smartphones have become an even more lucrative target for attackers. Users commonly install all kinds of applications on their smartphones from the internet, such as social, sports, and productivity apps. Cybercriminals hide malicious code inside seemingly legitimate applications and use social engineering tactics to trick users into installing them. Once installed, the malware gives the cybercriminal full access to the smartphone's data. Mobile malware is in some ways more dangerous than traditional malware: it can control the smartphone's camera and microphone and record the owner's physical movements by monitoring the device's GPS location.
To lower this threat, follow these steps:
- Develop a BYOD policy containing a list of allowed and disallowed applications that employees may install on their devices.
- Install security software on mobile devices and make sure it remains up to date.
- Use mobile application management (MAM) so your security team can manage all employee mobile devices used for work. MAM lets the security team configure the security settings of the mobile operating system and installed applications, so the company can ensure no risky applications are installed inadvertently. Popular MAM solutions include MaaS360 and Digital.ai App Management.
Use of cloud storage
Cloud storage offers a convenient way to access work files at any time and from any place, and giving remote employees access to data in the cloud avoids storing sensitive files on their own devices. However, using the cloud without a proper security policy can expose corporate data. To use the cloud safely, your organization should have a clear security policy regarding cloud access, in addition to the following:
- Use an Identity and Access Management (IAM) solution. It ensures all employees' cloud access credentials are managed centrally in a secure location. IAM is also used to track employees' access to protected resources, govern that access based on each user's identity, and enforce other security measures.
- Use encryption to protect cloud data; anything that goes to the cloud must be encrypted first.
- Do not allow sensitive work files to be stored in free cloud accounts. For example, some employees may use personal Google Drive or Dropbox accounts to store work documents. Instead, ensure employees use your private cloud.
Using different device types and OS versions
When allowing employees to use their own devices at work, we cannot expect all of them to use the same device type and operating system version. For example, not all employees will use Android on their smartphone, and those who do may not all run the same Android version (e.g., Android 8, 9, 10, etc.). Assessing the risk of employee devices therefore becomes challenging in such a diverse environment.
A BYOD policy should clearly define which types of devices are allowed, along with a list of approved operating systems. Specifying the technical details of the mobile OS and other installed applications is essential to prevent malicious actors from exploiting vulnerabilities in unsupported applications or operating systems. For example, a company may not allow a laptop running Windows 7, because Microsoft no longer supports it.
Another critical aspect of securing employee-owned devices is including them in the organization's overall patch management plan, so all employee-owned devices remain up to date, minimizing the window in which known vulnerabilities remain open.
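The policy points above (an approved OS list with minimum versions, a list of disallowed applications, mandatory encryption, and a patch-age limit) can be turned into an automated compliance gate that decides whether a device may reach corporate resources. The following is an added example written for this article, not code from the original or from any MAM product; the inventory records, their field names and the policy values are constructed assumptions standing in for what an MDM/MAM export would provide.

```python
"""BYOD device-compliance check (added example; the record format is an assumption)."""
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Set, Tuple


@dataclass
class Device:
    owner: str
    os_name: str
    os_version: str                 # dotted numeric string, e.g. "10.0.19044" or "13"
    encrypted: bool                 # full-disk encryption (e.g. BitLocker) enabled
    last_patch: date                # date the last security update was applied
    apps: List[str] = field(default_factory=list)


@dataclass
class Policy:
    min_os_version: Dict[str, str]  # os_name -> minimum approved version; unlisted OS = not approved
    denied_apps: Set[str]           # lowercase names of applications that must not be installed
    max_patch_age_days: int = 30
    require_encryption: bool = True


def version_tuple(v: str) -> Tuple[int, ...]:
    """Turn '10.0.19044' into (10, 0, 19044) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in v.split("."))


def evaluate(device: Device, policy: Policy, today: date) -> List[str]:
    """Return the list of policy violations for one device; an empty list means compliant."""
    findings: List[str] = []
    minimum = policy.min_os_version.get(device.os_name)
    if minimum is None:
        findings.append(f"OS not approved: {device.os_name}")
    elif version_tuple(device.os_version) < version_tuple(minimum):
        findings.append(f"{device.os_name} {device.os_version} is below minimum {minimum}")
    if policy.require_encryption and not device.encrypted:
        findings.append("full-disk encryption disabled")
    age = (today - device.last_patch).days
    if age > policy.max_patch_age_days:
        findings.append(f"last security patch is {age} days old (limit {policy.max_patch_age_days})")
    for app in device.apps:
        if app.lower() in policy.denied_apps:
            findings.append(f"disallowed application installed: {app}")
    return findings


def compliance_report(inventory: List[Device], policy: Policy, today: date) -> Dict[str, List[str]]:
    """Map each device owner to that device's violations."""
    return {d.owner: evaluate(d, policy, today) for d in inventory}


# Constructed sample policy: Windows 7 (kernel 6.1) is simply below the Windows minimum.
POLICY = Policy(
    min_os_version={"Windows": "10.0.19044", "Android": "11", "iOS": "15.0"},
    denied_apps={"randomcleaner", "freevpn"},
    max_patch_age_days=30,
)

# Constructed inventory records (not real people or devices).
INVENTORY = [
    Device("alice", "Windows", "10.0.19045", True, date(2021, 10, 20), ["Outlook"]),
    Device("bob", "Windows", "6.1.7601", False, date(2020, 1, 14), ["Outlook"]),
    Device("carol", "Android", "9", True, date(2021, 9, 1), ["Slack", "FreeVPN"]),
    Device("dave", "iOS", "15.0", True, date(2021, 10, 25), []),
]


def report_for_sample_day() -> Dict[str, List[str]]:
    """Run the constructed inventory against the policy as of the article's date."""
    return compliance_report(INVENTORY, POLICY, date(2021, 10, 27))


if __name__ == "__main__":
    for owner, findings in report_for_sample_day().items():
        status = "OK" if not findings else "BLOCK"
        print(f"{owner}: {status}", *findings, sep="\n  ")
```

An OS that is absent from the policy's approved list is rejected outright rather than treated as "unknown, allow", and versions are compared as numeric tuples so that "10.0.19045" is not judged older than "9" by string comparison. In practice the `Device` records would come from the MAM or MDM console rather than being hard-coded, and a device with any finding would be denied access until remediated.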
BYOD has become an essential component of digital transformation; most organizations allow BYOD in one way or another. As we saw in this article, BYOD provides numerous benefits to its adopters. However, its risks can almost outweigh its advantages. For example, BYOD significantly reduces the IT purchase bill, but if a data breach results from an unmanaged employee device, the fines imposed under regulations and standards such as GDPR and PCI DSS can be even more significant.