It was assumed by many the debate around Bring Your Own Device (BYOD) had ended in stalemate some time ago, with employees and security teams agreeing to disagree on its implications for malware infiltration, account compromise, data loss and a whole plethora of other issues, in light of the benefits and often the necessity of allowing users choice and flexibility of device.
Remote working may not be a new topic, but the pandemic has given the debate fresh impetus because of the spike in volume of privately-owned smartphones, laptops and tablets being used to access corporate environments and data. Some employees will make a full or partial return to office working, but it is now realistic to consider that the majority of employees will not be working regularly in an office; wherever the employee is working from, BYOD isn’t going away…
BYOD, What’s the risk
In terms of scale, BYOD is ubiquitous. Research has shown that 87% of companies expect employees to use their smartphone for work, for example. With around three billion people in the global workforce, the attack surface is vast.
The specific issues from BYOD originate from two related risk points.
First, there is the unintentional threat from employees themselves. Often devices are not configured with security in mind and lack appropriate technical countermeasures and security hygiene.
This can be anything from running outdated or insufficient endpoint protection software, to using unpatched operating systems. Consumer devices are rarely subject to the type of rigour of those owned by large organisations and many employees won’t be aware of the risk this presents.
The user is also distracted by a dangerous blended work / home mindset which can all too easily lead to the sharing of work information over consumer channels, as well as increasing the chances of social engineering.
For example, our own research found that 22% of people have shared work documents over personal channels such as WhatsApp and Facebook. Both are built to make it easy to disseminate information to large groups of people, the opposite of what is required to protect corporate information.
On the opposite end of the scale, there is the more explicitly malicious threat from targeted attacks which originate on consumer devices and then move to the corporate IT estate. For example, information harvesting malware which infects a home device can eventually manage to burrow into a corporate network, when connected.
With so much personal information now online, it is easy for a determined attacker to build a target list of people at companies who embrace BYOD, or consultants with their own devices, both of whom are vulnerable to attack.
Once this information is known, it is simply the case of refining a targeted approach. This will typically start with an innocuous phishing email attempting to trick a user into visiting an illicit site which will attempt to install malware or steal login credentials for cloud services such as Microsoft 365.
Reinforce a strong BYOD policy
Regardless of where employees are, and what device they are using, a centrally managed solution, born in the cloud, can offer rapid roll-out and immediate protection through endpoint agents or gateways; lockdown or no lockdown.
Given the plethora of issues that can arise from BYOD, there are a variety of defensive technologies, many of which can be combined in a progressive integrated solution.
Adaptive Multi-Factor Authentication (MFA) should be the first point of call for any organisation looking to ensure a solid defence against the problem of a remote workforce logging into corporate networks, applications and systems from a variety of devices.
MFA will mitigate the risk associated with password re-use across the array of applications the modern employee needs access to. It will also ensure that if an attacker does manage to acquire access to credentials maliciously, these cannot be used to gain unauthorised access to accounts.
The success of the deployment of any MFA technology, however, will live or die on ensuring a consistent and seamless experience for the employee, regardless of device. This means making sure any solution deployed delivers the second factor (such as a One Time Passcode) in a way the user is familiar with, using email, SMS, or a mobile app.
This should be combined with web security and cloud application security (CASB) to ensure granular visibility and management of user actions By reducing risk from the destinations an employee visits online and the actions they take while inside cloud applications, exposure of sensitive data can be minimised.
For more information on how security teams can minimise the risk from BYOD devices and the merits of MFA visit our Secure Authentication page.