Over the past few years, bring your own device (BYOD) programs have increased in popularity as organizations aim to increase employee mobility. In 2018, some sources suggest that 45% of UK businesses allowed employees to use their own devices. As BYOD programs become more common, companies who implement official BYOD policies need to better understand the inherent risks and how to mitigate them.
Organizations need to recognize that despite policies that are in place, IT workarounds and business communications will likely occur on personal devices. This is even more probable during the coronavirus pandemic, when employees are working remotely and adapting to new IT systems. Large scale remote work has resulted in more relaxed rules (or less direct oversight of rules) concerning certain devices including personal laptops, thumb drives and printers. As a result, understanding cyber risk associated with BYOD has seldom been of greater importance.
Lack of separation between personal and corporate data and increased chance of data leakage
- Ideally, entirely separate devices should exist for corporate and personal data. However, most organizations that did not follow a policy of issuing employees separate corporate devices prior to the coronavirus outbreak are highly unlikely to incur the costs of doing so now. Hence, employees will use personal devices for company work if corporate devices are unavailable, or even if they possess significantly slower connection speeds.
- As a result, there is an increased risk of data leakage particularly if personal devices are shared between family members or insecure network connections are being used. This risk increases further given the sheer number of employees using personal laptops, and the fact that it is particularly difficult to monitor which files are transferred to thumb drives or sent to printers while people are working remotely.
- Furthermore, it becomes very challenging to separate personal and corporate data since there is no clear partition that exists between the two on the same device, especially if users enable (commonly used) features such as cloud backups. This lack of separation becomes particularly problematic in the context of litigation involving an individual’s organization. Here, employees may be obliged to hand over their personal devices which could bring light to issues concerning data privacy.
- Companies should ensure that they have stringent security policies in place that take into account the increased numbers of employees using personal devices, and the reduced levels of oversight during large-scale remote work. They should consider the security posture of the firm, the privacy concerns of their employees and the increased chance of data leakage when personal devices are used. Organizations should communicate policies very clearly so that employees are fully aware of the potential repercussions of using their own devices for corporate work.
Endpoint management is key
- Effective endpoint management is necessary to guarantee a high security standard. For example, it can ensure the presence of strong firewalls, antivirus software and the ability for IT to remotely wipe devices in case of loss to prevent the spread of sensitive information.
- When each employee is assigned a corporate laptop and mobile phone, the fact that individuals use very similar models of devices makes it significantly easier to deploy effective endpoint management systems at scale. With employees using devices that span a wide variety of makes and models, IT teams are very likely to run into compatibility issues when any endpoint management systems are installed and subsequently patched.
- Furthermore, on corporate endpoints, it is simple to manage features such as billing and data usage. This becomes increasingly complex when personal devices are in use; it can be very difficult to distinguish between costs incurred for personal or company use if all activity occurs on the same device.
- Organizations should test endpoint management systems to be aware of and work towards solving any compatibility issues. They should ensure employees are well-educated on the importance of features such as antivirus software and strongly encourage those employees to install such security features if they are using personal laptops for corporate work.
Privileged Accounts and Operational Security
- In these unprecedented times, companies need to assure that they narrow their cyber risk exposure without deprecating their operational functionality. Security and functionality are closely entangled and if one were to take on an uneven weight over the other, an imbalance would mean a deprecated state in operations. With an increased reliability on personal devices, there is less oversight in addition to a greater level of remote-access to resources. Hence, the threat of malicious insiders increases. To combat this, companies must assure that clients, employees and users are given appropriate time-bound access to data only when pertinent to completing their function.
- Furthermore, enhanced remote-access to resources could allow threat actors to escalate their privilege within a system. Hence, companies must closely manage any privileged access across their networks. Systems must be equipped to filter requests effectively and securely elevate the privileges of users only when necessary. IT personnel need to limit invalid requests while consistently providing information to validated users.
- In order to mitigate concerns, employees must be made aware and guided to all resources available for requesting and communicating data. This would ensure a healthy and monitored operational baseline and is especially relevant as regulatory shortcomings can often be attributed to a lack of employee training.
- Reviewing, logging and monitoring interactions with entities outside a company’s own network is paramount. Having a trained and updated staff can ensure that everyone involved with handling, processing or providing client information practices due diligence, especially when using a personal device.
With these challenges in mind, there are a few steps that companies can take to limit their cyber risk exposure. They should:
- Perform extensive security testing on systems that are designed to be used by employees working on personal devices, and ensure they are adequately patched.
- Make sure companies are prepared for potential security incidents through conducting activities such as tabletop exercises.
- Ensure a high level of employee education so that people are aware of risks associated with using personal devices and fully understand relevant policies. If employees are fully aware of security risks, they are more likely to install antivirus software and firewalls despite the lack of company oversight.
- Invest time into researching Mobile Device Management systems that can be successfully deployed onto a wide range of personal laptops and mobile phones. Use these systems to alleviate the pressure on IT administrators to monitor, secure and enforce policies on employee endpoints. This is particularly useful during the pandemic as IT staff are likely to be overstretched.
- Over the longer term, it would be prudent to conduct a security assessment of BYOD policies and practices so that companies are fully aware of their security posture and how to improve.
- Further NCSC guidance can be found here.
New systems and policies undoubtedly need to be developed to mitigate inherent risks associated with BYOD, several of which have been exacerbated by the coronavirus outbreak. Security issues centered on BYOD – in particular, repercussions of downloading corporate data on personal devices, general endpoint management and operational functionality – are very important for organizations to focus on. These concerns need to be effectively addressed so that companies cope with the way in which day-to-day work has changed during the pandemic. Indeed, certain policies may stay in effect long after COVID-19, when employees wish to take advantage of enhanced BYOD capabilities, thus encouraging the need for organizations to pay particularly close attention to this area.
To learn more about how to assess and mitigate the risks to your organization associated with BYOD and remote working, please contact Aon.
Authors: Zainab Ali Majid and Panagiotis Skoufalos
This material has been prepared for informational purposes only and should not be relied on for any other purpose. You should consult with your own legal and information security advisors or IT Department before implementing any recommendation or guidance provided herein.