The growing trend of bringing your own devices (BYOD) to work, fuelled by the pandemic-induced hybrid work environment, means organizations are now having to deal with threats posed by shadow IT systems.
Even seemingly harmless downloads of applications such as Zoom or Teams onto an employee’s personal device can create a security risk to businesses. And, as BYOD usage continues to grow, this problem will only become more prevalent.
However, by taking appropriate measures, all businesses can mitigate the security risks posed by this trend. In order to help you effectively navigate and mitigate these risks, here are five steps all businesses should consider when designing their BYOD security policies.
Educate your employees about the risks
Many BYOD risks stem from the fact that many employees don’t know how to identify threats or how to mitigate them. For example, data leakage can occur when employees download sketchy applications containing malware, use unprotected Wi-Fi networks, or simply have their device stolen. You need to make a concerted effort to explain to your employees what the risks are and have them buy into a company-wide BYOD policy designed to mitigate these risks.
We recommend you develop and deliver BYOD-specific security workshops for your employees, so they have the awareness and tools to identify risks and take mitigating actions when required. What’s more, this is a great value-add to your employees, as it will help them keep their personal data more secure online – so it should be an easy sell.
Restrict VPN usage on mobile
Many companies use virtual private networks (VPNs) to help prevent data leakage. While this makes sense on company-provided devices such as your primary PC, we do not recommend VPNs on personal mobile devices (BYOD).
In fact, we recommend that access to the company network (e.g. on-premises servers) on personal mobile devices be prohibited, and that VPN client software should not be allowed to be installed on BYOD at all. This should be clearly outlined in your BYOD policy.
However, this situation changes when employees are accessing cloud applications (as opposed to on-premises apps) which is more and more common. In this case, accessing your cloud applications through a browser is acceptable.
In general, personal mobile devices should not be considered the employee’s primary device – they should only be considered a convenience to access chat, email and other cloud apps when using a more secure device is not an option.
Note that a VPN is needed when in a public place and an unsecured Wi-Fi network is the only option. Again, it is recommended that the employee use their company-provided and managed laptop, not a personal mobile device. Many usage policies actually prohibit employees from connecting to unsecured Wi-Fi in the first place, which solves the problem.
Develop a BYOD offboarding process
Another major BYOD security risk is when an employee leaves an organization, but is still able to access private company information via their personal devices. This is something that needs to be clearly addressed in a business’s BYOD security protocols.
Your existing employee offboarding process may not be robust enough to protect against this risk – especially if it’s primarily centered around the retrieval of work devices prior to an employee’s exit. Clearly you are not able to retrieve an employee’s personally owned device.
Therefore, your offboarding process must also ensure that an employee’s access to cloud-based servers, corporate email, and all other company systems is removed on the day of their exit – not after they exit.
Make sure all devices are known and secure
Another important step to protecting your business against BYOD risks is to create a list of accepted devices for accessing company data. Without a thorough list of the number of BYOD devices in use within an organization’s ecosystem, it’s extremely difficult to effectively measure and mitigate the risk that this poses.
Knowing the number of personal devices being used for business tasks allows you to require specific security measures for each type of device. Of course, you also need to insist that every employee takes every precaution when doing things such as choosing passwords and screen locks.
You should also require that every employee uses two-factor authentication when accessing company data. This simple measure drastically reduces a hacker’s ability to access a device’s information, adding an additional layer to your BYOD security.
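The offboarding and device-inventory steps above are only as good as the checks that verify them. The following Python script is an added example (not code from the article or from Ntiva) of the kind of reconciliation an IT or security team can run daily: it joins a constructed HR roster, an identity-provider account export, a device allowlist and a device-access log, and flags accounts still active past the owner's exit date, devices that accessed company data after an exit, devices not on the accepted list, and active accounts without two-factor authentication. All record formats, field names and sample values are assumptions chosen for the example; a real deployment would populate them from the HR system, identity provider and MDM exports.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Set, Tuple

# All records below are constructed for this example; they are not data from
# the article or from any real organization. Field names are assumptions.


@dataclass(frozen=True)
class HrRecord:
    user: str
    exit_date: Optional[date]  # None means still employed


@dataclass(frozen=True)
class Account:
    user: str
    active: bool
    mfa_enrolled: bool


@dataclass(frozen=True)
class DeviceAccess:
    user: str
    device_id: str  # identifier as reported by the MDM/IdP (constructed)
    seen: date      # date the device last accessed company data


HR_ROSTER = [
    HrRecord("alice", None),
    HrRecord("bob", date(2023, 3, 31)),    # left at the end of March
    HrRecord("carol", date(2023, 4, 14)),  # exit date is "today" in the run below
    HrRecord("dave", date(2023, 6, 30)),   # future exit, still employed
]

ACCOUNTS = [
    Account("alice", active=True, mfa_enrolled=True),
    Account("bob", active=True, mfa_enrolled=False),   # should have been disabled
    Account("carol", active=True, mfa_enrolled=True),  # must be disabled today
    Account("dave", active=True, mfa_enrolled=False),
]

# Accepted devices per user, as the article's "list of accepted devices".
APPROVED_DEVICES: Dict[str, Set[str]] = {
    "alice": {"mdm-0001"},
    "bob": {"mdm-0002"},
    "carol": {"mdm-0003"},
    "dave": {"mdm-0004"},
}

DEVICE_ACCESS = [
    DeviceAccess("alice", "mdm-0001", date(2023, 4, 14)),
    DeviceAccess("alice", "unknown-9f3a", date(2023, 4, 13)),  # never enrolled
    DeviceAccess("bob", "mdm-0002", date(2023, 4, 10)),        # after bob's exit
    DeviceAccess("dave", "mdm-0004", date(2023, 4, 14)),
]


def _exit_dates(roster: List[HrRecord]) -> Dict[str, date]:
    return {r.user: r.exit_date for r in roster if r.exit_date is not None}


def lingering_access(roster: List[HrRecord], accounts: List[Account],
                     today: date) -> List[Tuple[str, int]]:
    """Accounts still active on or after the owner's exit date.
    Returns (user, days_past_exit), longest gap first, so the oldest
    offboarding failures surface at the top of the report."""
    exits = _exit_dates(roster)
    findings = []
    for acct in accounts:
        exit_date = exits.get(acct.user)
        if acct.active and exit_date is not None and exit_date <= today:
            findings.append((acct.user, (today - exit_date).days))
    return sorted(findings, key=lambda f: (-f[1], f[0]))


def post_exit_device_activity(roster: List[HrRecord],
                              access: List[DeviceAccess]) -> List[Tuple[str, str, str]]:
    """Device sessions dated after the user's exit: evidence that a personal
    device kept working after offboarding."""
    exits = _exit_dates(roster)
    hits = [(a.user, a.device_id, a.seen.isoformat())
            for a in access if a.user in exits and a.seen > exits[a.user]]
    return sorted(hits)


def unapproved_devices(access: List[DeviceAccess],
                       approved: Dict[str, Set[str]]) -> List[Tuple[str, str]]:
    """Devices that touched company data but are not on the accepted list."""
    return sorted({(a.user, a.device_id) for a in access
                   if a.device_id not in approved.get(a.user, set())})


def missing_mfa(accounts: List[Account]) -> List[str]:
    """Active accounts that have not enrolled in two-factor authentication."""
    return sorted(a.user for a in accounts if a.active and not a.mfa_enrolled)


if __name__ == "__main__":
    today = date(2023, 4, 14)
    print("Active past exit:", lingering_access(HR_ROSTER, ACCOUNTS, today))
    print("Device use after exit:", post_exit_device_activity(HR_ROSTER, DEVICE_ACCESS))
    print("Unapproved devices:", unapproved_devices(DEVICE_ACCESS, APPROVED_DEVICES))
    print("No MFA:", missing_mfa(ACCOUNTS))
```

The exit comparison uses `exit_date <= today` on purpose: an account belonging to someone whose exit date is today is already a finding, which matches the article's requirement that access be removed on the day of exit rather than afterwards. Run as a scheduled job, the output is a to-do list for the identity and MDM administrators rather than a one-off audit.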
Install mobile device management software
A final but no less important step is to make effective use of mobile device management (MDM) software. This software allows a company to protect their data in the event that a device is lost or stolen.
MDM software allows a company to remotely wipe data from a stolen device. However, this needs to be activated beforehand, as the device owner needs to opt in to giving your company access to it – so this should be activated as part of your BYOD onboarding process.
Ultimately, now that the BYOD genie is out of the bottle, it’s not going back in. The benefits can be significant, such as improved productivity and lower costs for businesses. And while there are specific security risks posed by BYOD, appropriate protocols and policies can mitigate these down to levels that most organizations would feel comfortable with.
About the Author
Frank Smith, CISSP is Security & Consulting at Ntiva, an MSP providing IT services, cybersecurity services and IT consulting for today’s technology-dependent businesses.
Featured image: ©Green Butterfly