A 'bring your own device' policy in the workplace can cause chaos when things get out of control. Since the beginning of the pandemic, cyber attackers have benefitted from our changing 'work from home' patterns, resulting in a huge surge of cyber attacks in 2020, a trend which we are yet to see reverse. Since organisations reopened their offices and implemented new hybrid working policies, 'bring your own device' has become a popular arrangement which enables employees to transition more easily between home and office working by utilising their personal smartphones, tablets, and laptops.
However, most organisations are starting to look carefully at their IT ecosystem for vulnerabilities, and BYOD policies are one of the key areas where many businesses are compromising their cyber security. Anthony Green, CTO of cybersecurity consultancy firm FoxTech, explains:
"External and personal devices are a major chink in many companies' armours when it comes to protecting against cyber attacks. BYOD means that employees are accessing and storing data owned by the company on devices that are not company property. In the IT professions, any device that connects to your network is known as an endpoint. A study by the Ponemon Institute found that 68% of organisations experienced one or more endpoint attacks in 2020, coinciding with the boom in home working. This means that insecure and unprotected personal devices could be a real threat to the security of your data.
"It would be best to not have a BYOD arrangement at all, but this isn't always realistic with personal devices becoming more and more embedded in office life. With that in mind, there are actions you can take to minimise the risks inherent in using personal devices for work."
Here, FoxTech provides their tips for making your BYOD policy cyber security friendly:
Know the risks
Educating yourself on the specific risks of BYOD is extremely important and will ensure that you don't sleepwalk into a cyber security crisis. The main risks include:
- Easier malicious withdrawal of data e.g. users allowing malicious applications to access data
- Higher potential for accidental data loss e.g. work data being shared in device backups, personal devices being shared with family
- Higher likelihood of devices being unsupported or out of date
- Users being less willing to report security incidents because they are worried that their personal data will be intruded upon
- Increased risk of device theft and loss
Think it through
Don't make it up as you go along. Just as you should develop written policies around the use of company devices, you need to create rules and obligations around your BYOD scheme. The National Cyber Security Centre (NCSC) has an excellent guide to creating a Bring Your Own Device policy.
Work with your employees
One of the biggest challenges of securing your employees' personal devices is the conflicting interests between the company and the device owners. As personal devices are not company property, the employee has the right to refuse device monitoring and the installation of security features.
Users will commonly worry that the installation of security packages could slow down their device and affect its usability. They may also be concerned that too much company monitoring will infringe on the privacy of their personal data.
For these reasons, it's important to get your employees on side when it comes to securing their devices. One way to do this is to offer the alternative option of a company device. This means that if employees still choose to use their personal device, they may be more inclined to agree to security measures, as they won't feel that those measures are being forced upon them.
Communicating the risks of BYOD and the mutual responsibilities between organisation and employee will also be crucial to encouraging the safe use of personal devices.
Be cautious with your data
Don't give anyone more access to your data on personal devices than is required for their job role. There are some aspects of your data, such as an employee's financial information, that it would be wise to keep within a fully managed environment. When you are planning your BYOD policy, you should conduct an audit of each employee and department to establish where it may not be appropriate. Don't be afraid to extend the policy to some departments and not others - the key is to communicate why you have made each decision.
Invest in cyber security monitoring
The Ponemon Institute's annual Cost of Data Breach Report found that in 2021 it took companies an average of 212 days to identify a breach, and a further 75 days to contain it. The faster a breach is identified and contained, the lower the overall cost of the damage will be. This means that if a malicious actor has managed to infiltrate your system through a personal device, there is still time to prevent a full-scale attack if you are able to quickly identify a breach.
The best way to monitor your system for potential breaches is to invest in cyber security monitoring by an expert cyber security consultancy.
Anthony Green is a CREST practitioner and a recognised thought leader in cybersecurity.
He has designed and implemented some of the most secure systems in the UK, including global corporations, the UK government and a variety of SMEs.
His career has spanned software development, infrastructure, technical leadership and security. He is a founder and CTO of FoxTech.
© SecuringIndustry.com