Given that personal devices within corporate networks are a potentially combustible mix, a cavalier approach to BYOD security will not be enough.
February 6, 2024
6 min. read
Having helped organizations weather the disruptions caused by the pandemic, remote work (which has often since evolved into hybrid work) is here to stay. With the boundaries between work and home blurrier than ever, many people want, or even need, access to business resources not only from anywhere and at any time, but also from any device – enter the use of personal devices to complete work and access company data.
On the other hand, using personal devices for work purposes, whether exclusively or alongside employer-provided devices, carries increased cybersecurity risks, all the more so if not backed by robust security practices and precautions. Although concerns about BYOD (bring your own device) arrangements are by no means new, the increased reliance on personal devices for work has breathed new life into the potentially daunting challenges of securing enterprise data and necessitated a reassessment and adjustment of existing policies to fit the changing world of work.
So how can employees and organizations mitigate the cyber risks associated with employee-owned devices and avoid putting company and customer data at risk? While there is no one-size-fits-all solution, a few steps will go a long way in protecting businesses from harm.
Reduce the enterprise attack surface
Employee use of devices not issued or managed by IT, especially if left unchecked, becomes a major threat to company data. In an age where bad actors are constantly looking for chinks in companies’ armor, limiting the number of these potential entry points is a no-brainer. It is therefore important for organizations to take inventory of every device accessing their networks, as well as to define the security standards and configurations that employee devices must meet to ensure a basic level of protection.
Unauthorized applications or other software on employee-owned devices are a common source of the risk that shadow IT as a whole poses to the integrity, availability and confidentiality of company data and systems. To thwart unregulated third-party access to sensitive data, organizations can benefit from creating a “fence” between personal and corporate information on devices and applying blacklist (or whitelist) controls to applications. There are also other ways to keep control of employee-owned devices using dedicated mobile device management software, which brings us to our next point.
Update software and operating systems
The importance of installing security updates to quickly patch known vulnerabilities cannot be overstated, as hardly a day goes by without new discoveries of vulnerabilities in widely used software being published.
It’s certainly easier to ensure employees are working on up-to-date devices when they’re using company-issued laptops and smartphones and can count on support from IT to stay current and install software updates on their machines shortly after their release. These days, many businesses rely on device management software to help them not only install updates on their employees’ devices, but also improve their overall security.
Where the task of keeping the software installed on their devices up to date falls on employees themselves, at the very least organizations can be diligent in reminding employees when patches are available, providing them with practical guides to applying updates and tracking progress.
Establish a secure connection
If a remote employee needs to access the organization’s network, the organization should be aware of this. Remote workers can use not only their home Wi-Fi networks, but also public Wi-Fi networks. In either case, a properly configured virtual private network (VPN) that allows remote workers to access company resources as if they were sitting in the office is a simple way to reduce the organization’s exposure to weaknesses that could otherwise be exploited by cybercriminals.
Another way to enable remote connectivity in an organization’s IT environment is to use Remote Desktop Protocol (RDP). When much of the world’s population shifted to working from home, the number of RDP connections increased sharply, as did attacks on RDP endpoints. There were a good number of cases in which attackers found ways to exploit misconfigured RDP settings or weak passwords to gain access to corporate networks. An effective cybercriminal can use these openings to siphon off intellectual property, encrypt and hold all company files for ransom, trick an accounting department into wiring money to accounts under their control, or wreak havoc on backups of company data.
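The weak-password attacks on RDP endpoints described above leave a recognizable trail in the Windows Security log: a burst of failed logons (event 4625) with logon type 10 (RemoteInteractive, i.e. RDP) from one source address, sometimes followed by a successful logon (event 4624) from the same address. The script below is an added example, not code from the original article: it runs that detection logic over a handful of constructed event records that mimic the Security-log field names. The threshold of five failures in five minutes, the addresses and the account names are assumptions chosen for illustration, not values from the article.

```python
"""Detect password guessing against RDP from Windows Security events.

Added example, not from the original article. The event records below are
constructed to resemble Windows Security log entries (4625 = failed logon,
4624 = successful logon, LogonType 10 = RemoteInteractive, i.e. RDP); the
threshold and window are assumptions a defender would tune locally.
"""
from collections import defaultdict
from datetime import datetime, timedelta

FAILED_LOGON = 4625
SUCCESS_LOGON = 4624
RDP_LOGON_TYPE = 10


def detect_rdp_guessing(events, threshold=5, window=timedelta(minutes=5)):
    """Return alerts for sources with >= `threshold` RDP logon failures inside
    `window`, plus an alert for any later RDP success from a flagged source."""
    rdp = sorted((e for e in events if e["LogonType"] == RDP_LOGON_TYPE),
                 key=lambda e: e["TimeCreated"])
    failures = defaultdict(list)   # source IP -> failure times still in window
    flagged = set()
    alerts = []
    for e in rdp:
        ts = datetime.fromisoformat(e["TimeCreated"])
        src = e["IpAddress"]
        if e["EventID"] == FAILED_LOGON:
            recent = [t for t in failures[src] if ts - t <= window]
            recent.append(ts)
            failures[src] = recent
            if len(recent) >= threshold and src not in flagged:
                flagged.add(src)
                alerts.append({"kind": "rdp_password_guessing", "source": src,
                               "failures": len(recent), "at": ts.isoformat()})
        elif e["EventID"] == SUCCESS_LOGON and src in flagged:
            # A success after a guessing burst is the event worth paging on.
            alerts.append({"kind": "rdp_success_after_guessing", "source": src,
                           "account": e["TargetUserName"], "at": ts.isoformat()})
    return alerts


def ev(time, event_id, ip, user, logon_type=RDP_LOGON_TYPE):
    """Build one constructed event record using Security-log field names."""
    return {"TimeCreated": time, "EventID": event_id, "LogonType": logon_type,
            "IpAddress": ip, "TargetUserName": user}


# Constructed sample log (documentation IP ranges, invented account names).
EVENTS = [
    ev("2024-02-06T02:00:00", FAILED_LOGON, "203.0.113.45", "administrator"),
    ev("2024-02-06T02:00:10", FAILED_LOGON, "203.0.113.45", "admin"),
    ev("2024-02-06T02:00:20", FAILED_LOGON, "203.0.113.45", "helpdesk"),
    ev("2024-02-06T02:00:30", FAILED_LOGON, "203.0.113.45", "backup"),
    ev("2024-02-06T02:00:40", FAILED_LOGON, "203.0.113.45", "jsmith"),
    ev("2024-02-06T02:00:50", FAILED_LOGON, "203.0.113.45", "jsmith"),
    ev("2024-02-06T02:01:05", SUCCESS_LOGON, "203.0.113.45", "jsmith"),
    # An ordinary typo followed by a success stays below the threshold.
    ev("2024-02-06T08:15:00", FAILED_LOGON, "192.0.2.10", "awong"),
    ev("2024-02-06T08:15:20", SUCCESS_LOGON, "192.0.2.10", "awong"),
    # A local console logon (LogonType 2) is ignored by the RDP filter.
    ev("2024-02-06T08:30:00", SUCCESS_LOGON, "-", "awong", logon_type=2),
]

if __name__ == "__main__":
    for alert in detect_rdp_guessing(EVENTS):
        print(alert)
```

On the sample data the detector raises two alerts: the guessing burst from 203.0.113.45 once the fifth failure lands, and the subsequent successful logon as jsmith from the same address. The second alert is the one that should trigger incident response, since it indicates the guessing may have worked; the first is what the RDP hardening described in the next paragraph (no Internet-exposed RDP, strong passwords) is meant to prevent.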
The good news is that there are many ways to protect against RDP-mediated attacks. RDP access must be configured correctly, including disabling Internet-accessible RDP and requiring strong, complex passwords for all accounts that can log in via RDP. There’s much more to proper RDP configuration, and our recent article has you covered:
Protecting the Crown Jewels
Storing confidential corporate data on a personal device clearly poses a risk, especially if the device is lost or stolen and is not password protected and its storage is not encrypted. The same goes for letting someone else use the device. Even if it’s just a family member, this practice can still lead to the company’s crown jewels being compromised, whether the data is stored locally or, as is common in the work-from-anywhere era, in the cloud.
A few simple steps – like requiring strong password protection and auto-locking, and teaching employees not to let anyone else use the device – will go a long way in protecting company data from harm.
To limit the risk of unauthorized individuals accessing confidential information, organizations should encrypt sensitive data in transit and at rest, implement multi-factor authentication, and secure network connections.
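The baseline that the "Reduce the enterprise attack surface" section asks organizations to define, the patch-currency expectation from "Update software and operating systems", and the device protections named in this section (encryption at rest, auto-locking, MFA) are all checks that can be evaluated mechanically against a device inventory before a device is allowed to reach company data. The script below is an added example, not code from the original article or from any particular device management product: it encodes such a baseline as a policy, applies it to two constructed inventory records, and reports every violation. The policy thresholds, the inventory fields, the application allowlist and blocklist, and the device records are all assumptions chosen for illustration.

```python
"""Evaluate a (constructed) BYOD device inventory against a security baseline.

Added example; not code from the original article. The policy thresholds,
the inventory fields and every device record are assumptions chosen to
illustrate the checks the article describes.
"""
from dataclasses import dataclass, field
from datetime import date

# Baseline every employee-owned device must meet (assumed values).
POLICY = {
    "max_patch_age_days": 30,      # OS security updates no older than this
    "max_autolock_seconds": 300,   # screen must lock within 5 minutes
    "min_passcode_length": 8,
    "require_disk_encryption": True,
    "require_mfa": True,
    "require_endpoint_protection": True,
}

# Application controls: a deployment applies either the allowlist or the blocklist.
ALLOWED_APPS = {"corp-mail", "corp-vpn", "video-conf", "office-suite"}
BLOCKED_APPS = {"unapproved-cloud-sync", "remote-control-tool"}


@dataclass
class Device:
    owner: str
    os_name: str
    last_security_patch: date
    autolock_seconds: int
    passcode_length: int
    disk_encrypted: bool
    mfa_enrolled: bool
    endpoint_protection: bool
    work_apps: set = field(default_factory=set)


def check_device(dev, policy=POLICY, today=date(2024, 2, 6), use_allowlist=True):
    """Return a list of baseline violations; an empty list means compliant.

    `today` is fixed to the article's date so the example is reproducible;
    a real check would pass date.today()."""
    findings = []
    patch_age = (today - dev.last_security_patch).days
    if patch_age > policy["max_patch_age_days"]:
        findings.append(f"security patches are {patch_age} days old")
    if dev.autolock_seconds > policy["max_autolock_seconds"]:
        findings.append("auto-lock interval too long")
    if dev.passcode_length < policy["min_passcode_length"]:
        findings.append("passcode shorter than minimum")
    if policy["require_disk_encryption"] and not dev.disk_encrypted:
        findings.append("storage not encrypted")
    if policy["require_mfa"] and not dev.mfa_enrolled:
        findings.append("no MFA enrolment")
    if policy["require_endpoint_protection"] and not dev.endpoint_protection:
        findings.append("no endpoint protection")
    if use_allowlist:
        extra = dev.work_apps - ALLOWED_APPS
        if extra:
            findings.append("non-allowlisted apps: " + ", ".join(sorted(extra)))
    else:
        bad = dev.work_apps & BLOCKED_APPS
        if bad:
            findings.append("blocklisted apps: " + ", ".join(sorted(bad)))
    return findings


def compliance_report(devices, **kwargs):
    """Map each owner to their findings; compliant devices map to []."""
    return {d.owner: check_device(d, **kwargs) for d in devices}


# Constructed inventory records (not real devices or people).
INVENTORY = [
    Device("alice", "Windows 11", date(2024, 1, 20), 120, 12, True, True, True,
           {"corp-mail", "corp-vpn"}),
    Device("bob", "Android 13", date(2023, 11, 1), 900, 4, False, True, False,
           {"corp-mail", "unapproved-cloud-sync"}),
]

if __name__ == "__main__":
    for owner, findings in compliance_report(INVENTORY).items():
        print(f"{owner}: {'COMPLIANT' if not findings else 'BLOCK ACCESS'}")
        for finding in findings:
            print("  -", finding)
```

The useful design point is that the same policy object drives both the access decision and the remediation message: a non-compliant device is denied access, and the findings list tells the employee (or the reminder described in the update section) exactly what to fix. Running the example, alice's device passes, while bob's device fails on patch age, auto-lock, passcode length, encryption, endpoint protection and an unapproved application.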
Secure video conferencing
Video conferencing services have seen a boom thanks to the pandemic, as meetings that had been held in person moved to the virtual world. Organizations should create guidelines for using video conferencing services, such as what software to use and how to secure the connection.
Specifically, it is advisable to use software with robust security features, including end-to-end encryption and password protection for calls, which will protect confidential data from prying eyes. It goes without saying that video conferencing software must be kept up to date with the latest security updates to ensure that any software loopholes are plugged promptly.
Software and people
We’d be remiss if we didn’t mention that forgoing reputable, multi-layered security software on devices accessing company systems is a recipe for disaster. Such software – especially if managed by the company’s security or IT team – can save everyone a lot of headaches and, ultimately, time and money. Among other things, this can provide protections against the latest malware threats, secure company data even if the device is misplaced, and ultimately help system administrators keep devices compliant with company security policies.
Ensuring devices and data are backed up regularly (and testing the backups) and providing security awareness training to staff are other no-brainers – technical controls would not be complete if employees did not understand the increased risks that accompany the use of personal devices for work.