Why End Users and Their Devices are the Weakest Link in Your Security Posture

Organizations have recently been forced to rethink the way they handle remote access and at-home work. Bring-your-own-device (BYOD) policies were put to the test when many organizations had to allow employee-owned hardware to access local network resources. A BYOD policy gives employees the flexibility to work on a personal device, which has been shown to increase productivity, but it also adds risk to the organization's infrastructure and data privacy. In 2020, the cost of a data breach skyrocketed, and 85% of reported breaches were caused by human error. BYOD users are the most likely to accidentally expose data to outside threats and increasingly sophisticated attacks.

User Devices Add Huge Risk to Data Protection

In a corporate environment, any device issued to a user can be locked down and updated according to administrator policies, but a personal device lacks many of the enterprise-level cybersecurity controls that are standard on company-issued laptops, tablets, and smartphones. A personal device likely does not have enterprise-level antivirus software, hardware encryption, mandatory software patches, or the other cybersecurity controls that address common threats.

T-Mobile, which recently suffered a major data breach, has long studied BYOD policies and reported that 41% of data breaches can be traced to lost laptops, tablets, and smartphones. Its most recent breach exposed personally identifiable information (PII) for over 40 million people, including social security numbers, driver's license data, and more. Breaches like this cost companies an average of $4.2 million, in addition to lasting brand reputation damage and loss of consumer trust. With corporate devices, administrators can set the device to lock after a set amount of time, and they can remotely wipe the disk of any data should users lose their devices. With personal devices, administrators have no remote access and cannot ensure data is stored in an encrypted state.

Outdated software is another huge risk factor with BYOD. With corporate devices, an administrator can force updates on devices to keep software patched. With user devices, an employee can leave software outdated for months, leaving a long window of opportunity for any threats that exploit old vulnerabilities on unpatched software. When users connect to insecure public Wi-Fi hotspots, use unencrypted connections, fall prey to man-in-the-middle attacks and drive-by downloads from malicious sites, they put device data at risk.

Shoulder surfing in public places is also a concern. As users connect to the network, view sensitive information on their devices, and type messages on the device, this data could be disclosed to anyone within sight of the screen. When other people take pictures with their smartphones, screens showing sensitive data could be captured in the image. For this reason, many corporations do not allow pictures in areas where corporate machines are in view, but this policy cannot be enforced when employees work in public locations with their own devices.

For more information on protecting your organization from human error, download our guide: Human Factor in Cybersecurity.

Reducing Risk While Allowing BYOD Access to Corporate Resources

Research into BYOD and data breaches indicates that one in five enterprises admits that user devices were at fault for a compromise. Although BYOD increases productivity, the research shows that it comes at the cost of security and the risk of employees connecting to malicious Wi-Fi hotspots. These risks put an increased workload on administrators, who are responsible for protecting network assets while giving users the flexibility to connect with any personal device from anywhere, including public locations.

No cybersecurity policy reduces risk 100%, but administrators can take the necessary steps to help stop many of the human errors responsible for BYOD data breaches. Some controls block access when the required cybersecurity tools aren't present on the device, but others rely on the user. For example, administrators can't control application updates on a user's device, but they can require VDI or DaaS connections.

Users should be required to connect to a virtual desktop when working remotely. Should a user lose a device, a remote wiping service should be available so that any data stored on the local device can be removed.
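The two kinds of control described above (blocking access when required tools are absent, and forcing unmanaged devices through VDI/DaaS rather than direct access) are what a device-posture check in a conditional-access gateway does. The following is an added example, not SessionGuardian's or any vendor's code; the `DevicePosture` fields, the 30-day patch window, and the sample devices are all constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Maximum acceptable age of the last OS/application patch (assumed policy value).
MAX_PATCH_AGE = timedelta(days=30)


@dataclass(frozen=True)
class DevicePosture:
    """Posture attributes an endpoint agent or MDM would report (hypothetical schema)."""
    device_id: str
    corporate_managed: bool     # issued and controlled by the organization
    disk_encrypted: bool        # full-disk encryption enabled
    endpoint_protection: bool   # anti-malware agent present and running
    last_patched: date          # date of the most recent patch run
    via_vdi: bool               # session is a VDI/DaaS connection, not direct access


def evaluate_access(posture: DevicePosture, today: date) -> tuple[str, list[str]]:
    """Return ("allow", []) or ("deny", [reasons]) for one connection attempt.

    Every rule is evaluated so the user (or help desk) sees all failing
    requirements at once instead of fixing them one reconnect at a time.
    """
    reasons: list[str] = []

    # Controls that block access when the required tooling is absent.
    if not posture.disk_encrypted:
        reasons.append("disk is not encrypted")
    if not posture.endpoint_protection:
        reasons.append("no endpoint protection agent")
    if today - posture.last_patched > MAX_PATCH_AGE:
        reasons.append(f"last patch older than {MAX_PATCH_AGE.days} days")

    # Control that substitutes for what admins cannot enforce on personal hardware:
    # an unmanaged device never gets direct access, only a VDI/DaaS session,
    # so corporate data stays off the local disk.
    if not posture.corporate_managed and not posture.via_vdi:
        reasons.append("personal device must connect through VDI/DaaS")

    return ("allow" if not reasons else "deny", reasons)


# Constructed sample fleet for a run on 2021-09-01 (dates are illustrative).
TODAY = date(2021, 9, 1)
SAMPLE_DEVICES = [
    DevicePosture("corp-laptop-01", True, True, True, date(2021, 8, 25), False),
    DevicePosture("byod-tablet-07", False, True, True, date(2021, 8, 20), True),
    DevicePosture("byod-laptop-12", False, True, True, date(2021, 8, 20), False),
    DevicePosture("byod-phone-03", False, False, False, date(2021, 5, 1), True),
]


def evaluate_fleet(devices=SAMPLE_DEVICES, today=TODAY) -> dict[str, tuple[str, list[str]]]:
    """Evaluate every device and return {device_id: (decision, reasons)}."""
    return {d.device_id: evaluate_access(d, today) for d in devices}


if __name__ == "__main__":
    for device_id, (decision, reasons) in evaluate_fleet().items():
        detail = "; ".join(reasons) if reasons else "posture OK"
        print(f"{device_id:16} {decision:5} {detail}")
```

The managed laptop and the BYOD tablet arriving over VDI are allowed; the BYOD laptop is refused only because it tried a direct connection, and the BYOD phone is refused on three counts at once. Reporting every failed rule together is deliberate: it turns a vague "access denied" into a checklist the user can act on.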

Continuous identity verification, which uses facial recognition to re-authenticate the user second by second, is the newest layer of cybersecurity to enter the VDI/DaaS landscape for organizations with sensitive data. SessionGuardian, the pioneer of continuous identity verification, entirely eliminates uncertainty about the user's identity. SessionGuardian's software also blurs and locks the device whenever an unauthorized person is detected in the background, mitigating the threat of shoulder surfing.

So What Next?

BYOD is here to stay, but it's necessary to implement the right remote workforce security to protect local network resources and sensitive data. Alongside these security steps, it's also important to have a policy that lays out proper cybersecurity practices for users. Users need to be educated on the dangers of outdated software and social engineering, and on the importance of anti-malware protection. With education and the right physical security on devices, users can have the flexibility to use their laptops and mobile devices while keeping those devices secure from threats.
