WOOF! Newsletter

February 13, 2023

BYOD May Be Popular, But It's Still a Security Risk

Bring Your Own Device (BYOD) has regained popularity in the past few years. While some businesses might see this as a plus, it's our job to remind you of the risks, and provide ways to help you mitigate those risks.

TIME TO READ: 6 MINUTES


The nation's business outlook is...uncertain.  Recession fears, news of layoffs, lingering supply issues, and team struggles...all influence our 2023 decision making.

With the year ahead of us, and budgets formulating, we wanted to revisit one of the bigger IT debates facing businesses—Bring Your Own Device, or BYOD.

If you're unfamiliar with BYOD, it means allowing (or requiring) employees to use their personal mobile phones and/or personal computers for work, instead of issuing them a company phone and computer.


The State of BYOD – Not Like Before, More Commonplace

We saw a major change in the working world between 2019 and today—remote work going mainstream.

When millions switched to working from home in 2020, many companies issued laptops to remote employees. Others let them use their home computers. All those computers remotely accessed business networks, securely or insecurely, for years.

Surveys say employees often find it more convenient to work on their personal devices, for instance:

  • Using one mobile phone instead of carrying two.
  • Working on their personal Mac instead of their company’s Windows laptop.

BYOD-friendly employers do enjoy cost savings. Employees using personal mobile phones for work saved companies an average of $350 a year per employee; using a personal computer recoups a similar per-employee saving.

In uncertain economic times, BYOD seems like a good way to save money and share the IT responsibility with your employees. But is it?


The Big "BUT" with BYOD

While convenience and cost savings rank high when it comes to IT hardware, so do company security, employee privacy, and support costs.  Since your company does not control the purchase or maintenance of BYOD computers, these devices introduce a number of risks.


Security is Compromised

The #1 BYOD risk is and always will be IT security.  According to one survey, only 32% of BYOD companies require employees to register their personal computers with the IT department, and to install security protections (e.g., antivirus, antimalware, remote monitoring & management).

The amount of phishing and malware targeting every business—including yours—tripled in the past 3 years. The less protected a computer, the more likely it is to become “patient zero” in your next cyberattack.

---

Does the employee run regular software and firmware updates on their computer?  If not, it could be more susceptible to attack.  Who is responsible for maintaining and troubleshooting an employee’s BYOD computer?  If it’s your company, your support techs will have to deal with a myriad of support issues they wouldn’t normally see in a standardized IT environment.

---

Does your employee use a weak, easily hackable password on their personal computer?  You can’t enforce a "complex password" policy on their personal device.  If the computer is lost or stolen, would a hacker easily gain access to your network through that weak password, and any saved passwords on their computer?


Near-Zero Management Control

You have no control over what software an employee uses on their personal computer.  Employees may download games, gambling apps, or adult content with hidden malware or viruses. Those can then pass through to your network the next time they log in.

---

Does your BYOD employee save work files locally, instead of to your cloud/server?  What if they leave the computer at an airport, or it gets stolen from their car? How much of your corporate data is at risk of permanent loss or theft?  (The example situation below shows just how serious a threat this risk becomes.)

Companies are liable for damages when they publicly expose health (HIPAA) or identity/financial information, even if the exposure comes from lost or stolen devices.


Potential for Poor Computer Performance

Is the computer "home grade"? Does it have enough processing power to handle your company's preferred apps? With the variety of hardware and software choices your employees can make, low-powered devices cause more IT-related issues and slow the employee's work down.


Employee Privacy

It’s your data, but their personal property.  Many companies put cloud backups on employee computers where critical data is stored (accounting, R&D, legal, HR, C-level, etc.).  Cloud backups typically back up all files, folders and the OS, which would also capture the employee’s personal files and photos.  If you put your anti-virus solution on their machine, it may block some of their personal downloads, and they may then ask to have it removed.

---

Litigation. If your company has a legal matter to settle, discovery requests may include all files and emails on an employee’s BYOD machine.  Do you want to be responsible for your employee having to expose their personal files and photos during discovery?


No Control When Offboarding

When an employee decides to leave, you can’t ask them to turn over their personal computer. That means all company network connections, applications, stored passwords, and work-related files could stay on their device for years. This mandates extra vigilance when shutting off ALL network access after an employee separation.


Example Situation – BYOD Causing a Data Leak

A customer's employee used their personal MacBook Pro laptop for work. They took it with them for a flight...and lost it in the airport.

Now a segment of the company's data is out in the world, with no chance to retrieve it.

Worse, we found that the employee refused to allow any backups of their laptop, for privacy reasons. The data on which they worked?  Permanently gone.

Now the employee needs a new laptop, but they can't afford to buy one (new MacBook Pros are over $3,000).  Who pays for the replacement?  Does the company's insurance cover the loss?

This is one example of dozens we've encountered since 2019.


Avoid the Risks Inherent in BYOD and Issue Company Hardware to Employees

Our best-practice recommendations:

  • Issue all team members a company desktop or laptop and smartphone (if needed).  This includes all on-site, hybrid, and remote employees.
  • Standardize your computer hardware selections for cost savings and easier support.
  • Standardize your computer builds and install cloud backups (where needed), anti-virus, and remote monitoring & management so you can automate regular updates.
  • Track and manage all these devices using MDM (Mobile Device Management) or an endpoint management service like Microsoft Intune; be able to “remote wipe” any stolen devices (or ones that laid-off employees might refuse to return).
  • Provide remote employees with secure VPN access to the company network.
  • Make it company policy that no one can store business data on a non-company device.
  • Bar non-company devices from network access. Provide them with guest access instead, via a guest Wi-Fi network.
  • When employee separations occur, require that they turn company devices back in, then back them up and recycle them for another employee.

This approach closes the BYOD security hole.

We can attest to these standards, because we use them in our own network and for the majority of our customers. At PlanetMagpie, BYOD only stands for "Bring Your Own Dog!"


If You Can't Ban BYOD, Here's How to Manage It.

Be aware of the threats targeting BYOD (at all times):

  • Email-based attacks (ransomware, data theft, phishing)
  • Malware
  • Data leaks (from using non-approved apps, device theft, etc.)
  • Privacy risks
  • Unsafe apps/content
  • Unauthorized access to company data/network/servers
  • Regulatory compliance

Actions to take against these threats:

  • Request all remote workers secure their own networks.
    • Turn on the router's firewall and Wi-Fi encryption
    • Create a strong Wi-Fi password and change it regularly
    • Change the default router login credentials
  • Launch a VPN. Hardware VPNs give stronger protection than a software VPN, so use one of those if possible.
  • Require that employees with critical company data on their personal computers allow you to set up cloud backups, but only on the folders where they keep company documents.
  • Implement features on the VPN which deny access to non-compliant devices.
  • Govern your critical data; keep it on secure services you control.
  • Adopt standard apps. Require all employees to use those apps on their devices (personal or work).
  • Train everyone on cybersecurity awareness, particularly on email.
  • Require MFA to access the company network.
  • Replace older BYOD devices with company devices, as they age out. 80% of employees surveyed prefer separate devices for work and private use anyway.
  • Provide company smartphones with MDM installed. Allow employees to use these phones for personal tasks.
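The advice above ("register personal computers with IT", MDM with remote wipe, guest access only for non-company devices, revoking ALL access at separation, and a VPN that denies non-compliant devices) amounts to one access decision per device. The script below is an added example written for this page, not PlanetMagpie's code or any MDM vendor's product; the Device fields, the 30-day patch threshold, the access tiers, the sample inventory and the separated-user list are all constructed assumptions, and a real deployment would pull those attributes from its MDM or endpoint-management service and its identity/HR system.

```python
"""Added example (not PlanetMagpie's code): a small device-access gate that
turns the newsletter's BYOD rules into checks a VPN or network-access-control
front-end could run before granting a device network access.

All thresholds, field names, sample devices and the separated-user list are
constructed for illustration.
"""
from dataclasses import dataclass, field
from datetime import date

# Assumed policy threshold: OS updates must be no older than this.
MAX_PATCH_AGE_DAYS = 30

# Access tiers a VPN/NAC could map onto network segments (assumed names).
FULL = "full"              # company-owned and compliant: internal network
RESTRICTED = "restricted"  # personal but compliant: standard apps only
GUEST = "guest"            # non-compliant: guest Wi-Fi / internet only
NONE = "none"              # owner has separated: no access at all


@dataclass
class Device:
    name: str
    owner: str
    company_owned: bool
    registered_with_it: bool   # present in IT's inventory
    mdm_enrolled: bool         # remote wipe is possible
    disk_encrypted: bool
    av_running: bool           # antivirus/antimalware present and active
    last_os_patch: date
    mfa_enforced: bool         # MFA required for this device's user


@dataclass
class Decision:
    tier: str
    reasons: list = field(default_factory=list)


def compliance_failures(device: Device, today: date) -> list:
    """Return the policy rules the device fails (empty list if compliant)."""
    failures = []
    if not device.registered_with_it:
        failures.append("not registered with IT")
    if not device.mdm_enrolled:
        failures.append("not enrolled in MDM (cannot remote-wipe)")
    if not device.disk_encrypted:
        failures.append("disk not encrypted")
    if not device.av_running:
        failures.append("antivirus/antimalware not running")
    if (today - device.last_os_patch).days > MAX_PATCH_AGE_DAYS:
        failures.append(f"OS patches older than {MAX_PATCH_AGE_DAYS} days")
    if not device.mfa_enforced:
        failures.append("MFA not enforced for the device's user")
    return failures


def decide(device: Device, today: date, separated_users: set) -> Decision:
    """Map one device to an access tier. Offboarded owners are cut off first,
    regardless of how compliant the device is."""
    if device.owner in separated_users:
        return Decision(NONE, ["owner has left the company; access revoked"])
    failures = compliance_failures(device, today)
    if failures:
        return Decision(GUEST, failures)
    return Decision(FULL if device.company_owned else RESTRICTED)


# Constructed sample inventory; names, owners and dates are illustrative only.
TODAY = date(2023, 2, 13)
INVENTORY = [
    Device("LT-0001", "alice", True, True, True, True, True, date(2023, 2, 1), True),
    Device("alice-macbook", "alice", False, True, True, True, True, date(2023, 1, 20), True),
    Device("bob-home-pc", "bob", False, False, False, False, True, date(2022, 11, 3), True),
    Device("LT-0002", "carol", True, True, True, True, True, date(2023, 2, 10), True),
]
SEPARATED_USERS = {"carol"}  # constructed: carol was offboarded last week


def gate_report(inventory=INVENTORY, today=TODAY, separated_users=SEPARATED_USERS) -> dict:
    """Evaluate every device in the inventory; returns {device name: Decision}."""
    return {d.name: decide(d, today, separated_users) for d in inventory}


if __name__ == "__main__":
    for name, decision in gate_report().items():
        detail = f" ({'; '.join(decision.reasons)})" if decision.reasons else ""
        print(f"{name}: {decision.tier}{detail}")
```

Running the script prints one line per device with its tier and, for devices pushed down to guest access, the rules they failed. The tiers are meant to map onto network segments (the internal network, a restricted segment carrying only the standard apps, and the guest Wi-Fi), which is how a VPN or NAC front-end would act on the decision; the separated-user check runs before any compliance rule so that a perfectly patched laptop still loses access the day its owner leaves.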

 

Every Organization is Different – But All Face the BYOD Risk

The intrinsic danger of BYOD is that you'll never know where your company data is 100% of the time.  You may find this an acceptable risk...depending on the value of your company data.

If you have data you MUST protect by law, or if you’re a cyber-target due to the nature of your work, it’s better to keep employee device procurement, security, and management within your control.

Your owners, investors, stockholders, and donors expect you to maturely manage your organization’s IT and protect their investments.  Imagine the worst, and develop a strategy to avoid it.

 

Need to up your security game? Contact PlanetMagpie's cybersecurity experts at .

 

Robert Douglas, IT Consulting Team Lead