It’s an emergency. Nobody expected that overnight, millions of employees would suddenly be forced to stay home, requiring organizations to choose between allowing remote work or simply closing shop. There was no time to purchase and deploy corporate-owned devices for all of these new remote workers (or budget, for that matter).
Fortunately, many employees have their own computers and phones and are willing to use them for work. “Bring your own device” BYOD has enabled many organizations to adapt quickly and continue operating — but it introduces significant BYOD security risks, such as:
- Malware & Viruses
- Unauthorized Access
- Physical Security Risks
- Out-of-Control Data
We’ll tackle each of these BYOD security issues in this article and offer tips for quickly reducing your risk.
Malware & Viruses
Personal devices are more likely to be infected with malware, because people may engage in higher-risk activities, such as sharing pirated movie/music or surfing to inappropriate or illegal web sites. Cybercriminals can capture the employee’s passwords as they are typed, or steal sensitive data stored on the local computer or in attached cloud repositories. Since personal devices don’t have the same security and device management software as company-owned devices, you need BYOD security policies in place to avoid creating network vulnerabilities.
In one recent case that LMG Security’s ransomware response team handled, a biotech firm was infected with ransomware and their network was destroyed because a single IT administrator logged into the company’s network from his home computer (against company policy). He frequently used his personal computer to download pirated movies and was infected with info-stealing malware. The criminals found his administrator password saved in Chrome, used it to infect the company’s network, and demanded a six-figure sum to release the decryption key. (If you are hit with a ransomware attack and need help, contact us right away. To learn the latest on ransomware trends, read our ransomware blog or watch our on-demand webinar.)
What can you do to reduce the BYOD security risks associated with malware infection on employee devices?
- Implement two-factor authentication (2FA) whenever possible, so that even if an employee’s password is stolen, attackers can’t login to their cloud or remote access accounts as easily. (See our blog post, “Not All Two-Factor Authentication Is Created Equal” for more details.)
- Ask employees to install antivirus software on personal devices in order to reduce BYOD security risks. Many organizations purchase enterprise antivirus licenses for employees, to make sure they have effective protection.
- If employees use a VPN to connect to your network, consider leveraging VPN tools that scan remote systems to ensure that they meet minimum security standards before connecting.
In the home environment, it’s easy for roommates or family members to (accidentally or purposefully) access your employee’s computer. Perhaps your employee steps away to get lunch, and a family member decides to use his or her computer to surf the web. Or maybe a personal computer is normally shared between multiple family members and several people have access to it. All of these instances can quickly lead to unauthorized access and data breaches. Fortunately, you can take simple BYOD security precautions to protect your data:
- Set a strong PIN or passcode on all devices used to access sensitive data.
- Train employees to lock their screens.
- If employees must share a personal device that contains company data, ensure that they are at least setting up a separate, password-protected account for your sensitive data.
Physical Security Risks
Lost and stolen devices are always a risk, particularly given that many people have roommates or security gaps in their home environments. While laptops and phones are typically encrypted these days, many desktops are not, further increasing the risk of a data breach. Here are some tips for mitigating these new physical BYOD security risks:
- Encourage employees to leverage any lockable doors or filing cabinets in their homes.
- Consider issuing helpful physical security tools such as privacy screens and laptop locks whenever appropriate.
- If you have the time and the resources, deploy a full-featured mobile device management (MDM) solution for personal devices so that you can remotely manage and/or wipe your data off of a device if it is lost or stolen.
- Make sure that users have an easy way to report suspicious activity or a lost/stolen device to the appropriate contact.
You have to keep control of your data in order to secure it. One of the biggest BYOD security risks is that data can quickly escape your boundaries when employees have access from personal devices. For example:
- Employees may copy sensitive information to their own personal devices, and then leave the organization, taking your data with them.
- They may print data on a home printer, not realizing it is stored on their printer’s hard drive forever. This can lead to unauthorized access and costly data breaches.
- In order to transfer files to personal devices, many employees turn to familiar methods and upload your sensitive data to their own cloud accounts or email it to themselves using personal email. The problem is that many cloud and email providers automatically scan and analyze customer data and sell distilled results to marketers or use it for other purposes. By uploading sensitive data to a cloud provider without approval, employees can cause an instant data breach and put the organization at risk of costly fines or lawsuits.
Take control of your data by implementing the following security measures:
- Consider restricting downloads so that employees can only access information remotely and edit it in the cloud or on remote desktops.
- If file transfer is essential, provide employees with an approved cloud provider that enables them to easily transfer files to their personal devices in a safe way, without violating contractual or regulatory obligations.
- Take advantage of Mobile Device Management (MDM) features that are already built into your cloud suites or existing software. Many applications such as G-Suite and Office365 have built-in MDM capabilities, so that you can remotely wipe company data from the employee’s device if needed.
- Train employees so they are familiar with your policies and know how to follow them.
You’re not alone. Every organization is grappling with sudden work-from-home challenges, including “emergency BYOD.” Now that employees are successfully working remotely, the next step is to help make this new work setup safer. There is no such thing as perfect security, and you don’t need to implement every security feature overnight. By making incremental progress, we can slowly work towards a safer environment.
As always, if you need help securing your remote work setup or developing your policies, contact us. We can help.