NetworkTigers on BYOD policies that allow employees to bring their own devices to work.
The work-from-home revolution has had a wide-ranging impact on how organizations do business, how employees communicate, and the overall culture of employment in general. With benefits that include increased productivity, greater flexibility, lower equipment costs, and greater worker satisfaction, it’s little wonder that the work-from-anywhere and bring-your-own-device (BYOD) policies that took root during the pandemic are here to stay.
However, BYOD policies also present unique cybersecurity challenges that many organizations allow to slip through the cracks. As always, one can count on cybercriminals and hackers to take advantage of any opportunities to steal data, launch ransomware attacks, or inject systems with malware.
The following factors inherent to BYOD policies can set the stage for security incidents, make safety difficult for network administrators to guarantee, and offer hackers a multitude of options when it comes to illegal activity:
1. They offer a wide range of targets and entry points
In a more standardized tech environment, a workforce would be largely using the same hardware and the same software and doing so through a network that is contained and subjected to carefully planned security protocols. This means that, for the most part, hackers will find themselves up against the same walls no matter how they attempt to gain system access.
A breadth of BYOD hardware types makes this kind of security extremely challenging. Different operating systems may respond to new threats uniquely, updates may affect different devices in unpredictable ways, and some vulnerabilities may only be present under specific configurations.
2. They result in inconsistent security habits
Even if an organization mandates that specific security measures remain in place, these tend to come down to an individual’s willingness to adhere to them consistently. Protocols are only as effective as their implementation, and ensuring that every worker complies to the fullest extent on a phone, tablet, or computer they have purchased themselves can be a monumental task.
Some workers may adhere stringently to automatic updates, while others may go months or even longer without ever considering data safety.
With a swath of targets to choose from, it only takes a single employee’s deviation or lapse of judgment to bring an organization to its knees potentially. Something as simple as a reused password or an account without multi-factor verification could spell disaster.
A BYOD workforce offers an environment within which a threat actor will encounter devices from various manufacturers running platforms and software versions that may be expired or improperly set up.
3. Personal device use can expose company data
When an employee owns a device, it’s only natural to use it personally. This can include visiting websites that pose security risks or connecting to public networks that may allow hackers to look at what’s on their machine.
If an employee downloads malware or inadvertently exposes their device to intrusion, any company data, login credentials, passwords, or contacts could be exfiltrated or used to engage in further attacks.
Stolen contact information can be used for spear phishing campaigns. Compromised accounts can be weaponized and used to trick colleagues into believing they are communicating with a trusted associate or superior.
4. Social engineering is more effective through a personal device
While proven to be a risk even in what one would assume to be watertight corporate environments, a social engineering attempt can be especially effective when someone experiences it via a personal device.
Alarm bells may ring if an employee encounters questionable correspondence or requests through a standardized and familiar business platform or account. Still, people are more likely to absentmindedly engage with or believe a fraudster is communicating with them through a personal device.
Social media scammers, phishing emails sent to personal accounts, and fraudulent phone calls can all lead to a damaging data breach.
5. Standardized corporate security is harder to implement
A benefit to a standardized, traditional network is that the admins in charge can create an environment that simplifies implementing company-wide security principles. When all workers use the same operating system and platforms and connect to the same network in the same place, updates can be pushed as needed, and other modifications can be automated.
However, this becomes a much more complicated task when a BYOD workforce uses a variety of diverse devices. It can be challenging, if not impossible, to ensure that security remains uniform when a network is anything but.
This inconsistent application of security offers hackers several opportunities to achieve unauthorized access to personal devices and, in turn, corporate networks.
6. Use of public wifi can be weaponized
Coffee houses, hotels, airports, and other locations offering free public wifi can pose serious security risks. These businesses prioritize the convenience of their internet access over the security of their customers. This means that an employee accessing an organization’s network in a public space may be doing so directly under the view of a hacker snooping in on the business’ traffic.
Additionally, some information can be seen or photographed directly from a worker’s device. If a threat actor is aware of an individual’s habits and is incentivized to attempt to access their employer’s data, they may simply have to sit behind them in a cafe and look at their screen.
7. Shadow IT on BYOD machines can result in loose security
Shadow IT, a term used to refer to workers using software or other resources without the approval or knowledge of the IT department, opens up employee devices to exploits that an organization’s admins would have no idea even to be aware of.
On a traditional network, how work is done and how employees communicate can be regulated. Apps that have not been approved can be blocked, and the usage of those that are permitted can be monitored and features adjusted as security concerns evolve.
However, BYOD policies open the door for workers to sidestep approved software in favor of their own preferences. For example, an employee may find an organization’s internal messaging system less convenient than using a different app or sending correspondence via text.
This circumvention of company policy is hard to prevent, and employees may be sharing sensitive data or messages through platforms that aren’t protected. A breach of one of these platforms, or an error made by an employee, could result in a threat actor gaining the information they need to create a convincing phishing email or gain system access.
8. Personal devices are more easily stolen
When a company entrusts a worker to keep their device safe, they’re subjected to the possibility of the device being stolen under more circumstances than a dedicated work-only machine would typically encounter.
A phone or laptop stolen from an automobile or accidentally left at an airport poses a serious risk, primarily if the owner hasn’t implemented baseline security measures to prevent someone other than them from accessing their account from the device.
Additionally, it then falls to the employee to disconnect a lost device from their account and take all appropriate measures to prevent their files from being viewed by a stranger. While an IT department is quick to sever ties with a lost work device, someone who has misplaced their personal computer or tablet containing photos, videos, etc., is much more likely to let more time pass in hopes of having their device returned and therefore, increase the potential for data exposure.
About NetworkTigers
NetworkTigers is the leader in the secondary market for Grade A, seller-refurbished networking equipment. Founded in January 1996 as Andover Consulting Group, which built and re-architected data centers for Fortune 500 firms, NetworkTigers provides consulting and network equipment to global governmental agencies, Fortune 2000, and healthcare companies. www.networktigers.com
