It is completely normal for all employees to bring one or more personal devices to the office. However, this practice poses serious risks to the cybersecurity of a company—whether it is a small firm or a multi-national corporation.
The top BYOD (Bring Your Own Device) cybersecurity risks for companies include:
- Data Leaks: Personal devices can leak data due because they do not typically have strong encryption or secure storage. This means that intellectual property or private data can be unintentionally exposed or stored in apps or cloud services.
- Malware Cross-contamination: Personal devices are more likely to be used for entertainment, shopping, and in airports or cafes with unsecured WI-FI, amongst other non-work activities. This means that untrusted websites, apps, or emails can easily deposit malware on the devices. An infected device can act as a conduit into the company’s network or simply deposit captured company information directly to a hacker.
- Below Standard Security Controls: Corporate security standards are reliably more robust than what is on the typical personal device. Therefore, a device with an outdated operating system, lack of antivirus, and poor password hygiene is like a smelly shoe in a fine dining restaurant: it can easily contaminate.
- Unsecured Network Access: If a device is connecting to a network over unsecured WI-FI or VPN-less connection, the risk of interception or authorized access multiplies rapidly. Lack of a password or lack of multi-factor authentication is another issue regarding unsecured network access.
- Compliance Violations: Violations of HIPPA, GDPR, etc can occur if personal devices mishandle regulated data or lack audit trails for compliance proceedings.
- The Threat Inherent if a Device is Lost or Stolen: Does the device have remote wipe capability? If not, sensitive data may be exposed should it be lost or stolen.
- Nefarious Employee Behavior: A disgruntled employee can obtain sensitive company data and information on their personal device without detection.
- Accidental Exposure (Shadow IT): An employee can utilize personal cloud storage or messaging apps that bypass proper company security and compliance controls.
- Limitations in Response to Incidents: Due to limited control and visibility, tracking, containing, and remediating security incidents involving personal devices is more complex and slower when personal devices are involved.
- Bluetooth Vulnerability: Airpods and other wireless devices can permit an attacker within Bluetooth range to spoof a device that was previously paired, potentially leading to eavesdropping and unauthorized access. Manufacturers have since released updates to protect against this.
Prevention and Mitigation Strategies
Company-sponsored Security Protocol for BYOD:
• Employee training re basic cybersecurity
• Network segmentation: isolation of BYOD devices from the network
• MDM tools: additional tools to control and manage the configuration of devices connected to a company’s network – Ask SMB Support to provide you a quote.
• Company-provided devices such as iPads, Laptops, cell phones
• Specific Security Requirements:
• updated passwords
• remote-wipe capability
• antivirus software installation
Personal devices are extremely common in the workplace. Let us know how we can help you mitigate cybersecurity concerns for your company. Contact us or call 908.895.0273 with any questions or to talk about next steps to take to protect your company.
