Corporate security
With personal devices within corporate networks a potentially flammable mix, a cavalier approach to BYOD security won’t solve the problem
06 February 2024
6-minute read
As remote work (which later often morphed into hybrid work) helped organizations weather the upheaval caused by the pandemic, it strengthened their resilience. With the boundaries between work and home becoming more blurred than ever, many people want, or even need, to access work resources not only from anywhere at any time, but also from any device, including personal devices used to complete work and access company data.
On the other hand, using personal devices for work, either exclusively or in conjunction with employer-provided devices, poses greater cybersecurity risks, especially if it is not supported by robust security practices and precautions. While concerns about Bring Your Own Device (BYOD) arrangements are hardly new, the growing reliance on personal devices for work has breathed new life into the potentially daunting challenges of protecting corporate data and has necessitated a reevaluation and adjustment of existing corporate data protection policies to adapt to the changing work environment.
So, how can employees and organizations mitigate the cyber risks associated with employee-owned devices and avoid jeopardizing company data and that of their customers? While there is no one-size-fits-all solution, some measures will go a long way in protecting businesses from harm.
Reduce your company’s attack surface
The use of devices by employees outside the purview of IT becomes, especially if left uncontrolled, a serious threat to company data. In an era where bad actors are constantly looking for cracks in companies’ armor, limiting the number of such potential entry points is a no-brainer. Organizations must therefore take an inventory of all devices accessing their networks, and establish the security standards and configurations that employee devices must meet to ensure a basic level of protection.
Rogue apps or other software on employee-owned devices are a common source of risk that shadow IT as a whole poses to the integrity, availability and confidentiality of business data and systems. To combat unregulated third-party access to sensitive data, organizations can benefit from creating a “barrier” between personal and work-related information on devices and applying application blacklist (or whitelist) controls. There are also other ways to keep tabs on employee-owned devices with the help of dedicated mobile device management software, which brings us to the next point.
Update software and operating systems
The importance of installing security updates to promptly patch known vulnerabilities cannot be overstated, as hardly a day goes by without news of new vulnerabilities being discovered in widely used software.
Ensuring that employees are working on up-to-date devices is certainly easier when they use company-issued laptops and smartphones and can rely on the support of the IT department to stay up-to-date and install software updates on their machines soon after they are released. Many companies today use device management software to make it easier not only to install updates on employee devices, but also to generally strengthen their security.
If the job of keeping the software on their devices up to date falls to the employees themselves, organizations can, at the very least, be diligent about reminding their employees that patches are available, providing them with how-to guides for applying updates, and monitoring progress.
Establish a secure connection
If a remote employee needs to access the organization’s network, the organization must be aware of this. Remote workers can use not only home Wi-Fi networks, but also public Wi-Fi networks. In either scenario, a properly configured virtual private network (VPN) that allows remote workers to access company resources as if they were sitting in the office is a simple way to reduce the organization’s exposure to weaknesses that could otherwise be exploited by cyber criminals.
Another way to enable remote connectivity in an organization’s IT environment is through Remote Desktop Protocol (RDP). As much of the world’s population transitioned to working from home, the number of RDP connections increased dramatically, as did attacks against RDP endpoints. There have been numerous cases where attackers have found ways to exploit misconfigured RDP settings or weak passwords to gain access to corporate networks. A successful cybercriminal can use these openings to steal intellectual property, encrypt and hold all company files for ransom, trick an accounting department into transferring money to accounts under their control, or wreak havoc on the company’s data backups.
The good news is that there are many ways to protect yourself from RDP-borne attacks. RDP access must be configured correctly, including disabling Internet-facing RDP and requiring strong, complex passwords for all accounts that can be accessed via RDP. There’s more to proper RDP configuration, and our recent document has you covered.
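As an added example (not code from the original article or its authors), the following read-only PowerShell audit checks the two RDP points above on a Windows host: whether RDP is enabled and reachable from any remote address, whether Network Level Authentication is required, and whether the local minimum password length meets an assumed policy value of 12 characters. The registry keys and cmdlets are standard Windows ones; the 12-character threshold is an assumption.

```powershell
# Added example, not part of the original article. Read-only audit of the RDP
# configuration points discussed above; it changes nothing on the host.
$findings = @()

# 1. Is RDP enabled at all? fDenyTSConnections = 1 means RDP is disabled.
$ts = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
if ($ts.fDenyTSConnections -eq 0) {
    $findings += 'RDP is enabled on this host.'

    # 2. Network Level Authentication should be required (UserAuthentication = 1).
    $rdpTcp = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
    if ($rdpTcp.UserAuthentication -ne 1) {
        $findings += 'Network Level Authentication is not required for RDP.'
    }

    # 3. Enabled inbound RDP firewall rules should be scoped to known addresses,
    #    not left open to "Any", which is what makes RDP Internet-facing.
    $rules = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound -Enabled True -ErrorAction SilentlyContinue
    foreach ($rule in $rules) {
        $remote = ($rule | Get-NetFirewallAddressFilter).RemoteAddress
        if ($remote -contains 'Any') {
            $findings += "Firewall rule '$($rule.DisplayName)' allows RDP from any remote address."
        }
    }
}

# 4. Local password policy: minimum length reported by 'net accounts'.
#    The 12-character threshold is an assumed policy value, not from the article.
$minLenLine = (net accounts | Select-String 'Minimum password length').ToString()
$minLen = [int]($minLenLine -replace '\D', '')
if ($minLen -lt 12) {
    $findings += "Minimum password length is $minLen; policy assumes at least 12."
}

if ($findings.Count -eq 0) { 'No RDP exposure issues found.' } else { $findings }
```

Run it in an elevated PowerShell session on the host being checked; on a domain-joined machine the effective password policy comes from Group Policy, so also review the domain policy rather than relying on the local value alone.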
Protect the Crown Jewels
Storing sensitive company data on a personal device clearly poses a risk, especially if the device is lost or stolen while not password protected and its hard drive is not encrypted. The same goes for allowing someone else to use your device. Even if it is “just” a family member, this practice can still lead to the compromise of the company’s crown jewels, regardless of whether the data is stored locally or, as is common in the work-from-anywhere era, in the cloud.
A few simple measures, such as making password protection and automatic locking mandatory and teaching employees the need to prevent anyone else from using the device, will go a long way in protecting your company’s data from harm.
To limit the risk of unauthorized individuals accessing sensitive information, organizations should encrypt sensitive data both in transit and at rest, implement multi-factor authentication, and secure network connections.
Secure video conferencing
Video conferencing services have seen a boom thanks to the pandemic as all originally in-person meetings have moved to the virtual world. Organizations should create guidelines for using video conferencing services, such as what software to use and how to secure the connection.
More specifically, it is advisable to use software that has robust security features, including end-to-end encryption and password protection for calls, which will protect your confidential data from prying eyes. It goes without saying that video conferencing software needs to be kept up to date with the latest security updates to ensure that any gaps in the software are patched quickly.
Software and people
We would be remiss not to mention that forgoing reliable multi-layered security software on devices that have access to corporate systems is a recipe for disaster. Such software, especially when managed by the company’s IT or security team, can save everyone a lot of headaches and, ultimately, time and money. Among other things, it can provide protection against the latest malware threats, protect company data even if the device is lost, and help system administrators keep devices compliant with company security policies.
Ensuring devices and data are backed up regularly (and testing those backups) and providing security awareness training to staff are other simple measures: technical controls wouldn’t be complete if employees didn’t understand the increased risks that come with the use of personal devices for work.