BYOD (Bring Your Own Device) security risks arise when employees use personal devices for work, accessing sensitive data and organizational networks. While BYOD fosters a heterogeneous and flexible environment, the sudden shift to remote work during COVID-19 prompted widespread adoption, even by previously resistant enterprises.
Despite its benefits, the practice brings concerns of data breaches and compromised security. Balancing convenience with robust measures is essential to safeguard against potential risks, so that the advantages of BYOD can be harnessed while vulnerabilities are mitigated. Before we look at the BYOD security risks, one cannot ignore the many benefits of the concept.
BYOD Security Benefits
Primarily, BYOD policies have enabled enterprises to continue operations during the pandemic, a time when many were not so lucky and, as a result, had to permanently close due to a devastating loss of revenue. In general, BYOD policy adoption has cut costs for enterprises as the funds allocated to employee equipment decrease. Furthermore, the use of personal devices has improved productivity.
Employees’ familiarity with their own devices means less time figuring out how to work the device, and more time working. Statistics show that 50% of employees feel more productive when using their own devices for work purposes. Additionally, research by Samsung and Frost & Sullivan found that the use of personal smartphones enables employees to gain almost an hour more work time each day. This results in a 34% boost in productivity.
For employees, most importantly, the flexibility that comes with BYOD policies has improved the work/life balance. According to research, 80% of employees believe that managing a single mobile device aids in balancing their personal and professional lives. The spillover effects that come with a more balanced life bring benefits to both the employee and the organization. However, BYOD does not come without its setbacks. BYOD security risks are the foremost apprehension and primary driver behind the decision to abstain from adopting BYOD policies.
BYOD Security Risks
Research by Bitglass found that more than 74% of organizations lack a plan to address BYOD security risks. Since BYODs act as an entry point for malicious actors and increase the attack surface, this figure is worrying. Furthermore, as we will explain, these entry points usually have lower security levels, thereby facilitating the attacker’s task.
The inability to secure BYODs is even more concerning when organizational data is stored on such devices as, even when not used for work purposes, BYODs still pose a threat to the organization. Below is a non-exhaustive list of some of the security vulnerabilities that will later be related to BYODs (Remote Working Security Risks).
Typically, BYODs will have fewer security features than company-owned devices. As BYODs are also used for personal purposes, they are frequently neglected. That neglect, however, leaves the device more vulnerable to attack. In some cases, the device lacks the necessary security software or features to notify the user when an attack is taking place.
Furthermore, employees are one of the greatest security risks to organizations (Human Factors in Cybersecurity). Carelessness and negligence when using BYODs can have extremely harmful consequences for the enterprise, especially when considering the other BYOD security risks. The lack of security features on such devices, and the other concerns listed below, mean that employee awareness can sometimes be the only barrier between a malicious actor and a successful hardware-based attack.
BYOD security risks are evident in this context:
As employees own the BYODs, they have complete discretion in choosing which devices and peripherals to use. This of course depends on the BYOD policy. Whether it be for financial or aesthetic reasons, or something else entirely, an employee might be inclined to purchase devices and/or peripherals from sites such as Amazon or AliExpress. And, although such websites offer a variety of options, they also offer manipulated and compromised devices. That glow-in-the-dark keyboard selling for $10 is likely not the most secure.
BYOD security risks are a relevant factor:
With employees working from home (which, by the way, is not as secure as one might think), many organizations are adopting Work from Home (WFH) policies on a more permanent basis. In fact, according to Gartner, 47% of organizations will give employees the choice to WFH on a full-time basis. Furthermore, over 80% will allow employees to WFH at least one day a week.
With lockdowns easing, and depending on the organization’s WFH policy, remote work can essentially mean working from anywhere with a good internet connection. This, however, means employees are working in unsecure environments such as coffee shops, public libraries, and group workspaces. In fact, as BYODs make it possible to work anytime, anywhere, almost everywhere becomes an unsecure location. Think about how many times you have checked work emails while waiting for a flight or at a restaurant. When data is stored on the device, the organization is at risk whenever the device is used. Yes, watching Netflix at the airport on the same device that stores company data puts the enterprise in a vulnerable position.
Speaking of unsecured locations, pickpockets thrive in busy places like airports. And pickpocketing might not be the only criminal activity the perpetrator engages in. Stealing a laptop or phone might be just the first step in their attack. Accessing the device could be the actual goal. Even a lost device can find its way into a cybercriminal’s hands. Either way, if the BYOD gets stolen or lost, the company finds itself in a precarious position when the device contains company data.
But why do these factors trigger security concerns? The answer lies in the realm of BYOD security risks, specifically Rogue Devices and hardware-based attacks.
When delving into BYOD security risks, the significance becomes especially evident in relation to Rogue Devices. These devices, instrumental in hardware-based attacks, are tools that have been tampered with to carry out malicious actions. They are harmful by nature. And, since hardware-based attacks require some form of physical access, BYODs are the perfect target for the reasons mentioned above. Not only are they less secure, but they are more easily accessible.
The significance of BYOD security risks is particularly pronounced in relation to spoofed peripherals. A spoofed peripheral is a type of rogue device that impersonates a legitimate HID (BadUSB). Having been manipulated on the physical layer, which is not covered by existing security software solutions, the spoofing device is not recognized as malicious by the endpoint. Of course, to the human eye, the device looks inconspicuous and thus raises no alarms for the user, either. So, when your phone dies while working in a local coffee shop, think twice before using some stranger’s USB charger. Though your phone might be injected with life, your endpoint could be injected with malware.
The realm of BYOD security risks emphasizes that BYODs can become targets at any moment, not solely during work-related activities. When your phone dies at the airport, it is not usually a problem thanks to the many charging stations nearby. But, again, that charger could have been manipulated to do more than just charge your phone. If your phone stores company data, the manipulated charger can access such data without you having the faintest idea. This attack is known as juice jacking.
Maybe you are the type to always have a charger nearby, so you think this does not apply to you. But your own device could have been manipulated. The cheap, aesthetically pleasing USB stick, keyboard, or mouse you bought on Amazon might have been a win at only $10… But the losses will be much more than that when the device starts performing a malicious cyberattack. Yes, sometimes Amazon finds really are too good to be true.
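An added example, not part of the original article or of any vendor product: a minimal Python check that compares what a USB peripheral enumerates as against what the employee registered it as in a BYOD inventory. The device records, IDs, allowlist and the `declared_as` field are constructed assumptions; because descriptors are self-reported, the last sample (a clone of an approved keyboard) passes, which is the blind spot described above.

```python
# Added example: screen USB enumeration records against a BYOD peripheral policy.
# All device records, IDs and the allowlist are constructed for illustration.
MASS_STORAGE_CLASS = 0x08                # USB class code: mass storage
BOOT_KEYBOARD = (0x03, 0x01, 0x01)       # HID class, boot subclass, keyboard protocol
APPROVED_KEYBOARDS = {("1111", "0001")}  # hypothetical approved (vendor, product) IDs

def evaluate(device):
    """Return policy findings for one enumerated USB device."""
    ifaces = device["interfaces"]
    findings = []
    # This sketch only looks at the boot-keyboard triple; a HID keyboard that
    # does not use the boot subclass needs its report descriptor inspected.
    if BOOT_KEYBOARD not in ifaces:
        return findings  # no boot-keyboard interface declared; nothing to assess
    if (device["vid"], device["pid"]) not in APPROVED_KEYBOARDS:
        findings.append("unapproved-keyboard")
    if any(cls == MASS_STORAGE_CLASS for cls, _, _ in ifaces):
        findings.append("keyboard-plus-storage")
    if device["declared_as"] != "keyboard":
        findings.append("undeclared-keystroke-interface")
    return findings

def audit(devices):
    """Map each device name to its findings (an empty list means it passes)."""
    return {d["name"]: evaluate(d) for d in devices}

SAMPLE_DEVICES = [  # constructed records, not captured from real hardware
    {"name": "office keyboard", "vid": "1111", "pid": "0001",
     "declared_as": "keyboard", "interfaces": [(0x03, 0x01, 0x01)]},
    {"name": "flash drive", "vid": "2222", "pid": "0002",
     "declared_as": "storage", "interfaces": [(0x08, 0x06, 0x50)]},
    {"name": "charging cable", "vid": "3333", "pid": "0003",
     "declared_as": "charger", "interfaces": [(0x03, 0x01, 0x01)]},
    {"name": "bargain usb stick", "vid": "4444", "pid": "0004",
     "declared_as": "storage",
     "interfaces": [(0x08, 0x06, 0x50), (0x03, 0x01, 0x01)]},
    # Same IDs and interface as the approved keyboard: descriptors alone
    # cannot tell this clone apart, so it passes the check.
    {"name": "cloned keyboard", "vid": "1111", "pid": "0001",
     "declared_as": "keyboard", "interfaces": [(0x03, 0x01, 0x01)]},
]

if __name__ == "__main__":
    for name, findings in audit(SAMPLE_DEVICES).items():
        print(f"{name}: {', '.join(findings) or 'pass'}")
```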
Network implants are another type of rogue device. As network implants sit on the Physical Layer, they run under the radar of existing network security solutions. This includes NAC, so the implant goes completely undetected (Moving Beyond NACs). Again, whether you’re connecting to a WiFi hotspot for work purposes or not, one of the major BYOD security risks is how vulnerable the device is to an attack. With no protection against network implants, you cannot be sure that the access point (AP) is secure. Acting as a man-in-the-middle, the network implant enables the perpetrator to intercept traffic, inject data packets, and even exfiltrate data, all without the victim knowing.
BYOD Security Solutions
BYOD security risks can be managed through a stringent BYOD policy. A BYOD policy with strict rules can regulate the use of BYODs by restricting which devices can be used, as well as where and how, through an Acceptable Use Policy. Furthermore, a BYOD policy can address the issue of insufficient security by requiring BYODs to have specific security measures in place. Although such measures will not be able to detect the presence of a rogue device, they can reduce the damage a hardware attack can cause. Anti-malware software, for example, can notify the user when malware has been detected. This allows a remediation process to come into effect more quickly than if the software were not in place. Policies, however, are ineffective if not enforced properly, which is, in itself, a challenge.
Hardware attacks often capitalize on the carelessness of employees during the connection process. This applies whether they are attaching a peripheral to their endpoint or linking their endpoint to a network. Enhancing employee awareness of such attacks will, hopefully, make them more cautious when connecting. This, however, is not a foolproof solution, as attackers use extremely deceitful social engineering techniques that even some of the most highly trained professionals fail to recognize (Internal Threats).
In the context of BYOD security risks, Sepio’s platform (HAC-1) provides the perfect solution to the security problems associated with BYODs. Using its unique in-depth probing capabilities, Sepio’s solution provides detailed hardware-level visibility and verification for IoT/OT/IT devices across the network and peripheral infrastructure, whether the device is managed, unmanaged or hidden. By covering unmanaged devices, Sepio enables the enforcement of Zero Trust on BYODs when applicable.
Furthermore, the solution’s policy enforcement mechanism enables Hardware Access Control by enforcing a strict, or more granular, set of rules based on the device’s characteristics. And, importantly, Sepio instantly detects any devices which breach the pre-set policy, automatically instigating a mitigation process to block the device, thus preventing malicious actors from successfully carrying out an attack. And, with BYODs providing so many entry points for attackers, it is essential to have a solution in place that detects an attack, no matter where it comes from.