BYOD Security Risks

BYOD (Bring Your Own Device) security involves measures to mitigate cybersecurity risks associated with using personal devices for work tasks. While BYOD fosters a flexible work environment, personal devices connected to company networks can pose a great cybersecurity risk. Before we look at the BYOD security risks, one cannot ignore the many benefits of the concept.

BYOD Benefits

In general, BYOD policy adoption cuts costs for enterprises as funds allocated towards employee equipment decrease. Employees’ familiarity with their own devices means less time figuring out how to work the device, and more time working. Statistics show that 50% of employees feel more productive when using their own BYOD for work purposes. Additionally, research by Samsung and Frost & Sullivan found that the use of personal smartphones enables employees to gain almost an hour more work time each day. This results in a 34% boost in productivity (Employees Say Smartphones Boost Productivity).

For employees, most importantly, the flexibility that comes with BYOD policies has improved the work/life balance. According to research, 80% of employees believe that managing a single mobile device aids in balancing their personal and professional lives. The spillover effects that come with a more balanced life bring benefits to both the employee and the organization. However, BYOD does not come without its setbacks. BYOD security risks are the foremost apprehension and primary driver behind the decision to abstain from adopting BYOD policies (Mobile Device Security).

Main BYOD Security Risks

Research by Bitglass found that more than 74% of organizations lack a plan to address BYOD security risks (BYOD Security Report). Since BYODs act as an entry point for malicious actors, this figure is worrying as the attack surface increases. Furthermore, as we will explain, these entry points usually have lower security levels, thereby facilitating the attacker’s task.

The inability to secure BYODs is even more concerning when organizational data is stored on such devices, as BYODs still pose a security threat to the organization even when they are not being used for work purposes.
Below is a non-exhaustive list of some of the security vulnerabilities that will later be related to BYOD (Remote Working Security Risks).

Lax Security

Typically, BYODs will have fewer security features than company-owned devices. As BYODs are also used for personal purposes, their security is frequently neglected, which leaves the device more vulnerable to attack. In some cases, the device lacks the necessary security software or features to notify the user when an attack is taking place.

Furthermore, employees are one of the greatest security risks to organizations. Carelessness and negligence when using BYODs can have extremely harmful consequences for the enterprise. The lack of security features on such BYOD devices, and the other concerns listed below, mean that employee awareness can sometimes be the only security barrier between a malicious actor and a successful hardware-based attack (Human Factors in Cybersecurity).

Vulnerable Peripheral Devices

As employees own the BYOD, they have complete discretion in choosing which peripheral assets to use. This of course depends on the BYOD policy. Whether it be for financial or aesthetic reasons, an employee might be inclined to purchase devices and/or peripherals from sites such as Amazon or AliExpress. And, although such websites offer a variety of options, they also offer manipulated and compromised devices. That glow-in-the-dark keyboard selling for $10 is likely not the most secure (Understanding Contextual Factors of Bring Your Own Device).

Unsecure Access Locations

With workers working from home (which, by the way, is not as secure as one might think), many organizations are adopting work from home cyber security policies on a more permanent basis. In fact, according to Gartner, 47% of organizations will give employees the choice to work from home on a full-time basis. Furthermore, over 80% will allow employees to work from home at least one day a week (Prepare for the Future of Remote Work).

Depending on the organization’s WFH policy, remote work can essentially mean access from anywhere with a good internet connection. This, however, means employees are working in unsecure environments such as coffee shops, public libraries, and group workspaces (Gartner Forecasts 39% of Global Knowledge Workers Will Work Hybrid by the End of 2023). In fact, as BYODs enable the ability to work anytime, anywhere, almost everywhere becomes an unsecure location. Think about how many times you have accessed work emails while waiting for a flight or at a restaurant. When data is stored on the device, the organization is at risk whenever the device is used. Yes, watching Netflix at the airport on the same device that stores company data puts the enterprise in a vulnerable position.

Lost/Stolen Devices

Speaking of unsecured locations, pickpockets thrive in busy places like airports. And pickpocketing might not be the only criminal activity the perpetrator engages in. Stealing devices might be just the first step in their attack. Accessing the device could be the actual goal. Even a lost device can find its way into a cybercriminal’s hand. Either way, if the BYOD gets stolen or lost, the company finds itself in a precarious position when the device contains company data.

But why do these factors trigger security concerns? The answer lies in the realm of BYOD security risks, specifically rogue devices and hardware based attacks.

Rogue Devices

When delving into BYOD security risks, the significance becomes especially evident in relation to rogue devices. These devices, instrumental in hardware-based attacks, represent tools that have been tampered with to carry out malicious actions. They are harmful by nature. And, since hardware based attacks require some form of physical access, BYODs are the perfect target for the reasons mentioned above. Not only are they less secure, but they are more easily accessible (Raspberry Pi Risks – A Friend or Foe?, Hacked Device).

Spoofed Peripherals

The significance of BYOD security risks is particularly pronounced in relation to spoofed peripherals. A spoofed peripheral is a type of rogue device that impersonates a legitimate HID (bad USB). Having been manipulated on the physical layer, which is not covered by existing security software solutions, the spoofing device is not recognized as malicious by the endpoint. Of course, to the human eye, the device looks inconspicuous, and thus raises no alarms for the user, either. So, when your phone dies while working in a local coffee shop, think twice before using some stranger’s USB charger. Though your phone might be injected with life, your endpoint could be injected with malware (USB Attacks, Spoofed Laptops).
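As an added illustration (not part of the original article and not Sepio's product), the sketch below audits USB interface descriptors, as an endpoint agent could read them from the operating system, for devices that unexpectedly declare a keyboard interface. The device names, vendor/product IDs and the `audit` helper are constructed for the example; the last sample shows the limit described above, since a device that clones an approved keyboard's descriptors passes this check.

```python
# Added example: audit USB interface descriptors for unexpected keyboards.
from dataclasses import dataclass

HID, MASS_STORAGE = 0x03, 0x08   # USB-IF interface class codes
KEYBOARD = 0x01                  # HID bInterfaceProtocol value for a keyboard

@dataclass(frozen=True)
class UsbDevice:
    vid: int
    pid: int
    product: str
    interfaces: tuple  # (bInterfaceClass, bInterfaceSubClass, bInterfaceProtocol)

def has_keyboard(dev):
    """True if any interface declares itself as a HID keyboard."""
    return any(c == HID and p == KEYBOARD for c, _, p in dev.interfaces)

def audit(devices, approved_keyboards):
    """Return (product, reason) findings for devices able to send keystrokes."""
    findings = []
    for dev in devices:
        if not has_keyboard(dev):
            continue  # no keyboard interface, so out of scope for this check
        classes = {c for c, _, _ in dev.interfaces}
        if MASS_STORAGE in classes:  # heuristic: unusual combination
            findings.append((dev.product, "keyboard and storage on one device"))
        if (dev.vid, dev.pid) not in approved_keyboards:
            findings.append((dev.product, "keyboard not in approved inventory"))
    return findings

# Constructed sample data (hypothetical IDs, not taken from the article).
APPROVED = {(0x1111, 0x0001)}
SAMPLE = [
    UsbDevice(0x1111, 0x0001, "Office Keyboard", ((HID, 1, KEYBOARD),)),
    UsbDevice(0x2222, 0x0002, "Flash Drive", ((MASS_STORAGE, 6, 0x50),)),
    UsbDevice(0x3333, 0x0003, "USB Charger Cable", ((HID, 1, KEYBOARD),)),
    UsbDevice(0x4444, 0x0004, "Promo USB Stick",
              ((MASS_STORAGE, 6, 0x50), (HID, 1, KEYBOARD))),
    # Cloned IDs: indistinguishable from the approved keyboard at this level.
    UsbDevice(0x1111, 0x0001, "Office Keyboard", ((HID, 1, KEYBOARD),)),
]

if __name__ == "__main__":
    for product, reason in audit(SAMPLE, APPROVED):
        print(f"{product}: {reason}")
```

The charger cable and the promo stick are flagged, while the cloned keyboard is not, which is why descriptor allowlists reduce exposure but do not replace physical-layer verification.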

Juice Jacking

BYODs can become targets at any moment, not solely during work-related activities. When your phone dies at the airport, it is not usually a problem thanks to the many charging stations nearby. But, again, that charger could have been manipulated to do more than just charge your phone. If your phone stores company data, the manipulated charger can access such data without you having the faintest idea. This attack is known as juice jacking.

Maybe you are the type to always have a charger nearby, so you think this does not apply to you. But your BYOD could have been manipulated. The cheap, aesthetically pleasing USB stick, keyboard, or mouse you bought on Amazon might have been a win at only $10… But the losses will be much more than that when the device starts performing a malicious cyberattack. Yes, sometimes Amazon finds really are too good to be true (Destruct USB gadget, ZWIZX USB password reset).

Network Implants

Network implants are another type of rogue device. As network implants sit on the physical layer, they run under the radar of existing network security solutions. This includes NAC, so the implant goes completely undetected (Moving Beyond NACs). Again, whether you’re connecting to a WiFi hotspot for work purposes or not, one of the major BYOD security risks is how vulnerable the device is to an attack. With no security protection against network implants, you cannot be sure that the access point (AP) is secure. Acting as a man-in-the-middle, the network implant enables the perpetrator to intercept traffic, inject data packets, and even exfiltrate data, all without the victim knowing.

BYOD Security Measures

BYOD security measures are critical to secure the company network, data and applications from any potential security threats introduced by BYOD devices.

Network Segmentation: Separate BYOD devices from critical company resources to contain potential compromises.

Access Control: Employ robust authentication methods to restrict access to corporate data on BYOD devices.

Encryption: Safeguard sensitive data by encrypting it both at rest and in transit.

Endpoint Security Solutions: Utilize antivirus, firewalls, and intrusion detection/prevention systems to defend against threats from BYOD devices.

Monitoring and Incident Response: Continuously monitor network activity and BYOD device behavior to detect and respond to security incidents effectively.

BYOD security also involves ensuring that BYOD devices themselves are adequately protected against malware, phishing attacks, and other security threats.

Policy Implementation

A BYOD policy with strict rules can regulate the use of BYODs by restricting which devices can be used, as well as where and how. Furthermore, a BYOD policy can address the issue of insufficient security by requiring BYODs to have specific security measures in place. Although such security measures will not be able to detect the presence of a rogue device, they can reduce the damage a hardware attack can cause. Anti-malware software, for example, can notify the user when malware has been detected. This allows a remediation process to come into effect quicker than if the software were not in place. Policies, however, are ineffective if not enforced properly, which is, in itself, a challenge.

Employee Awareness

One of the vulnerabilities that hardware attacks exploit is the carelessness of employees when connecting. This applies whether they are attaching a peripheral to their endpoint or linking their endpoint to a network. Enhancing employee awareness of such attacks will, hopefully, make them more cautious when connecting. This, however, is not a foolproof solution, as attackers use extremely deceitful social engineering techniques that even some of the most highly trained professionals fail to recognize (Internal Threats).

Overcoming BYOD Security Risks – Sepio Solution

In the context of BYOD security risks, Sepio’s Asset Risk Management provides the perfect solution to the security problems associated with BYODs. Using its unique in-depth probing capabilities, Sepio provides detailed hardware-level visibility and verification for IoT/OT/IT devices across the network and peripheral infrastructure, whether the device is managed, unmanaged or hidden. By covering unmanaged devices, Sepio enables the enforcement of Zero Trust on BYODs when applicable.

Furthermore, Sepio’s policy enforcement mechanism enables hardware access control by enforcing a strict, or more granular, set of rules based on the device’s characteristics. And, importantly, Sepio instantly detects any devices which breach the pre-set policy, automatically instigating a mitigation process to block the device, thus preventing malicious actors from successfully carrying out an attack. And, with BYODs providing so many entry points for attackers, it is essential to have a security solution in place that detects an attack, no matter where it comes from.

May 25th, 2021