Are you aware of BYOD security risks?
Bring Your Own Device (BYOD) is the concept whereby employees use their own computing devices for work purposes. In other words, the use of personal devices to access organizational networks, work-related systems. In some cases, sensitive or confidential data are accessed through employees’ personal devices (which from now will be referred to as BYODs). The use of BYODs has not only created a more heterogenous environment but has also enabled greater flexibility by permitting employees to work remotely while still maintaining full functionality. While BYOD is not a new concept, not all organizations have welcomed such a trend. However, the sudden shift to remote work caused by the Covid-19 pandemic has meant that even enterprises that were once opposed to the BYOD concept have had to make concessions and quickly adopt BYOD policies. Before we look at the BYOD security risks, one cannot ignore the many benefits of the concept.
Primarily, BYOD policies have enabled enterprises to continue operations during the pandemic; a time where many were not so lucky and, as a result, had to permanently close due to a devastating loss of revenue. In general, BYOD policy adoption has cut costs for enterprises as funds allocated towards employee equipment decreases. Furthermore, the use of personal devices has improved productivity. Employees’ familiarity with their own devices means less time figuring out how to work the device, and more time working. Statistics show that 50% of employees feel more productive when using their own devices for work purposes. Additionally, research by Samsung and Frost & Sullivan found that the use of personal smartphones enables employees to gain almost an hour more work time each day. This results in a 34% boost in productivity.
For employees, most importantly, the flexibility that comes with BYOD policies has improved the work/life balance. According to research, 80% of employees believe that managing a single mobile device aids in balancing their personal and professional lives. The spillover effects that come with a more balanced life bring benefits to both the employee and the organization. However, BYOD does not come without its setbacks. The biggest concern, and the primary reason behind the choice not to adopt BYOD policies, is that of security.
Research by Bitglass found that more than 74% of organizations lack a plan to secure BYODs. Since BYODs act as an entry point for malicious actors, this figure is worrying as the attack surface increases. More so, as will be explained, such entry points are typically less secure, thus making the attacker’s job easier.
The inability to secure BYODs is even more concerning when organizational data is stored on such devices as, even when not used for work purposes, BYODs still pose a threat to the organization. Below is a non-exhaustive list of some of the security vulnerabilities that will later be related to BYODs.
Typically, BYODs will have fewer security features than company-owned devices. As BYODs are also used for personal purposes, the presence of multiple security features greatly obstructs the user’s experience and are therefore often forgone. In doing so, however, the device is more vulnerable to attack. And, in some cases, lacks the necessary security software or features to notify the user when an attack is taking place.
Furthermore, employees are one of the greatest security risks to organizations. Carelessness and negligence when using BYODs can have extremely harmful consequences for the enterprise; especially when considering the other BYOD security risks. The lack of security features on such devices, and the other concerns listed below, mean that employee awareness can sometimes be the only barrier between a malicious actor and a successful attack.
Since BYODs are owned by the employee, the employee has full discretion as to which devices and peripherals are used. This of course depends on the BYOD policy. Whether it be for financial or aesthetic reasons, or something else entirely, an employee might be inclined to purchase devices and/or peripherals from site such as Amazon or AliExpress. And, although such websites offer a variety of options, they also offer manipulated and compromised devices. That glow in the dark keyboard selling for $10 is likely not the most secure.
While the sudden shift in remote work was the result of a pandemic which meant that most remote workers were working from home (which, by the way, is not as secure as one might think), many organizations are adopting work from home (WFH) policies on a more permanent basis. In fact, according to Gartner, 47% of organizations will give employees the choice to WFH on a full-time basis. Furthermore, over 80% will allow employees to WFH at least one day a week.
With lockdowns easing, and depending on the organization’s WFH policy, remote work can essentially mean working from anywhere with a good internet connection. This, however, means employees are working in unsecure environments such as coffee shops, public libraries, and group workspaces. In fact, as BYODs enable the ability work anytime anywhere, almost everywhere becomes an unsecure location. Think about how many times you have checked work emails while waiting for a flight or at a restaurant. In cases where data is stored on the device, the organization is at risk anytime said device is used; yes, watching Netflix at the airport on the same device that stores company data puts the enterprise in a vulnerable position.
Speaking of unsecured locations, pick-pocketers thrive in busy places like airports; and pickpocketing might not only be the criminal activity the perpetrator engages in. Stealing a laptop or phone might be just the first step in their attack; accessing the device could be the actual goal. Even a lost device can find its way into a cybercriminal’s hand. Either way, whether the BYOD is stolen or lost, the company is in a perilous position if that device stores company data.
But why are these factors a security concern? It all comes down to Rogue Devices and hardware-based attacks.
Rogue devices, which are the tools used in hardware-based attacks, are those which have been manipulated to act with malicious intent; they are harmful by nature. And, since hardware-based attacks require some form of physical access, BYODs are the perfect target for the reasons mentioned above; not only are they less secure, but they are more easily accessible.
A spoofed peripheral is a type of rogue device that impersonates a legitimate HID. Having been manipulated on the Physical Layer, which is not covered by existing security software solutions, the spoofing device is not recognized as malicious by the endpoint. Of course, to the human eye, the device looks inconspicuous and thus raises no alarms to the user, either. So, when your phone dies while working in a local coffee shop, think twice before using some stranger’s USB charger. Though your phone might be injected with life, your endpoint could be injected with malware.
As mentioned, BYODs can be a target at any time, not only when used for work purposes. When your phone dies at the airport, it is not usually a problem thanks to the many charging stations nearby. But, again, that charger could have been manipulated to do more than just charge your phone. If your phone stores company data, the manipulated charger can access such data without you having the faintest idea. This attack is known as Juice Jacking.
Maybe you are the type to always have a charger nearby, so you think this does not apply to you. But your own device could have been manipulated. The cheap, aesthetically pleasing USB stick, keyboard, or mouse you bought on Amazon might have been a win at only $10… But the losses will be much more than that when the device starts preforming a malicious cyberattack. Yes, sometimes Amazon finds really are too good to be true.
Network implants are another type of rogue device. As network implants sit on the Physical Layer, they run under the radar of existing network security solutions. This includes NAC, thereby going completely undetected. Again, whether you’re connecting to a WiFi hotspot for work purposes or not, one of the major BYOD security risks is how vulnerable it is to an attack. With no protection against network implants, you cannot be sure that the access point (AP) is secure. Acting as a man-in-the-middle, the network implant enables the perpetrator to intercept traffic, inject data packets, and even exfiltrate data, all without the victim knowing.
A BYOD policy with strict rules can regulate the use of BYODs by restricting which devices can be used, as well as where and how, through an Acceptable Use Policy. Furthermore, a BYOD policy can address the issue of insufficient security by requiring BYODs to have specific security measures in place. Although such measures will not be able to detect the presence of a rogue device, they can reduce the damage a hardware attack can cause. Anti-malware software, for example, can notify the user when malware has been detected. This allows a remediation process to come into effect quicker than if the software were not in place. Policies, however, are ineffective if not enforced properly which is, in itself, a challenge.
One of the vulnerabilities that hardware attack exploits is the carelessness of employees when connecting. This is whether they are connecting a peripheral to their endpoint, or their endpoint to a network. Enhancing employee awareness of such attacks will, hopefully, make them more cautious when connecting. This, however, is not a full proof solution as attackers use extremely deceitful social engineering techniques that even some of the most highly trained professionals fail to recognize.
Sepio’s Hardware Access Control solution (HAC-1) provides the perfect solution to the security problems associated with BYODs. Using its unique in-depth probing capabilities, Sepio’s HAC-1 solution provides detailed Hardware level visibility and verification for IoT/OT/IT devices across the network and peripheral infrastructure, whether the device is managed, unmanaged or hidden. By covering unmanaged devices, HAC-1 enables the enforcement of Zero Trust (ZT) on BYODs when applicable.
Furthermore, the solution’s policy enforcement mechanism enables Hardware Access Control by enforcing a strict, or more granular, set of rules based on the device’s characteristics. And, importantly, HAC-1 instantly detects any devices which breach the pre-set policy, automatically instigating a mitigation process to block the device, thus preventing malicious actors from successfully carrying out an attack. And, with BYODs providing so many entry points for attackers, it is essential to have a solution in place that detects an attack, no matter where it comes from.