Business professionals have moved from corporate offices to their homes and other remote locations and back again, with many now splitting their time through new hybrid workplace models. Regardless of location, workers often use their personal devices to get the job done.
You may be surprised to learn that an overwhelming 89% of associates employ their own devices or apps for work due to better ease of use compared to company-provided options, according to the Diversified Technology Maturity Survey of more than 1,600 U.S. employees. Given the widespread BYOD usage—and all that we have learned about remote and hybrid work—you might think that enterprises had BYOD security solved.
The reality? That’s typically not the case. Many businesses still lack the controls needed to protect their organizations in a BYOD world. Here’s how BYOD creates business risk and what companies can do to address it.
Split Tunneling Concerns
Several business and IT leaders have told me they trust their employees not to visit or download materials from inappropriate or illegal websites. Trusting your employees to behave ethically and responsibly is a good instinct. But what these company and department heads often fail to understand is that most cyber incidents result from mistakes, not malicious intent.
For example, if an employee incorrectly keys in a website address, or maybe their child uses their device to play video games and downloads a plug-in, their machine can get infected. Even the most innocent actions by your employees can create cyber risk.
During the pandemic, a lot of companies enabled split tunneling to reduce their bandwidth costs. These split tunneling adopters instructed their employees to use a VPN to connect to corporate networks, but encouraged associates to use their own connectivity for internet work in browsers such as Google Chrome, Internet Explorer, and Mozilla Firefox.
However, home networks are some of the most vulnerable networks on the planet. They often include home automation devices that have never been patched. Home routers may not be password protected, or a technician who installed the router may have seen the password on the back of the device and used it later to log in, so outsiders may already be lurking within the home network.
If a laptop that’s using split tunneling is not correctly configured and monitored, an adversary could attack that machine and use it to jump into your corporate network. The best approach to split tunneling is to avoid using split tunneling.
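One way to audit managed laptops against the split-tunneling advice above, as an added example that is not from the original article. It assumes the VPN client is WireGuard, where the `AllowedIPs` setting decides which destinations enter the tunnel; the sample configs, addresses and keys are constructed placeholders.

```python
import ipaddress

# Constructed sample client configs: placeholder keys, RFC 5737 endpoint address.
FULL_TUNNEL = """[Interface]
PrivateKey = <placeholder>
[Peer]
PublicKey = <placeholder>
Endpoint = 192.0.2.10:51820
AllowedIPs = 0.0.0.0/0, ::/0
"""
SPLIT_TUNNEL = FULL_TUNNEL.replace("0.0.0.0/0, ::/0", "10.20.0.0/16  # corporate only")
# Two IPv4 halves act like a default route, but IPv6 still bypasses the VPN.
HALVES = FULL_TUNNEL.replace("0.0.0.0/0, ::/0", "0.0.0.0/1, 128.0.0.0/1")

def allowed_networks(conf_text):
    """Collect every AllowedIPs prefix from all [Peer] sections."""
    nets, in_peer = [], False
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line:
            continue
        if line.startswith("["):
            in_peer = line.lower() == "[peer]"
            continue
        key, _, value = line.partition("=")
        if in_peer and key.strip().lower() == "allowedips":
            for item in value.split(","):
                if item.strip():
                    nets.append(ipaddress.ip_network(item.strip(), strict=False))
    return nets

def tunnel_mode(conf_text):
    """Return 'full' only when the peers' AllowedIPs cover all of IPv4 and IPv6."""
    nets = allowed_networks(conf_text)
    covered = {}
    for version, everything in ((4, "0.0.0.0/0"), (6, "::/0")):
        same_family = [n for n in nets if n.version == version]
        merged = list(ipaddress.collapse_addresses(same_family))
        covered[version] = merged == [ipaddress.ip_network(everything)]
    if covered[4] and covered[6]:
        return "full"
    if covered[4]:
        return "full-ipv4-only"   # IPv6 traffic leaves over the home network
    return "split"

if __name__ == "__main__":
    for name, conf in (("full", FULL_TUNNEL), ("split", SPLIT_TUNNEL), ("halves", HALVES)):
        print(name, "->", tunnel_mode(conf))
```

Any result other than `full` means some traffic leaves the laptop over the local network rather than through the corporate tunnel.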
BYOD Corporate Standards
Some companies bought and configured computers for people who had to work from home during the pandemic. But a lot of businesses didn’t have the resources to do that, so they advised their associates to buy laptops online or from a big box store.
Businesses taking this BYOD approach now must contend with a mixture of machines, many of which are not owned or managed by the company, and most of which are not enterprise-grade. Plus, now that people are on the move again and many companies have hybrid work environments, employees often use these devices to log in from corporate and home offices, as well as airports, coffee shops, hotels, and more. That creates risk; in these situations, companies lack the security controls they had when people worked on stationary desktop computers at the office.
Gain control of your BYOD environment and secure your IT environment (and company) by limiting the use of devices to corporate-approved machines. Ask employees to sign a document explaining that you will allow them to use their own device, but during their employment with your company, it will adhere to your corporate standards. This includes the company’s ability to install a corporate “image” on the device, which should include all of the security and management software that is used on standard corporate systems.
Security over Convenience
If you’re a CIO or CISO, you’ve likely heard employees say that they want to use a particular application, rather than what you have invested in and provided, because it’s better, faster, or easier. They might even go ahead and get the legacy or freeware version of their tool of choice and start using it for work.
But in a corporation, free rein comes with significant risk. If employees use freemium or individual versions of software for business—with or without your knowledge or consent—your company may be in violation of the software supplier’s licensing rules.
Avoid legal and cybersecurity risks by removing administrator rights on BYOD devices to prevent employees from administering their own patches and installing their own apps and software. While the removal of local administrator rights will raise the level at which an IT organization must operate, it removes a lot of risks on your endpoints.
To combat cyber risks, you have to involve IT, human resources, legal, the executive team, and your associates, as there are a lot of factors to consider. The best tools in the world will be useless if you do not ensure everyone is aligned with the risks and the compensating controls. Depending on where you operate, you may also need to address privacy rules like GDPR.
Take a cross-departmental approach as you work to address the BYOD security challenge and ensure that you take the right approach to securing devices and your business. Also, ensure you are doing a cost-benefit analysis, as the savings you gain by not buying equipment may be eroded with additional security costs. Put the proper policies in place that are approved by the heads of your IT, human resources, legal, and other relevant functions, as they will go a long way in protecting your corporation.
Proactively secure and protect your technology, data, and operations with cybersecurity solutions that are matched with strong and reliable industry experience, and always ensure you partner with a security organization that understands your industry. There are differences in what you need to protect and how you protect it, depending on your vertical.