Bring your own device (BYOD) had been steadily increasing for some time, but the pandemic has undoubtedly resulted in a faster transition to it becoming common practice. When you consider this alongside the widescale adoption of Cloud services, it’s clear to see we are presented with a major cybersecurity risk.
What are the main issues?
There are two reasons why this is causing such a problem. The first is perhaps the more obvious one, if you have computers accessing corporate data without the correct security controls installed, they pose a far higher risk. Examples include malware being brought into the corporate network or systems (only 42% of BYOD have malware protection), a vulnerability being exploited or malicious websites not being blocked. There is also the issue of data being lost, either due to lack of encryption or from it remaining on the personal device of an ex-employee.
The second reason is a lot more subtle, but arguably poses even more of a risk. If you are unintentionally setting a standard where it is acceptable for ‘special devices’ to access corporate systems without any security controls, isn’t it a clear sign to all the teams that the business doesn’t really pay attention to cybersecurity? This kind of company culture can have a detrimental effect on your cybersecurity posture.
Is there a solution?
I think the first step is to recognise that ‘corporate devices’ are not really any different from BYOD, except that they have the correct security controls installed. Most BYOD workstations are either the latest version of Windows 10 or OSX and have access to the same data as the corporate computers.
Whilst you may think that only letting employees access corporate email via a browser is ok, if a phishing email has a malicious link and they access it from their home PC then their email account could be compromised. This is normally the first stage of a ransomware attack.
Instead of splitting out BYOD and corporate devices, which both access corporate data, you could look to protect them in the same way. It’s just that some devices you have paid for and some you haven’t. And actually, if you haven’t paid for the device in the first place, is spending around £10 a month on the correct security tools such a big thing?
Monitoring your BYOD
Once you have the correct security tools in place, you then need to monitor that they are all functioning correctly, and this is where a platform such as ThreatAware can really help. One of the main advantages of ThreatAware is that it is agentless – there is no need to install an agent on personal devices, which may not be welcome. This means it is not reliant on agents to build a full picture of all of the assets, and therefore requires no installation. It simply monitors the security tools by accessing the security consoles, not the computers themselves.
If you are curious to see how many devices there are accessing your corporate data that you have no control over, then please reach out for a 7 day trial of ThreatAware.