Handling BYOD Risks – Mitigating Rogue Devices
Author: Sepio Systems
Handling BYOD Risks: Bring Your Own Device (BYOD) is a trend whereby employee-owned devices are being used within an organization. BYOD policies enable employees to use the same devices for personal and office use, allowing them to work remotely if need be. This is a trend that is growing rapidly due to the myriad of benefits it provides both the business and the employee. As of 2015, 82% of organizations are accepting the use of personal devices for work-related purposes, and the BYOD market is estimated to increase by 15% every year until 2022, from a starting value of $30 billion in 2014.
BYOD policies precipitate numerous advantages to the employee and, in turn, to the organization. The employee benefits include workplace flexibility, which is a key selling point to prospective employees, especially millennials, who are often highly sought after. Results of workplace flexibility are increased loyalty, morale and employee engagement. Furthermore, around 80% of employees believe that managing a single mobile device aids in balancing a personal and professional life. These benefits afford employees with higher job satisfaction, indirectly serving the company since satisfied employees will be more productive and more engaged with their work, leading to higher levels of efficiency.
Statistics show that companies do avail from higher productivity when implementing BYOD policies, with over 50% of employees feeling more productive when using their own devices at work. As BYOD allows employees to work remotely, absence from the office due to bad weather or doctor’s appointments, for example, will not hinder productivity since employees can still continue to work, almost unaffected. Likewise, employees with lengthy commutes can work from home a few times a week, thereby increasing their efficiency rather than wasting time getting to and from the office.
In addition to greater productivity, BYOD policies provide organizations with cost reductions. Funds no longer need to be allocated to providing equipment for employees. It has been found that employers can save more than $1,000 per employee with BYOD policies which, especially for small and medium-sized businesses, can be immensely helpful. Finally, implementing BYOD policies can allow organizations to be better prepared for global pandemics, such as COVID-19, which require those who are still working to continue to do so remotely.
BYOD policies, however, do present downfalls. Importantly, BYOD can mean that employees are not using uniform devices. As such, the varying devices will all have ranging operating systems and be of different quality, resulting in disparities in terms of functionalities, capabilities and security features. In certain cases, some devices might not even be adequate to carry out specific tasks.
Security concerns are highly problematic and, for the companies that did not implement BYOD, this was the primary reason why. This, therefore, is the greatest weakness of BYOD. Employee devices will not have the same security measures that an organization’s device will have, and any security measures a personal device has will not be suitable to protect against corporate data breaches or network intrusion. Additionally, personal devices often have poor authentication since substantial authentication measures can act as a hindrance when being used for non-work-related purposes. They might only have single-factor authentication which most likely will be a password, and this is a serious risk to organizations. Even if devices have biometric authentication features, a password is almost always in place as an alternative, which is easy to crack for hackers.
Lack of security is a grave threat, demonstrated by the fact that 50% of companies that allowed BYOD were breached by an employee-owned device. BYOD policies allow for a significant amount of data to be obtained on employee devices outside of the office and this, coupled with careless/uninformed employee action, is extremely threatening, based on the above-mentioned fact that there are, typically, low levels of security on BYOD devices. Confidential data might be dealt with, or shared, by employees therefore making the BYOD device a target for an attack. Malware attacks, man-in-the-middle (MiTM) attacks, Advanced Persistent Threat (APT) attacks, network sniffing and data breaches are all serious threats for organizations that allow BYOD policies. Whether the perpetrator is an external actor, an unwitting employee or a malicious insider, these attacks can be carried out in various forms, including by utilizing Rogue Devices; and BYOD only makes it easier since there are greater entry points and fewer security measures.
Rogue Devices – spoofed peripherals or network implants – are designed to act purely with malicious intent and are increasingly becoming the weapon of choice for bad actors. These devices can cause serious, long-term damage to an organization when they carry out any of the aforementioned attacks. Besides these attacks, Rogue Devices are extremely perilous since they are almost impossible to detect. Spoofed peripherals, such as manipulated USB devices, are recognized as legitimate human interface devices (HIDs). Network implants, on the other hand, go completely undetected as they operate on Layer 1 – the Physical Layer – which is not covered by existing security software solutions. As such, Rogue Devices do not raise any alarms. Awareness is vital when aiming to reduce the risk of these attacks occurring. However, these attacks, although becoming more frequent, are less publicized and therefore even staff that do have cybersecurity training might not be aware of hardware attacks. Since uninformed/careless staff cause around a quarter of all cyberattacks, this ignorance can be extremely risky when dealing with spoofed peripherals since they look legitimate to the human eye. The cheapest mouse or keyboard being sold online might be too good to be true and might, in fact, be a Rogue Device. Similarly, connecting to public WiFi hotspots at a local coffee shop can be dangerous as the router might have been manipulated.
To lower the risks of BYOD, a company policy should be put in place. Policy creation is essential to an organization that implements BYOD. However, prior to implementing a policy, stakeholders – including employees – should be involved in the development process. Different departments will have varying interests and their contributions mean that a policy created solely based on the company’s interests can be avoided. The policy should include an Acceptable Use Policy, defining how personal devices should be used by employees to avoid any security risks coming from unsecured sources. Additionally, the Policy should require that employees make use of the native security features on their devices, such as locking screens and all forms of authentication, including the biometric ones. Importantly, the organization’s BYOD Policy should outline which security applications are required on personal devices. Fundamentally, all devices must have an up-to-date antivirus software. Should a malware attack take place, the most updated antivirus software would be more likely to detect it.
A crucial step in reducing the risks associated with BYOD is to increase employee training. The majority of security breaches are caused by trusted employees, of which most are down to human error. Employees must read and sign the company’s BYOD Policy to further enhance their knowledge on the topic, and the risks associated with it, of which some they themselves can easily prevent. Additional training concerning mobile vulnerabilities and how to identify various hacking attempts will further reduce BYOD risks. For additional protection, organizations should educate staff on how to defend devices against unauthorized access.
Since an organization cannot fully rely on education as a comprehensive preventative measure, other solutions are available, including data encryption. Encrypting data that goes beyond the control of the organization is necessary and it should be performed throughout the data’s life cycle. 76% of companies do not encrypt mobile devices, which makes them extremely vulnerable. By encrypting the data, it means that, should an attack take place, the information acquired is rendered meaningless to the perpetrator. To further protect company data on an employee-owned device, the method of containerization can be greatly beneficial. Containerization segregates a portion of the device into its own protected bubble which requires password access, thus isolating and regulating – with a separate set of policies – specific files, folders and applications.
An imperative preventative measure to BYOD risks is to have comprehensive security enforcements, including Rogue Device Mitigation (RDM), which will provide protection for undetectable hardware attacks. Personal devices are extremely susceptible to these attacks as it is easier for a perpetrator to target them, rather than the devices secured within an organization. Rogue Devices pose a perilous risk to an organization since they do not raise alarms to existing security software, and almost any organization can be the target of this type of attack. A suitable RDM software will be able to detect these types of attacks – whether they originate on the network or the endpoint – and take action to block them, preventing any damage that might have been caused, thus providing considerable protection for the organization.
Although the risks of BYOD have been highlighted above, the fact that BYOD can be extremely useful for organizations should not be ignored, especially during today’s current situation where a large majority of businesses are having to conduct operations remotely. Organizations simply need to enforce sufficient security measures (emphasis on measures, plural) to ensure they have as much protection as possible and, with this, they can enjoy all the benefits that come with BYOD.
Handling BYOD Risks – Mitigating Rogue Devices