Staying cybersecure when 'bringing your own devices'

Kevin Curran, IEEE senior member and professor of cybersecurity at Ulster University

Kevin Curran, IEEE senior member and professor of cybersecurity at Ulster University, describes how to remain secure whilst enabling personal devices

Throughout the past two years, many organisations have adopted a hybrid working model, whereby working from home most or all of the week is considered normal. While initial concerns focused on infrastructure, equipment, and bandwidth provision, it has become apparent that a huge number of organisations are far more vulnerable to security threats than ever before. With the reliance on personal devices, cloud networks, and remote access technology, it is fair to say that employees have been operating outside of the traditional IT safety net.

Essentially, a bring your own device (BYOD) policy allows employees to use their own technology, such as a mobile phone or laptop, within the workplace. Although this provides a number of benefits, including increased flexibility and reduced costs, there are security concerns which often need addressing.

The security risks at hand

There are a variety of threats organisations will likely face from BYOD culture, including ransomware, remote hacking, and phishing. According to recent research from Gov UK, of the 39 percent of UK businesses which identified a cyberattack in 2021, 83 percent were phishing attempts and 21 percent identified a more sophisticated attack type such as a denial of service, malware, or ransomware attack. In addition, the survey found that organisations cited ransomware as a major threat, with 56 percent of businesses having a policy not to pay ransoms. These figures are a prime example of why recognising cyber risks has never been more important.

When an employee uses a personal device to download various types of information and files, such as PDFs or applications, they are instantly putting themselves at risk of malware. For example, if a document or file containing a virus is downloaded to a device, it has the potential to pass this on to the company network when the employee next logs in from the infected device. Employees need to be extra careful when it comes to distinguishing between valuable corporate data and data used for personal purposes, as this could significantly compromise security throughout the organisation.

In addition to this, organisations are at great risk of data theft if personal devices are used without being checked in advance. For example, if a personal email account is hacked, this could result in exposing the organisation's confidential corporate data. It is paramount that staff members are educated about this, as cybercriminals are constantly on the hunt for the most important information they can gain access to.

Best practices for organisations

To better secure data in the current hybrid working world, there are some preventative measures that can be taken. These practices include educating employees about the associated risks, encrypting BYOD devices and corporate data, and investing in cloud-based malware protection tools.

To minimise the risk of attacks, organisations should implement a training session for staff members, so they can fully understand the risks associated with using their own devices. As remote working is still a relatively new concept for many, this will help staff members collectively understand the core best practices, including data security management, enforcing strong passwords on personal devices, and safer habits online. To keep the information fresh in all staff members' minds, this could be carried out every few months, depending on the scale of the organisation.

Organisations that have introduced or are thinking about implementing a BYOD policy could consider a mobile device management solution which allows for security patching, application management, and updates to be performed on all enrolled mobile devices. This could also significantly help decrease the number of potential attacks on the enterprise's network.

Another challenge for organisations is bad actors connecting to the device from an unsecure network. To combat this, the Federal Communications Commission (FCC) has shared some tips on how users can protect themselves online and recognise the validity of available Wi-Fi hotspots. To ensure data is encrypted, users should check that all websites they exchange information with have "https" at the beginning of the web address. In addition, the FCC suggests adjusting the settings on the device so it does not connect to Wi-Fi networks automatically. By following steps such as these, organisations can significantly reduce the risk of being breached.

Despite the associated risks, the BYOD culture is unlikely to stop soon. In fact, whether or not companies implement a policy around the use of personal devices, it is almost inevitable that employees will bring them to work and connect to the corporate network. Therefore, it is crucial that organisations recognise the risks and follow the necessary steps to proactively prevent them.

Kevin Curran is an IEEE senior member and professor of cybersecurity at Ulster University