BYOD Security: Threats, Security Measures and Best Practices
What is BYOD Security?
Bring your own device (BYOD) means that employees use personal devices to connect to an organization’s network, accessing work-related systems and possibly, sensitive data. Personal devices may include smartphones, personal computers, tablets or USB drives.
According to several studies, well over 50% of organizations and over 70% of employees use personal devices at work, and these numbers are rapidly growing. This means BYOD security is top of mind for IT and security leadership.
Personal devices, whether or not they are approved by IT, are more likely to be used to break into corporate networks because they are less well secured and more likely to contain security vulnerabilities than corporate devices. Therefore, it is critical for organizations of all sizes to understand and address BYOD security.
BYOD Security Risks
Following are three of the most severe risks affecting BYOD devices.
Data Leakage and Loss
When employees use personal devices at work, any access to the corporate network can pose a risk—whether the employee is performing routine activities like logging into a work email account, or more sensitive activities such as viewing financial or HR records.
Attackers can gain access to a lost or stolen device, or compromise a device via phishing or malware while it is still owned by the employee. At that point, attackers have three main options to do damage:
- Steal data stored locally on the device
- Use credentials stored on the device to access the corporate network
- Destroy data on the device
The second option is especially dangerous, because a compromised account can initially appear to be a legitimate user accessing corporate systems.
The third option can be mitigated by cloud backup systems, but these must be set up carefully or they can themselves become an attack vector.
Smartphones are commonly infected by malware, and in most cases, smartphone users are not aware their phone is infected. What’s even more worrying is that, because mobile users install a large number of applications and may use them only occasionally, they may be careless about terms of service or permissions they grant to new applications.
On desktop or laptop computers, operating system vulnerabilities pose the biggest risk. Most users are not diligent about updating their operating system with the latest security patches. A first priority in any BYOD program is to identify the OS currently running on employee devices and ensure they apply the latest updates.
Lastly, antivirus software is used unevenly by users on their personal devices. Some devices may not be protected at all, and others may be protected by free or little-known antivirus programs of questionable effectiveness.
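As an added example that is not part of the original article, here is a small inventory check of the kind a BYOD program needs for the OS-update and antivirus points above (plus the at-rest encryption point made later in the article). The minimum OS versions, the 30-day patch window, the inventory field names and the sample devices are all constructed assumptions, not values from any product or policy.

```python
from datetime import date

# Assumed policy values (constructed for this example, not from the article).
MIN_OS_VERSION = {"ios": (16, 0), "android": (13, 0),
                  "windows": (10, 0, 19045), "macos": (13, 0)}
MAX_PATCH_AGE_DAYS = 30


def parse_version(text):
    """Turn '16.4.1' into a comparable tuple of ints, e.g. (16, 4, 1)."""
    return tuple(int(p) for p in text.split(".") if p.isdigit())


def version_ok(os_name, version):
    """True when the device runs at least the policy minimum for its OS."""
    minimum = MIN_OS_VERSION.get(os_name.lower())
    if minimum is None:
        return False  # unknown platform is treated as non-compliant
    got = parse_version(version)
    width = max(len(got), len(minimum))  # pad so (14,) compares like (14, 0)
    return got + (0,) * (width - len(got)) >= minimum + (0,) * (width - len(minimum))


def evaluate_device(device, today_iso):
    """Return the list of policy findings for one record; empty means compliant."""
    today = date.fromisoformat(today_iso)
    findings = []
    if not version_ok(device["os"], device["os_version"]):
        findings.append("os_below_minimum")
    if (today - date.fromisoformat(device["last_patch"])).days > MAX_PATCH_AGE_DAYS:
        findings.append(f"patch_older_than_{MAX_PATCH_AGE_DAYS}_days")
    if not device.get("antivirus_enabled", False):
        findings.append("no_antivirus")
    if not device.get("disk_encrypted", False):
        findings.append("storage_not_encrypted")
    return findings


def evaluate_inventory(inventory, today_iso):
    """Map device id -> findings for every device that fails at least one check."""
    report = {}
    for device in inventory:
        findings = evaluate_device(device, today_iso)
        if findings:
            report[device["id"]] = findings
    return report


# Constructed sample inventory; these are not real devices.
SAMPLE_INVENTORY = [
    {"id": "phone-1", "os": "iOS", "os_version": "16.4.1", "last_patch": "2024-05-20",
     "antivirus_enabled": True, "disk_encrypted": True},
    {"id": "laptop-1", "os": "Windows", "os_version": "10.0.19044", "last_patch": "2024-03-01",
     "antivirus_enabled": False, "disk_encrypted": True},
    {"id": "tablet-1", "os": "Android", "os_version": "14", "last_patch": "2024-05-28",
     "antivirus_enabled": True, "disk_encrypted": False},
]
```

Running `evaluate_inventory(SAMPLE_INVENTORY, "2024-06-01")` flags laptop-1 (old OS build, stale patches, no antivirus) and tablet-1 (unencrypted storage), while phone-1 passes every check.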
Mixing Personal and Business Use
With BYOD, it is inevitable that employees will perform both work and personal tasks on the same device. Your organization has no control over the websites employees visit, some of which may be malicious or compromised, or over the applications they install, some of which may be questionable. Devices may be used by the employee’s children or other members of their household, and may be used to connect to unsecured wireless networks; the list of potential threats is endless.
Security Measures for BYOD Security
Given the major risks posed by BYOD devices, here are a few basic measures organizations can take to improve security on these devices.
Some devices and operating systems provide control over the applications installed on a device. For example:
- iOS devices can block access to the Apple App Store
- Android Enterprise makes it possible to customize Google Play to show only approved applications
However, applying such restrictions on applications on a user’s personal device is not practical. Employees are likely to resist these types of measures, and expect that they should be able to freely use their personal device when off work.
Containerization is a way to divide a device into separate protected environments, each with its own password, security policies, applications and data. This allows employees to use the device without restrictions, while preventing security risks to the corporate network.
When a user logs in to a containerized work environment, they cannot access their personal applications and other features that the container does not manage. Containerization is a powerful solution that, on the one hand, prevents employees from using unapproved applications while connected to corporate systems, and on the other hand, does not restrict employees from free use of their personal device.
Android Enterprise makes it possible to set up separate, containerized environments for work and personal applications. This gives organizations full control over the work environment, without encroaching on the employee’s free use of their personal applications.
Hysolate is a solution that provides all the security benefits of having separate physical devices for privileged and non-privileged work, without the inherent hassles and costs when users juggle between multiple devices. Cyber criminals that breach the general workspace are completely contained within it and cannot laterally move to the other protected environment. They cannot reach the host or privileged OS, and they can’t even see that it exists.
Encrypting Data at Rest and in Transit
BYOD causes sensitive data to be retrieved and viewed on systems outside an organization’s control. Therefore, it is crucial to encrypt data at rest and in transit. Encryption allows you to protect the content of sensitive files even in the worst case of device theft or compromise.
In practice, encrypting all data transmitted to employee devices can be challenging. Security and operations teams must take into account all scenarios in which a user downloads or saves a file on the local computer, such as downloading email attachments or retrieving files from corporate cloud storage. In all these cases, software on the BYOD device must ensure the data is encrypted.
Another concern is that encryption can slow down day-to-day operations, hurt productivity and frustrate users. In addition, any malfunction in the encryption process can lock users out of critical files they need to do their jobs.
BYOD Security Best Practices
Define a BYOD security policy, and even more importantly, take the time to educate users about it. Users should clearly understand what they can and cannot do on their personal devices, why the security measures are important, and what the consequences of violating the policy are.
Employees should undergo mandatory security training. A primary goal of employee education is to explain that security threats are a danger to the organization and to the employees themselves, and that by following the policy, they improve safety for themselves and their colleagues and help to prevent catastrophic data breaches that can threaten the organization.
Separate Personal and Business Data
When employees use a device for business activities, a primary concern is privacy. A device can contain sensitive personal files or information, which the employee does not want to share with their workplace. At the same time, sensitive business data stored on the device must be protected and accessible only to the employee. Whether containerization solutions are used or not, the BYOD policy should clearly state how to separate personal and business information and prevent unwanted exposure.
Have a Solution in Place for Lost Devices
If a device is lost or stolen, employees must immediately report it to their manager or IT department. IT needs to be prepared for the necessary actions such as remote device lock, data wipe, password reset, and auto-wipe for critical applications. The protocol for device loss or theft should be clearly defined in the BYOD policy and employees should be fully aware of it.
Ensure Secure Network Connectivity
If an employee connects to the Internet over an unsecured or public Wi-Fi network, attackers can eavesdrop on business activities. Encourage employees to connect their equipment to a secure network, not just in the office, but also on the go. In any event, they should only connect to the corporate network via a secured, encrypted virtual private network (VPN).
BYOD Security with Hysolate
Hysolate offers a unique set of features that together, provide employees a positive day-to-day work experience while working from their own devices.
- Smooth deployment, onboarding and maintenance: Hysolate offers instant one-click installation or silent provisioning, including automatic installation in the secured operating system of all company-approved applications and automatic provisioning of company policies.
- Privacy and collaboration by design: with virtual workspaces that function like completely separate physical environments, employees enjoy their privacy, collaborate on tools of their choice, take their laptops home, promote ad-hoc team building through social media and more. They enjoy the feeling of freedom, trust and privacy that keeps them on your team long-term. Easy-to-access ongoing support can be given, including remote access, without viewing the users’ private data.
- Continuous and uninterrupted access to company assets: Hysolate provides a completely isolated corporate virtual machine as well as improved VPN security, and secured split tunneling. Employees can work continuously without having to suffer overloaded networks, sudden IP changes, disconnects and the like, no matter where they are.
- Embedded granular security: Hysolate offers remote wipe and locking of corporate data, built-in data loss prevention, ongoing device health checks and granular policy management. Policies can determine when and how objects can be copied, cut and pasted between operating system workspaces, who has admin rights, what networks are permitted, whether USB devices are allowed and more. Hysolate can prevent keystroke recording, screenshots, and other malicious attack techniques. Security teams can ensure all company assets stay protected without disrupting the natural user workflow.
- A safe and positive end-user experience: The Hysolate guided tours make it quick and simple for users to onboard. From there, the sky’s the limit. With workspaces that act like multiple desktops, something most of us already use, users switch between them seamlessly. No more mind-boggling context switching and other unpleasant disruptions.