Secure Remote Access: Risks, Auditing, and Best Practices

What is Secure Remote Access?

Remote access is the ability of authorized personnel to access a computer or network from a geographical distance, through a network connection. This is especially important for branch office workers, business travelers and employees working from home.

With remote access, users can access files and other system resources from any connected device (as long as it is supported by the remote access system), increasing employee productivity and allowing them to more easily collaborate with colleagues.

Remote access must be secured to prevent unauthorized access to company resources. This involves securing the remote access protocol itself, ensuring that users do not share credentials or use weak passwords, and securing the devices used to connect remotely, including bring your own device (BYOD). Remote access security was always important, but as more and more employees work remotely, it is becoming a primary concern for most organizations.

The Importance of Secure Remote Access

When employees work remotely, the nature and scope of cybersecurity threats change. New types of risks are emerging, including:

  • Workers relying on home computers (very often infected with malware, even if not explicitly targeted by attackers), home routers, personal mobile devices, and unsecured Wi-Fi networks, all of which can be easily compromised by attackers, yet are difficult for corporate IT staff to manage and protect.
  • When employees connect to a corporate system or storage resource, the data must be transferred through a public Internet connection. If the transfer protocol is not properly protected, third parties can eavesdrop on the connection and steal sensitive information.
  • Working from home requires employees to adopt a broader set of tools, such as remote desktop protocol (RDP) and virtual private network (VPN) clients, increasing the attack surface and creating new potential security vulnerabilities.
  • Phishing attacks, while not unique to remote workers, can be more effective when employees are working remotely. Employees may be distracted, using the device during off hours, or sharing their devices with family members, including children, making it easier for attacks to succeed. It is also much more difficult to apply security measures like email security solutions.

Remote Access Security Risks

Here are some of the most common security risks affecting remote access.

Permissive Remote Access Policies

When an attacker compromises a VPN (virtual private network), they can easily gain access to the rest of the network. Historically, many companies deployed VPNs primarily for technical roles, enabling them to access key IT systems. Today, all users, including non-technical roles, might access systems remotely using VPN. The problem is that many old firewall rules allow access for VPN clients to almost anything on the network.

A new approach to remote access known as Zero Trust Network Access (ZTNA) ensures that every user and device connecting to the network only receives access to the specific services it needs to access.

Related content: read our guide to Zero Trust Network Access

Remote Devices

Following the COVID-19 pandemic and the huge number of employees working from home, many organizations were forced to purchase computing equipment and provide it to remote employees, or have employees purchase equipment on their own, leading to potential “supply chain” vulnerabilities, like the SuperFish vulnerability that affected Lenovo laptops.

Other organizations use the bring your own device (BYOD) model, letting employees perform work activity with their personal or home equipment.

The proliferation of new equipment presents challenges for security teams. They need to make sure that devices are protected from malware and viruses. Whether it is a BYOD device, or a corporate device used remotely by an employee, the organization needs to ensure security tools can be installed, managed and supported remotely.

A main challenge with BYOD is that organizations may not always be able to manage the device or install security software, because users can object. It is also difficult to verify the initial state of a BYOD device and to understand whether it was previously infected or tampered with by attackers.

Related content: read our guide to BYOD security

Limited Visibility Into Remote Activity

In a remote work environment, security teams need to monitor endpoint devices to prevent the spread of malware, fileless attacks, and other threats to remote users.

However, many security teams do not have visibility over remote user activity, and cannot monitor east-west traffic on their local networks, making it difficult to detect advanced threats. This raises the possibility of attackers compromising a remote device, using it to connect to corporate assets, and then moving laterally to compromise other systems.

Security analysts are now also working from home, like other employees, making it even more difficult to investigate threats and manage endpoint detection and response. The combination of these problems makes it easier for attackers to evade detection.

Users Mixing Home and Business Passwords

Users have a bad habit of reusing passwords, unaware of the risk that any website where they used a password could be breached and that password shared on the dark web. Password reuse makes it possible for attackers to easily obtain credentials and use them to access all of the user’s accounts, including corporate systems.

Secure Remote Access Concepts and Technologies

Remote access technology has made great progress. There are many new ways for users to access computing resources remotely, from a variety of endpoint devices. Here are some of the technologies enabling secure remote access at organizations today.

Remote Access with Full Network Access: Virtual Private Networks (VPN)

VPNs allow employees working remotely to connect to a corporate network by routing their activity through a secure server. VPN systems encrypt data transmitted over the network, so that data is unusable to an attacker eavesdropping on the connection.

While VPNs are widely used and still considered secure, there are growing security concerns. VPN, by default, allows access to the entire corporate network. This means that a compromised end-user device, or an attacker with stolen credentials, can use VPN connections to gain broad access. Organizations are switching from VPN to zero trust network access (ZTNA), described below.
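Both the permissive firewall rules described under "Permissive Remote Access Policies" and the full-network access of a VPN noted here come down to the same check: does any allow rule let the VPN client pool reach more than one named service? The following is an added example (not code from the page or from Hysolate) that audits a constructed ruleset for such grants and shows a ZTNA-style replacement; the rule format, address ranges and service hosts are assumptions made for the example.

```python
"""Added example: audit VPN firewall rules for over-permissive access.

Models the risk described on this page (legacy rules letting VPN clients
reach almost anything) and the ZTNA alternative (per-service grants).
The rule format, address ranges and service hosts are constructed for
this example and do not describe any real firewall or network.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    src: str      # source CIDR, or "any"
    dst: str      # destination CIDR, or "any"
    proto: str    # "tcp", "udp" or "any"
    dport: str    # destination port such as "443", or "any"
    action: str   # "allow" or "deny"


# Constructed address plan (assumption): VPN clients are assigned from
# 10.200.0.0/16; the corporate network is 10.0.0.0/8.
VPN_POOL = ipaddress.ip_network("10.200.0.0/16")

# Largest destination a single ZTNA-style grant may cover (one /24 service subnet).
MAX_DST_ADDRESSES = 256


def _net(cidr: str) -> ipaddress.IPv4Network:
    """Parse a CIDR string; "any" means the whole IPv4 address space."""
    return ipaddress.ip_network("0.0.0.0/0" if cidr == "any" else cidr, strict=False)


def rule_is_overpermissive(rule: Rule, vpn_pool=VPN_POOL) -> bool:
    """True if an allow rule gives VPN clients more than a single-service grant.

    A grant is considered too broad when its destination is wider than one
    /24, or when it does not pin the protocol and port to one service.
    """
    if rule.action != "allow" or not _net(rule.src).overlaps(vpn_pool):
        return False  # deny rules and non-VPN sources are out of scope
    broad_destination = _net(rule.dst).num_addresses > MAX_DST_ADDRESSES
    broad_service = rule.proto == "any" or rule.dport == "any"
    return broad_destination or broad_service


def audit(rules) -> list:
    """Return the names of rules that should be replaced by per-service grants."""
    return [r.name for r in rules if rule_is_overpermissive(r)]


# Weak, legacy-style ruleset: VPN clients may reach the entire corporate network.
LEGACY_RULES = [
    Rule("vpn-any", "10.200.0.0/16", "10.0.0.0/8", "any", "any", "allow"),
    Rule("vpn-to-db-all-ports", "10.200.0.0/16", "10.10.7.5/32", "any", "any", "allow"),
    Rule("lan-to-corp", "10.10.0.0/16", "10.0.0.0/8", "any", "any", "allow"),  # not a VPN source
]

# Corrected, ZTNA-style ruleset: each grant names one service host and one port,
# an admin-only subset of the pool reaches the jump host, everything else is denied.
ZTNA_RULES = [
    Rule("vpn-to-intranet-https", "10.200.0.0/16", "10.10.5.20/32", "tcp", "443", "allow"),
    Rule("vpn-to-mail-imaps", "10.200.0.0/16", "10.10.5.25/32", "tcp", "993", "allow"),
    Rule("vpn-admins-to-jumphost", "10.200.1.0/24", "10.10.9.10/32", "tcp", "22", "allow"),
    Rule("vpn-default-deny", "10.200.0.0/16", "any", "any", "any", "deny"),
]


if __name__ == "__main__":
    print("legacy rules to fix:", audit(LEGACY_RULES))  # ['vpn-any', 'vpn-to-db-all-ports']
    print("ztna rules to fix:  ", audit(ZTNA_RULES))    # []
```

The same check can be run over an exported ruleset during the "Check protocols and authentication" step of the remote access audit described later on this page, once the export is mapped onto the Rule fields.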

Remote Access with Credentials

Virtual Network Computing (VNC)

VNC is a technology that enables screen sharing, allowing a remote user to view and control the desktop of another computer. This is achieved over a network connection using the Remote Framebuffer protocol. The VNC viewer is installed on the client and connects to a VNC server on the remote workstation. VNC usually uses VPN as a transport.

RDP (Remote Desktop Protocol)

RDP is a protocol originally developed by Microsoft, which enables remote connection to a computer system. RDP clients are also available for macOS, Linux and other operating systems. The RDP server listens on TCP port 3389 and UDP port 3389, and accepts connections from RDP clients.

VDI (Virtual Desktop Infrastructure)

Many large organizations set up dedicated infrastructure, usually based on solutions like Citrix or VMware Horizon, which allow them to run large numbers of virtualized desktops and serve them to end users, who connect to the desktops remotely. VDI solutions provide dedicated gateway solutions to enable secure remote access.

Desktop as a Service (DaaS) is an evolution of virtual desktop infrastructure (VDI), where virtualized desktops are hosted by a cloud provider, and organizations pay a fee per desktop or per hour used.

Zero Trust and Modern Approaches to Remote Access

Zero Trust Network Access (ZTNA)

In the zero trust security model, users only have the rights they need to perform the role they have. All user accounts and devices on the network are not trusted by default. This is very different from traditional security solutions that allow users full access to the target network.

Zero Trust Network Access (ZTNA), also known as Software Defined Perimeter (SDP), is a set of technologies that can implement the zero trust strategy on a corporate network. Users who want to connect to an organization’s network can connect only to the specific applications or systems they need to perform their tasks, when they need them. This greatly reduces the cyber threats that organizations face when granting remote access to networks.

Multi Factor Authentication

Multi-factor authentication (MFA) is a secure access control process that combines multiple credentials to verify the identity of a user. It is especially important, and is commonly used, for secure remote access.

An MFA portfolio of access methods should include at least two of the following: something the user knows (such as a password), an object the user possesses (such as a smart card or mobile phone), and something that is essential to the user’s identity (for example, a voiceprint or fingerprint).

Because there are additional layers of validation in MFA, even if one of the authentication factors is compromised, unauthorized access is hindered by the other factors. For example, if a password has been compromised, the account will not be compromised, because the attacker will probably not possess the physical token, or will not be able to pass the biometric scan.

Privileged Access Management (PAM)

PAM provides a way to manage identities using systems like Active Directory. Identity management is crucial for privileged or administrator accounts, which are used for enterprise-level support tasks.

PAM is a set of technologies that can secure, control, and monitor access to organizational resources through privileged accounts. PAM solutions provide capabilities like certificate management, system and data access control, user activity monitoring and credential masking. This reduces the threat of unauthorized network access, and makes it easier to detect and mitigate suspicious activity on privileged accounts.

Vendor Privileged Access Management (VPAM)

Many organizations need to provide privileged accounts for two types of users: employees and external users, such as technicians and contractors. However, organizations using external vendors or contractors must protect themselves from potential threats from these sources.

External users pose unique threats, because the organization has no control over the security best practices of their companies.

Vendor Privileged Access Management (VPAM) is a solution that addresses the risks inherent in third-party remote access. VPAM is related to PAM, but there are important differences:

  • Traditional PAM solutions are designed to manage internal privileged accounts, based on the assumption that administrators know the identity and usage status of the users.
  • Because this is not always true for third-party users, the VPAM solution uses multi-factor authentication to provide an additional layer of protection.

VPAM allows network administrators to identify and authenticate external users through advanced methods, to ensure they are linked to an active employee account. A VPAM solution continuously monitors the activity of external users, and provides protection against abuse.

Secure Access Service Edge (SASE)

SASE is a new security model, leveraging software-defined networking (SDN), that helps users connect securely to remote data centers. It includes technologies like cloud access security broker (CASB), secure web gateway (SWG), firewall as a service (FWaaS), and ZTNA (ZTNA, described above, can be a component within a SASE solution).

SASE takes complete ownership of remote access in an organization, eliminating VPN, physical equipment, and backhauling solutions, and managing remote access using virtualized appliances. It can not only facilitate remote access and authenticate users, but also filter content being transferred on the network, detect and prevent malware and a host of other security threats.

What to Include in a Remote Access Audit

An important first step to evaluating remote access security is to conduct an audit. Here are the key elements you should include in a remote access security audit.

  • Penetration testing—connect to the network like a user does and attempt to gain access to internal systems like databases or backend applications. Users should never have access to these types of systems. Also, scan for vulnerabilities on systems that users can legitimately access, to ensure they cannot be exploited by attackers.
  • Remote device testing—test samples of remote user devices (whether BYOD or company owned) to see what security measures they are running, whether they are infected by malware or have other security issues.
  • Check protocols and authentication—identify how users connect to the corporate network and how authentication is performed. Ensure protocols are secure and encrypted, and that authentication is strong and cannot be easily bypassed. Evaluate the entire remote access system in light of company policies and compliance requirements.
  • Governance—how are company policies enforced across remote users and devices? Are governance policies applied automatically, or set manually by administrators or supervisors, which can lead to human error and security gaps?
  • Logging and reporting—ensure that any activity by remote devices is properly logged and the organization is able to generate reports and audits required by its compliance obligations.

Secure Remote Access Best Practices

Here are a few best practices you can use to improve security for a remote workforce.

  • Develop a security policy for remote access—the policy should specify which protocols must be used for remote access, which devices are allowed to connect (company owned or BYOD), permitted use of those devices, and policy for wiping lost or stolen devices.
  • Protect and manage endpoints—many enterprise companies are looking for more than just a proxy service in the cloud, as they add zero trust network access (ZTNA), remote browser isolation (RBI), sandbox, firewall as a service (FWaaS), data loss prevention (DLP) and other cloud-based security services.
  • Use encryption—ensure all data is encrypted, both during transmission, and at rest on an employee’s local device. Encryption is another layer of protection, in addition to antivirus and secure authentication mechanisms, which ensures that even if attackers compromise the devices, they cannot make use of sensitive data.
  • Invest in security awareness—conduct ongoing training on security practices. Every employee must be aware of security policies, consequences for violating them, common social engineering attacks and how to identify and prevent them.

Secure Remote Access with Hysolate

Securing privileged access to sensitive resources is a critical step for organizations to establish security assurances for business assets in a modern workspace. The security of most or all business assets in an organization depends on the integrity of the privileged accounts that administer and manage IT systems. Cyber attackers are targeting these accounts and other elements of privileged access to rapidly gain access to targeted data and systems using credential theft attacks.

With Hysolate, remote employees can work in a clean, managed environment, without IT administrators worrying about potential malware.

Hysolate Isolated Workspace is a local hyper-isolated virtual environment that provides users with a superior user experience. It is built to spin up instantly on any Windows 10 operating system and managed, at scale, from the cloud. This reduces the risks associated with privileged users by providing them with isolated operating systems that run locally on their end-user device.

Learn more about Secure Access with Hysolate

BYOD: The Complete Guide

What is BYOD?

Bring Your Own Device (BYOD) is a growing trend, in which devices owned by employees are used within the enterprise. Smartphones are the most common example, but employees may also bring their own tablets, laptops and USB drives.

BYOD is part of the IT consumerization trend—the deployment of consumer software and hardware in enterprises. Bring your own technology (BYOT) refers to the use of consumer devices and applications, selected and configured by employees, in work environments.

In some cases, employee-owned equipment is allowed for use by the company, and may even be subsidized or supported by the IT organization. In other cases, the equipment owned by the employee is part of a parallel ecosystem known as shadow IT—hardware or software unknown or disallowed by the organization’s central IT department.

Whether your organization supports employee-owned hardware and software or not, the reality is that employees will at some point use personal devices to connect to the corporate network or access corporate data, and this poses a security risk. Many companies implement BYOD policies to minimize risk and address the need for consumer technology in the workplace.

Why is BYOD Important?

When employees use technology they are familiar with, they are inherently more productive. Many employees are digital natives, and find it difficult to function without their personal devices. Using personal devices at work lets them focus on their work, rather than adapting to the digital tools provided by the enterprise.

According to a Dell survey, 61% of millennials and 50% of workers 30 years or older believe that technology tools they use in their personal lives are more effective and productive than those they use in their professional lives.

Another benefit of BYOD is major cost savings. According to a Cisco report, companies implementing BYOD can save $350 per employee per year, by passing on the cost of equipment to their employees.

BYOD Pros and Cons

BYOD has many advantages and disadvantages to consider. Here are some of the benefits of BYOD to organizations:

  • Better equipment—personal equipment is usually faster and more advanced than aging equipment provided by IT departments.
  • Employee satisfaction—most employees find personal equipment more comfortable and efficient to use. BYOD employees are typically more satisfied with their user experience than those with corporate devices.
  • Reduced costs—when employees bring their own equipment, this means the enterprise spends less on new equipment, and also saves the cost of maintenance and technical support.
  • Increased productivity—employees working on personal devices are more productive and have fewer technical issues.
  • Easier onboarding and offboarding—onboarding a new employee or terminating employment with company-provided devices can be a difficult process. BYOD, when properly managed, can make employee transitions much easier to manage.

What are the risks of BYOD?

  • Limited control and difficulty of monitoring usage of multiple types of devices.
  • Security risks caused by employees accessing corporate systems and data on personal devices. Personal devices, even those covered by a BYOD policy, generally do not have the same level of security as corporate devices.
  • Employee privacy can also be an issue. Organizations must use security features or deploy security solutions on personal devices, to ensure the security of corporate data. However they must do this without compromising the privacy of the employee’s private data.

When considering a BYOD policy, every company must perform a risk assessment and understand the impact of personal devices. Financial, healthcare, law firms, or companies in other regulated industries, will face much more serious consequences of BYOD security issues.

The type of corporate data being accessed is also important—encrypted data is less sensitive than cleartext. Publicly available company information is less sensitive than personally identifiable information (PII) or company intellectual property.

Alternatives to BYOD: CYOD and COPE

While BYOD has compelling advantages for both organizations and employees, there are alternative models. Two models adopted by many organizations are CYOD and COPE.

Choose Your Own Device (CYOD)

This policy allows companies to offer a set of pre-approved devices and let the employee choose between them. These devices have a secure configuration and come with business applications pre-installed. CYOD policy allows users to select their own equipment and choose devices they are more comfortable with, while companies maintain ownership and cover costs.

CYOD is a compromise between BYOD and a strict company-owned equipment policy, because it gives employees some freedom. The company selects the type of equipment to deploy, to ensure compatibility and enforce a certain level of security on all devices. Unfortunately, employees are not always happy with the choice of equipment available. Even if the selection is broad, the employee may not find a device they are familiar or proficient with.

Corporate-Owned, Personally-Enabled (COPE)

This strategy provides employees with devices that are fully owned by the company. While the company maintains ownership and pays for the device, users are allowed to personalize it. They are allowed to download software that is not work related (with some restrictions of course), and customize the interface to their liking.

COPE provides the organization the highest level of control over user equipment. The company does not give up ownership and can ensure devices are pre-configured to ensure security and compatibility with enterprise systems—effectively, the company can harden and lock the device in advance.

However, COPE can be inconvenient to employees, as they do not have the ability to choose equipment that suits their needs. Another disadvantage of COPE is that it is the most expensive model for the enterprise.

Creating Your BYOD Policy

A BYOD policy contains the rules governing the level of corporate involvement in the management of employee-owned devices. The policy defines the level of IT support provided by the organization to the employees, as well as the areas employees are responsible for.

Typically, BYOD policies contain:

  • Clear documentation of employer and user responsibilities.
  • Specific instructions regarding the software application used to manage network devices.
  • Signed agreements acknowledging that all employees understand the policy and agree to comply.

Organizations also choose to add the following information to their BYOD policy:

  • Security policies—based on industry standards, such as data encryption and using strong passwords.
  • User guidelines—defined for the purpose of preventing BYOD users from introducing threats into the corporate network.
  • Formal BYOD training—designed for the purpose of clarifying policies and providing employees with updated information.

Learn more in our in-depth guide to BYOD policy

BYOD Best Practices

There are many valuable techniques you can use to implement your BYOD policy. Here are key practices to consider.

Security First

BYOD devices are usually not controlled by IT. This means each employee must be trained to put security first when protecting the device. Employees should be encouraged to add multi-factor authentication to their devices and use strong passwords. Organizations should consider providing employees with the tooling needed to protect their BYOD devices.

Workforce Education

Employees should be properly trained in security risks they may face while using their BYOD devices. Risks like shadow IT, phishing schemes, and malware should be clearly explained to each BYOD user, as well as the proper measures required to prevent and respond to these security incidents. An educated employee can potentially prevent a massive breach.

Establish a Culture of Trust

BYOD devices can significantly escalate the damage insider threats might achieve with their privileges. Establishing a culture of trust throughout the organization can help create a deeper connection between the employees and the organization, and potentially prevent privilege abuse by disgruntled staff members or ex-employees.

Establish an Employee Exit and Onboarding Plan

When employees use company devices, it is relatively easy to control how the device and the information it stores should be treated once employees leave the company. However, when employees use their own devices, the organization cannot easily wipe out the data. Establishing an employee exit and onboarding plan can help you set clear expectations and rules regarding how to secure corporate information during these transition periods.

Learn more in our in-depth guide to BYOD security

BYOD Solutions

Implementing a BYOD strategy in most organizations requires additional technologies or solutions, which make it possible for users to bring their own devices, while accessing managed IT resources.

Mobile Device Management (MDM)

This is the most common form of BYOD management. MDM solutions can be deployed locally or in the cloud. They enable management of mobile devices, including deployment, security, monitoring, and integration with enterprise systems. They can protect corporate applications and data on personal devices, and automate delivery of enterprise applications to these devices.

MDM aims to prevent company policy violations, while maintaining employee productivity. MDM solutions enable:

  • Separation of company data from personal data
  • Protection of email and corporate documents on user devices
  • Enforcing company policies such as disallowed applications or web content
  • Remote management of mobile devices such as smartphones, laptops and tablets

Endpoint Protection Platforms (EPP)

As the BYOD trend gains momentum, endpoint security becomes very difficult. When deciding on a BYOD policy, your organization must address legal, privacy, HR, and many other concerns. BYOD introduces access and security challenges. Phishing attacks can lead to identity theft, data loss, IP theft, compliance fines, and legal exposure.

An EPP is a solution deployed on endpoint devices, which can prevent file-based and fileless malware attacks, detect malicious activity by the user (or an attacker who has compromised the device), and dynamically respond to security events and alerts. EPPs also provide the critical ability to remotely investigate security incidents on an endpoint, and perform remediation to mitigate threats.

EPPs prevent a variety of threats by providing the following measures:

  • Next Generation Anti-Virus (NGAV)—detects and blocks malware, including new types that evade detection by modifying binary signatures.
  • User and Event Behavior Analysis (UEBA)—detects unusual or suspicious behavior on the endpoint and alerts security staff.
  • Application control and whitelisting—enabling the organization to define specific applications and websites that are allowed on the endpoint, and blocking all others.
  • Device control—allows security teams to remotely control endpoints, collect data and enforce policies for audit, investigation and compliance purposes.
  • Sandbox—an isolated location on the device that can detonate potential malware in a controlled manner, analyzing it without threatening other parts of the device.

Desktop Virtualization: VDI and DaaS

Virtual desktop infrastructure (VDI) solutions provide a way for remote devices to access an enterprise-controlled desktop environment at any time. The IT team provides access to these virtual desktops and selects which resources are available to different categories of end users.

When BYOD users work on an enterprise-hosted desktop, the organization has improved control over their use of business applications and data. For example, it is possible to limit a user’s ability to download files or copy-paste information to the local device (while this may also hinder productivity).

VDI solutions require a major investment in infrastructure. A growing alternative, which is very easy to deploy and does not have large upfront costs, is desktop as a service (DaaS). DaaS is VDI hosted and operated by a cloud provider, billed according to desktops actually used.

Hysolate: Isolated Workspace-as-a-Service

Hysolate offers a unique set of features that together, provide employees a positive day-to-day work experience while working from BYOD devices.

  • Smooth deployment, onboarding and maintenance—Hysolate offers instant one-click installation or silent provisioning, including automatic installation in the secured operating system of all company-approved applications and automatic provisioning of company policies.
  • Privacy and collaboration by design—with virtual workspaces that function like completely separate physical environments, employees enjoy their privacy, collaborate on tools of their choice, take their laptops home, promote ad-hoc team building through social media and more. They enjoy the feeling of freedom, trust and privacy that keeps them on your team long-term. Easy-to-access ongoing support can be given, including remote access, without viewing the users’ private data.
  • Continuous and uninterrupted access to company assets—Hysolate provides a completely isolated corporate virtual machine as well as improved VPN security, and secured split tunneling. Employees can work continuously without having to suffer overloaded networks, sudden IP changes, disconnects and the like, no matter where they are.
  • Embedded granular security—Hysolate offers remote wipe and locking of corporate data, built-in data loss prevention, ongoing device health checks and granular policy management. Policies can determine when and how objects can be copied, cut and pasted between operating system workspaces, who has admin rights, what networks are permitted, whether USB devices are allowed and more. Hysolate can prevent keystroke recording, screenshots, and other malicious attack techniques. Security teams can ensure all company assets stay protected without disrupting the natural user workflow.
  • A safe and positive end-user experience—Hysolate guided tours make it quick and simple for users to onboard. From there, the sky’s the limit. With workspaces that act like multiple desktops, a thing common to most of us these days, users switch between desktops seamlessly. No more mind-boggling context switching and other unpleasant disruptions.

Learn more about Hysolate’s Isolated Workspaces as a Service for BYOD

BYOD Policy: Getting it Right

What is a BYOD Policy?

A bring your own device (BYOD) policy is a set of guidelines that define proper work and use of employee-owned devices, such as personal computers (PCs), laptops, smartphones, and tablets. The goal of a BYOD policy is to ensure that corporate assets, including networks, systems, and data, are protected against shadow IT threats.

A BYOD policy is created according to the unique and agile needs of the organization, which is why the policy is highly flexible and varies between organizations and industries. For example, one organization might opt to allow BYOD laptops but prohibit mobile devices, while another might agree to support mobile devices.

Why is BYOD Policy Important?

A BYOD policy can help employees understand when and how they can use their own devices for work purposes and access company data. Here are key advantages of adopting a formal BYOD policy:

  • Reduce costs—according to Cisco, a BYOD policy can help organizations save an average of $350 per employee, annually.
  • Improve productivity—a study found that a BYOD policy can help employees become more productive. People are often happier and more comfortable when they can use their own, familiar devices, instead of having to switch between personal and company devices.
  • Better security—a BYOD policy defines exactly how, when and which devices should be used for work. BYOD security guidelines should help employees understand their rights as well as their responsibilities. This information helps protect corporate assets from exposure to shadow IT threats.

However, informal BYOD practices can introduce significant risks, especially for organizations handling sensitive information.

For example, employees who have not been given clear BYOD guidelines may store and transfer sensitive information on personal devices, or download risky third-party content. If the IT team has no visibility into these activities, information can be leaked or compromised without anyone noticing.

What Should a BYOD Policy Template Include?

A BYOD policy should be the result of a collaboration between all relevant departments, including HR, IT, and legal. Here are key aspects to consider when creating a BYOD policy template:

  • Authorized devices—define whether employees may use any available device or only certain devices.
  • Shared costs—employees working from home may consume more resources than they normally would for personal use. In this case, organizations might decide to offer a stipend to cover the costs.
  • Passwords and authentication—if the employee-owned device is used to handle important business information, organizations should define security requirements such as strong passwords, device lock and multi-factor authentication.
  • Network security—organizations should define several network security aspects: for example, prohibiting the transmission of important information over public networks, clearly defining which networks are appropriate for BYOD use, and providing a virtual private network (VPN) as needed.
  • Data storage—a BYOD policy should clearly state what types of corporate data employees may store on their personal devices. Organizations should also prohibit storing confidential or financial information on any BYOD device that is not encrypted.
  • Authorized use—a BYOD policy should clearly tell employees whether or not they may share the device with friends or family.
  • Banned applications—employee-owned devices typically have a range of installed applications, some of which are unrelated to work. Organizations might reserve the right to request the removal of certain applications to reduce the risk of malware infection.
  • Lost or stolen devices—a BYOD policy should tell employees how to act during security events, including the loss or theft of their device. For example, an employee whose device is lost or stolen should report it immediately so that corporate data on the device can be remotely locked or wiped.
  • Onboarding and offboarding employees—when employees leave the company, the organization may require that corporate data be wiped from the device, or at least that the device be inspected. Even though the device is personal, it was used for work purposes and should be checked during onboarding and offboarding to prevent future issues.

Key Considerations for a Successful BYOD Policy

Make Compliance Clear

A BYOD policy should not use language or jargon that most employees are unfamiliar with; if it does, employees may not understand it and cannot comply. The organization should keep the BYOD policy simple and clearly outline the responsibilities of employees and the commitments of the organization. It should also explain why compliance matters, so employees know why they should comply.

Make Help Available

A policy should support employees by providing clear guidelines, much like an FAQ document. It should also say what support is available when technical problems occur, so that employees have a quick reference when they run into technical issues.

Mandatory Security Policies

A BYOD policy should provide guidelines that help employees understand and implement proper security measures, for example installing only trustworthy software and not using public Wi-Fi networks for work. Organizations should also consider enforcing penalties for policy violations.

BYOD Policy with Hysolate

Hysolate offers a set of features that together give employees a positive day-to-day work experience while working from their own devices.

  • Smooth deployment, onboarding and maintenance: Hysolate offers one-click installation or silent provisioning, including automatic installation of all company-approved applications in the secured operating system and automatic provisioning of company policies.
  • Privacy and collaboration by design: with virtual workspaces that function like completely separate physical environments, employees keep their privacy, collaborate on tools of their choice, take their laptops home, build ad-hoc team connections through social media and more. The freedom, trust and privacy this gives them helps keep them on your team long-term. Ongoing support, including remote access, can be provided without viewing the user's private data.
  • Continuous and uninterrupted access to company assets: Hysolate provides a completely isolated corporate virtual machine, improved VPN security and secured split tunneling. Employees can work continuously, wherever they are, without suffering overloaded networks, sudden IP changes, disconnects and the like.
  • Embedded granular security: Hysolate offers remote wipe and locking of corporate data, built-in data loss prevention, ongoing device health checks and granular policy management. Policies determine when and how objects can be copied, cut and pasted between operating system workspaces, who has admin rights, which networks are permitted, whether USB devices are allowed and more. Hysolate can block keystroke recording, screenshots and other attack techniques, so security teams can keep company assets protected without disrupting the user's workflow.
  • A safe and positive end-user experience: Hysolate guided tours make onboarding quick and simple. Workspaces act like the multiple desktops most users already know, so users switch between them seamlessly, with no disruptive context switching.

Learn more about Hysolate Platform

BYOD Security: Threats, Security Measures and Best Practices

What is BYOD Security?

Bring your own device (BYOD) means that employees use personal devices to connect to an organization’s network, accessing work-related systems and possibly, sensitive data. Personal devices may include smartphones, personal computers, tablets or USB drives.

According to several studies, well over 50% of organizations and over 70% of employees use personal devices at work, and these numbers are growing rapidly. BYOD security is therefore top of mind for IT and security leadership.

Personal devices, whether or not IT has approved them, are a more likely entry point into corporate networks because they are less well secured and more likely to contain vulnerabilities than corporate devices. It is therefore critical for organizations of all sizes to understand and address BYOD security.

BYOD Security Risks

Following are three of the most severe risks affecting BYOD devices. 

Data Leakage and Loss

When employees use personal devices at work, any access to the corporate network can pose a risk—whether the employee is performing routine activities like logging into a work email account, or more sensitive activities such as viewing financial or HR records.

Attackers can gain access to a lost or stolen device, or compromise a device via phishing or malware while it is still in the employee's possession. At that point, attackers have three main options:

  1. Steal data stored locally on the device
  2. Use credentials stored on the device to access the corporate network
  3. Destroy data on the device

The second option is especially dangerous, because activity from a compromised account initially looks like a legitimate user accessing corporate systems.

The third option can be mitigated by cloud backup, but backups must be set up carefully or they can themselves become an attack vector.

Device Infection

Smartphones are commonly infected by malware, and in most cases users are not aware their phone is infected. More worrying still, because mobile users install many applications and may use some only occasionally, they tend to be careless about the terms of service or permissions they grant to new applications.

On desktop and laptop computers, operating system vulnerabilities pose the biggest risk. Most users are not diligent about applying the latest security patches to their operating system. A first priority in any BYOD program is identifying the OS and version running on each employee device and ensuring the latest updates are applied.

Lastly, antivirus software is used unevenly on personal devices. Some devices may not be protected at all, and others may be protected by free or unknown antivirus programs of questionable effectiveness.
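As an added example of the OS-version and antivirus check described above (this is not code from Hysolate or from any MDM product): the Go program below evaluates a constructed device inventory against a hypothetical minimum-version baseline and reports why each failing device should be denied corporate access. The baseline values, the inventory and the Device fields are assumptions chosen for the demonstration. The point to notice is the numeric, component-wise version comparison; comparing version strings lexically would accept "10.9" as newer than "10.15".

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Device is one row of a constructed BYOD inventory export: what an endpoint agent or
// MDM reports about a personal device before it is allowed to reach corporate systems.
type Device struct {
	Owner     string
	OS        string // "windows", "macos", "ios", "android"
	Version   string // dotted numeric version as reported by the OS
	Antivirus bool   // endpoint protection present and reporting
}

// Hypothetical minimum OS versions accepted by the organization; tune to your own baseline.
var minimumVersion = map[string]string{
	"windows": "10.0.19045",
	"macos":   "13.6",
	"ios":     "17.0",
	"android": "13",
}

// compareVersions orders dotted numeric versions component by component and returns
// -1, 0 or 1. Missing trailing components count as zero, so "13" equals "13.0".
// Plain string comparison gets this wrong: "10.9" > "10.15" lexically.
func compareVersions(a, b string) int {
	pa, pb := strings.Split(a, "."), strings.Split(b, ".")
	for i := 0; i < len(pa) || i < len(pb); i++ {
		x, y := 0, 0
		if i < len(pa) {
			x, _ = strconv.Atoi(pa[i]) // non-numeric components are treated as 0
		}
		if i < len(pb) {
			y, _ = strconv.Atoi(pb[i])
		}
		if x < y {
			return -1
		}
		if x > y {
			return 1
		}
	}
	return 0
}

// Evaluate returns the reasons a device fails the baseline; an empty result means compliant.
func Evaluate(d Device) []string {
	var reasons []string
	minVer, known := minimumVersion[strings.ToLower(d.OS)]
	switch {
	case !known:
		reasons = append(reasons, "unsupported OS: "+d.OS)
	case compareVersions(d.Version, minVer) < 0:
		reasons = append(reasons, fmt.Sprintf("%s %s is below the minimum %s", d.OS, d.Version, minVer))
	}
	if !d.Antivirus {
		reasons = append(reasons, "no endpoint protection reported")
	}
	return reasons
}

// NonCompliant runs the check across an inventory and maps each failing owner to the reasons.
func NonCompliant(inventory []Device) map[string][]string {
	out := map[string][]string{}
	for _, d := range inventory {
		if r := Evaluate(d); len(r) > 0 {
			out[d.Owner] = r
		}
	}
	return out
}

// SampleInventory is constructed data for the demonstration, not a real export.
var SampleInventory = []Device{
	{"alice", "windows", "10.0.19045", true},
	{"bob", "macos", "12.7.1", true},     // below 13.6
	{"carol", "ios", "17.2", false},      // OS fine, no antivirus
	{"dave", "android", "13", true},      // "13" == "13.0", passes
	{"erin", "chromeos", "120.0", true},  // not in the baseline
}

func main() {
	for owner, reasons := range NonCompliant(SampleInventory) {
		fmt.Printf("DENY %s: %s\n", owner, strings.Join(reasons, "; "))
	}
}
```

In a real program the inventory would come from the MDM or endpoint agent and the deny decision would feed the access gateway; the version comparison and the "deny with reasons" shape are what carry over.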

Mixing Personal and Business Use

With BYOD, it is inevitable that employees will perform both work and personal tasks on the same device. Your organization has no control over the websites employees visit, some of which may be malicious or compromised, or over the applications they install, some of which may be questionable. Devices may be used by the employee's children or other members of the household, and may be connected to unsecured wireless networks. The list of potential threats is endless.

Security Measures for BYOD Security

Given the major risks posed by BYOD devices, here are a few basic measures organizations can take to improve security on these devices.

Application Control

Some devices and operating systems provide control over the applications installed on a device. For example:

  • iOS devices enrolled in device management can block access to the Apple App Store
  • Android Enterprise makes it possible to customize Google Play to show only approved applications

However, applying such restrictions to a user's personal device is rarely practical. Employees are likely to resist, and reasonably expect to use their personal device freely when off work.

Containerization

Containerization divides a device into separate protected environments, each with its own password, security policies, applications and data. This lets employees use the device without restrictions while preventing security risks to the corporate network.

When a user logs in to a containerized work environment, they cannot access their personal applications or other features that the container does not manage. Containerization is a powerful solution: on the one hand, it prevents employees from using unapproved applications while connected to corporate systems; on the other, it does not restrict employees from freely using their personal device.

Android Enterprise makes it possible to set up separate, containerized environments for work and personal applications. This gives organizations full control over the work environment, without encroaching on the employee’s free use of their personal applications.

Hysolate provides all the security benefits of separate physical devices for privileged and non-privileged work, without the hassle and cost of users juggling multiple devices. Attackers who breach the general workspace are contained within it and cannot move laterally to the protected environment; they cannot reach the host or privileged OS, and cannot even see that it exists.

Encrypting Data at Rest and in Transit

BYOD means sensitive data is retrieved and viewed on systems outside the organization's control, so it is crucial to encrypt data at rest and in transit. Encryption protects the content of sensitive files even in the worst case of device theft or compromise.

In practice, encrypting all data transmitted to employee devices is challenging. Security and operations teams must account for every scenario in which a user downloads or saves a file to the local computer, such as saving an email attachment or retrieving a file from corporate cloud storage. In each case, software on the BYOD device must ensure the data is stored encrypted.

Another concern is that encryption can slow day-to-day operations, hurt productivity and frustrate users. In addition, any malfunction in the encryption process (a lost key, a corrupted file) can lock users out of critical files they need to do their jobs.
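Encrypting a downloaded file at rest, as an added example that is not Hysolate's code or any product's: the Go program below uses AES-256-GCM from the standard library with a random per-file nonce, binds the file name in as additional authenticated data so a ciphertext cannot be quietly renamed onto another file, and fails closed when the key is wrong or the file has been altered, which is the lockout failure mode described above made explicit rather than silent. The key handling is an assumption: NewDataKey stands in for a key that a real BYOD agent would keep in the OS keystore, and the sample attachment content is constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// On-disk layout: 1-byte format version || 12-byte nonce || ciphertext || 16-byte GCM tag.
const (
	formatVersion = 0x01
	keySize       = 32 // AES-256
)

// ErrCorrupt is returned for any file that does not authenticate: wrong key, wrong
// file name, truncated or modified bytes. The caller never sees partial plaintext.
var ErrCorrupt = errors.New("encrypted file is corrupt, was tampered with, or the key is wrong")

// NewDataKey generates a fresh data-encryption key. Assumption for this example: a real
// BYOD agent would store this key in the OS keystore (Keychain, TPM-backed store), not on disk.
func NewDataKey() ([]byte, error) {
	key := make([]byte, keySize)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != keySize {
		return nil, fmt.Errorf("key must be %d bytes, got %d", keySize, len(key))
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealFile encrypts plaintext with AES-256-GCM. The file name goes in as additional
// authenticated data, so the ciphertext only opens under the name it was saved with.
func SealFile(key []byte, name string, plaintext []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil { // fresh nonce per file; never reuse one under a key
		return nil, err
	}
	out := make([]byte, 0, 1+len(nonce)+len(plaintext)+aead.Overhead())
	out = append(out, formatVersion)
	out = append(out, nonce...)
	return aead.Seal(out, nonce, plaintext, []byte(name)), nil
}

// OpenFile decrypts and verifies a file produced by SealFile. Any change to the header,
// nonce, ciphertext, tag or file name yields ErrCorrupt and no plaintext.
func OpenFile(key []byte, name string, blob []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	ns := aead.NonceSize()
	if len(blob) < 1+ns+aead.Overhead() || blob[0] != formatVersion {
		return nil, ErrCorrupt
	}
	nonce, ct := blob[1:1+ns], blob[1+ns:]
	pt, err := aead.Open(nil, nonce, ct, []byte(name))
	if err != nil {
		return nil, ErrCorrupt
	}
	return pt, nil
}

func main() {
	key, err := NewDataKey()
	if err != nil {
		panic(err)
	}
	doc := []byte("Q3 payroll summary (constructed sample attachment)") // constructed sample content
	blob, err := SealFile(key, "payroll-q3.xlsx", doc)
	if err != nil {
		panic(err)
	}
	if _, err := OpenFile(key, "payroll-q3.xlsx", blob); err == nil {
		fmt.Println("decrypted OK with the right key and file name")
	}
	blob[len(blob)-1] ^= 0x01 // one flipped bit in the tag: disk corruption or tampering
	if _, err := OpenFile(key, "payroll-q3.xlsx", blob); errors.Is(err, ErrCorrupt) {
		fmt.Println("altered file rejected:", err)
	}
}
```

The practical consequence for a BYOD rollout is visible in OpenFile: a lost key or a single corrupted byte means the file is gone, not half-readable, so key backup and escrow have to be designed before the first file is encrypted.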

BYOD Security Best Practices

Educate Employees

Define a BYOD security policy and, even more importantly, take the time to educate users about it. Users should clearly understand what they can and cannot do on their personal devices, why the security measures are important, and what the consequences of violating the policy are.

Employees should undergo mandatory security training. A primary goal of employee education is to explain that security threats are a danger to the organization and to the employees themselves, and that by following the policy they improve safety for themselves and their colleagues and help prevent catastrophic data breaches that can threaten the organization.

Separate Personal and Business Data

When employees use a personal device for business, privacy is a primary concern. The device may contain sensitive personal files or information the employee does not want to share with their workplace. At the same time, sensitive business data stored on the device must be protected and accessible only to the employee. Whether or not containerization is used, the BYOD policy should clearly state how personal and business information are kept separate and how unwanted exposure is prevented.

Have a Solution in Place for Lost Devices

If a device is lost or stolen, employees must immediately report it to their manager or IT department. IT needs to be prepared to take the necessary actions, such as remote device lock, data wipe, password reset, and auto-wipe of critical applications. The protocol for device loss or theft should be clearly defined in the BYOD policy, and employees should be fully aware of it.

Ensure Secure Network Connectivity

When an employee connects over an untrusted network such as public Wi-Fi, attackers may be able to eavesdrop on business activity. Encourage employees to use a secure network, not only in the office but also on the go. In any event, they should only connect to the corporate network through a secured, encrypted virtual private network (VPN).

