Cyber Security blogs

  • Home
  • /
  • Blog
  • /
  • How does a BYOD strategy affect the information security risks in a supply chain?
August 17, 2020

If you don’t think your company has a strategy where employees use their own devices for work it may be happening anyway; the chances are that they do use their own mobile phones and possibly their own laptops in a professional context.  A Bring Your Own Device (BYOD) strategy can have many advantages and is welcomed by many employees. Looking at this within the context of the global pandemic brought on by COVID 19, this strategy is also referred to as Work From Home Device (WFHD).  

However, it should not be undertaken lightly given the impact it can have on information and cyber risk. It is also not advised for your company to see it primarily as a cost saving exercise. As a company, your challenge is to reduce and mitigate the risks when you have less control over the actual device. There are also issues with providing support to users for a far wider range of devices and operating systems. Having identified these risks, your company should try and set an appropriate balance in adopting BYODperhaps issuing laptops while allowing employees to use their own phones or supply all devices yourself. 

What are the benefits for your employees?  

It can make work much more convenient, which can improve morale amongst your employees and can even attract new hires. There is also a flexibility factor. It becomes easier for your staff to work from home, using a computer and a smartphone that they know well, and are comfortable with using. It is often assumed that there are financial benefits to allowing your employees to use their own devices, because you then don’t have to spend money on providing devices yourself. But this assumption doesn’t take into account the management costs of a device that is used by an employer, which can often render the original cost of a device insignificantAlso, employees will often expect a contribution to the cost of the device if they are required to use it for work. 

What are the risks?  

Although there are advantages linked to this strategy, there are also many risks which are associated with adopting a BYOD. These risks can be associated with: 

  • Security: for example, if an employee uses their own smartphone to access sensitive or confidential information about your company’s work, and then that same phone is stolen, or an employee loses the phone by leaving it on the train coming to work, you run the risk of a data breach. A very important factor that you must take into account is the different levels of security different devices may have.  ‘Home’ versions of operating systems that are on consumer computers won't always have more advanced levels of security that your business may, whereas operating systems on computers sold to businesses will; for example Bitlocker full disk encryption is only available on the Pro versions of Windows. 

Different mobile devices can have different layers of built-in security, for example. This can make some more susceptible to malware. This means that you may not be able to guarantee that all of your employee's devices are completely secure. Anti-malware add-ons which your company wishes to install in order to protect sensitive information may not be supported on different devices.  

  • Confidentiality: information can also be compromised by other means. If a member of staff leaves your company to start a new job taking their devices with them, you will need to ensure those devices no long hold sensitive data and don’t have access to the applications your company uses. How will access an intranet be revokedand company-specific downloads removed from the device. If a device is used at home as well as at work, confidential data could be leaked by accident when another member of the household opens up the device.  
  • Shadow IT: there is also a risk posed by the introduction of shadow IT, which is intrinsically linked to BYOD strategies. This is where your employees use applications and software for their work without approval from IT management. Although this could further improve your company’s efficiency, applications that have not received proper approval could contain malware or dangerous vulnerabilities that may expose data.  

For all the reasons above and others, there are significant business risks that need to be considered and addressed. Indeed, all the stakeholders work with customer data and all this data can be exposed easily if no measures are taken with a strong policy to fight against BYOD risks and security. That’s why, there are ways that you can mitigate some of the risks of this very useful strategy.  

What solutions are there to reduce these risks?  

Security awareness training 

It sounds very obvious, but the best way to address the risks associated with BYOD is by making sure that your employees are aware of them, particularly if you have personnel that deal with confidential information on a regular basis. This is because the majority of the time, data breaches linked to BYOD are associated with human error. We have seen the example of devices being lost, but people can also adjust the security settings on their smartphones and laptops so that authentication is rarely required to log into the device, meaning that data can be accidentally beached when a friend or family member uses the device. Encourage employees to adopt appropriate levels of security on all the devices they use for their work.  

Encryption mechanisms and burning data 

C2 Cyber has implemented a robust policy to manage all the devices which handle sensitive information about your company. In particular, it is a requirement to use disk encryption to keep data secureIt is also a requirement to apply strong passwords that are updated regularlyThese policies are harder to enforce on personally owned laptopsso you could provide devices with protection already built in. To give staff a little more choice and freedom in how they work, you could adopt for laptop devices a CYOD (Choose Your Own Device) strategy where your company provides a choice to workers of devices to use for work, which are still managed and controlled by your business. 

If an employee wants to access data remotely, and is not near their device they use for work, and wish to use their own device, you could also move corporate applications onto the cloud as web applications. This would allow employees to access data remotely with their own device, but you could adjust controls to block home devices from being able to download information onto an unmanaged device. 

Key Security Controls 

If a device has access to sensitive data about your company, then you must have control over it. That way, if an employee does lose their smartphone by leaving it on the train coming to work, then your company’s IT administrator can access it remotely and then burn any sensitive data in case it falls into the wrong hands. 

Your company could set up a Mobile Device Management (MDM) system, to monitor and secure devices, including personally owned smartphones to better secure them. This will mean that all the tasks and processes can be overseen at all times, thus enforcing key security controls. Through MDM, devices can be configured and can be remotely locked in the event of loss or theft.  There are 3rd party MDM versions available, as well as ones built into Office 365 and G-Suite services. 

In addition, your company can implement Data Loss Prevention (DLP) controls, reducing the risk that data could leak via personal communications channels. Data Loss Prevention can help you see and track data on devices, networks and the cloud, providing you with visibility on how individual users within your company interact with the data.  

Summary 

There are advantages in a BYOD/WFHD strategy, but there are also many risks. If your company chooses to adopt this strategy, you should consider how this can be best applied to suit your own needs. Some of the risks can be mitigated by making your employees aware of themAs well as this, your company should also encrypt sensitive data and your IT department should be given access to any devices that handle it. Above all, you should decide what your business risks are and the security posture you wish to adopt before you then decide how you will achieve this with devices that you cannot completely manage yourself.  If you’re interested in knowing more about the risks associated with adopting this strategy, some and speak to us.

You can use our Value Assessment Calculator to see your potential savings...

If you want to get in touch, feel free to contact us  

Need some more security tips?

Leave a Reply

Your email address will not be published. Required fields are marked

{"email":"Email address invalid","url":"Website address invalid","required":"Required field missing"}
__CONFIG_group_edit__{}__CONFIG_group_edit__
__CONFIG_local_colors__{"colors":{"8b2fd":"Snuff","edb1a":"White Lilac","83d40":"Ship Cove","20090":"Scampi","4f35b":"Rose White","b98f0":"Turquoise","772bd":"Turquoise"},"gradients":{}}__CONFIG_local_colors__