For a small business with limited capital, the offer from an employee to use their laptop, phone or tablet for work is tempting. While it does reduce capital costs, it also introduces cyber security risks.
1) Data theft / Data loss
Data stored in locations owned and managed by the organisation can be controlled and monitored. Devices that the organisation does not operate run the risk of allowing unauthorised people to access data. Also, these devices may not have the same level of data protection as a device secured by the organisation, leaving the data at risk if the device is compromised or stolen.
Anti-malware software installation is much lower on personal devices than on work devices where the build is mandated and controlled. This is particularly the case for phones and tablets, as many people believe only laptops and desktops are at risk.
3) Insecure applications
All personal devices have several applications installed that are not related to work. Each of these applications is a potential risk. The level of security built into some games and entertainment apps is not the same as the level most organisations require. These apps have the potential to give criminals access to organisational information that is stored on the same device. Some apps that look safe have been known to allow criminals to take over devices or to log user login information that can be used to access data.
4) Insecure networks
Most organisations have a firewall that restricts and controls the flow of data. This includes blocking connections that could be malicious. Personal devices can connect to insecure home or public networks, making those devices targets for criminals. Being able to work from the local library or cafe sounds attractive. However, the accessible Wi-Fi networks provided there do not have the same security controls and can be targeted by criminals.
5) Lack of management
Devices managed by individuals rather than the organisation have additional risk due to the lack of control. Risks include:
- Software updates may not be installed, or software may be out of date
- Vulnerable programs installed
- Backups not being taken
1) Policy
The policies created for organisational systems can be extended to apply to BYOD. This is simple to do on paper, but implementation and adherence are challenging. It is hard for the organisation to force someone to change settings on their personal device. This is particularly the case if the changes impact the use of the device outside of work. This method generally relies on individuals to apply the policy to their own devices.
2) Software controls
One option is to use software that tracks and monitors how data is being accessed and can restrict or report when data is being shared outside the organisation.
Mobile device management (MDM) solutions can provide some protection and a balance between the control organisations need and the freedom workers want to use their own devices. These tools allow the organisation to deploy and secure devices while allowing the individual the freedom to use the device in their own time. However, there are still difficulties associated with this solution, as the level of security the organisation wants may make the individual user experience too restrictive.
Having this level of control is ideal for removing company data from a compromised device, and a good MDM solution will help allow granular control of this data. MDM can be seen as enhancing data security by monitoring, managing, and securing mobile devices such as laptops, smartphones, and tablets used in enterprises. Mobile device management solutions allow you, or us here at Real World, to control and distribute security policies to mobile devices accessing sensitive data. With more and more employees using one or all of these devices, organisations of all shapes and sizes are now turning to mobile device management for enhanced data and network security and improved employee productivity.
The Microsoft 365 Business Professional suite includes Intune, the standard Microsoft MDM solution, which is heavily focused on Windows devices. Other MDM solutions that are more dedicated to device management across different platforms include, for example, Jamf and Kandji.