Bring your own device (BYOD) and remote working: a significant cybersecurity threat

Law Society partner Mitigo explains that the lack of control and oversight around employees using their personal devices while working from home is the next cybersecurity challenge facing organisations.


The past year has seen many firms successfully navigate the new world of remote working.

However, the rush to establish a new distributed workforce, combined with changing working patterns and employee behaviour, means that many organisations are facing an increased risk of cyberattack.

As a consequence, we have seen a worrying increase in cases of email account takeover and ransomware attacks.

Common security concerns stemming from remote working now include:

  • data leaking through endpoints
  • users connecting with unmanaged devices
  • maintaining compliance with regulatory requirements
  • remote access to core business apps
  • loss of visibility over user activity

All these problems fall under one umbrella: the dissolution of the traditional ‘perimeter’.

Many employees are now working from outside the security protection that their office networks would usually provide. There is no better example than employees using personal devices to do their job.

BYOD and remote working

The concept of BYOD has existed for many years within an office environment.

It is common to see employees using their own smartphone for work purposes. However, there is an alarming lack of control and visibility over employees using their personal devices for working at home.

The rapid shift to remote working meant some employees had to make do with using their unsecured personal devices in the absence of company-issued devices.

Even today, employees are working on home PCs or laptops that may also be used by others, including their children.

Elsewhere, we’ve seen employees entering their passwords for important enterprise systems, which are syncing with their children’s tablets or other family-used devices.

These unsecured devices are often the most vulnerable endpoints or entry points to firms’ networks and enterprise systems. Risks here include:

  • data leakage
  • users downloading unsafe apps or content
  • lost or stolen devices
  • unauthorised access to data and systems
  • risk of malware infections

Research by the Ponemon Institute highlights how BYOD has had a negative effect on cybersecurity in organisations.

67% of security professionals say remote workers’ use of their own mobile devices to access business-critical applications and IT infrastructure has decreased their organisations’ security posture.

The problem is compounded by the fact that almost a third of respondents say their organisations do not require remote workers to use authentication methods.

And it is not just traditional work devices like mobile phones or laptops that pose a security risk.

New figures commissioned by the government show almost half of UK residents have purchased at least one smart device since the start of the coronavirus (COVID-19) pandemic.

These smartwatches, TVs and cameras sit on the same home wireless network as those work devices, and remain vulnerable to cyberattacks too.

Technology, people and processes

With the perimeter falling away, firms are looking to technology solutions, alongside policy, governance and training, to mitigate the security risks.

From a tech standpoint, firms need to ensure that authentication and device management are in place.

It is important that remote workers using their own devices have enabled basic security features such as:

  • a PIN
  • fingerprint unlock, or
  • facial recognition (face ID)

Multi-factor authentication (MFA) is an important tool for stopping traditional credential-harvesting methods and should be extended as far as possible.

The concept of ‘zero trust’

Going further, more firms are embracing the concept of ‘zero trust’.

This means that no user or system, either inside or outside the cloud, is trusted until it has been verified.

The concept can be applied to technologies, devices and employees’ work practices.

Users are verified through technologies like:

  • MFA
  • identity and access management (IAM)
  • encryption and permissions systems
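As an added illustration, not code from the Mitigo or Law Society article, the following Python sketch shows how a zero-trust access decision combines these checks: every request is evaluated against the session's MFA status, the device's posture (screen lock, encryption, patch level, enrolment in device management) and a permissions table, and every decision is logged so that user activity stays visible. The device attributes, role names, resource names and the rule that unmanaged personal devices may reach email only are constructed assumptions for the example.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple


@dataclass(frozen=True)
class Device:
    """Posture of the endpoint making the request (personal or company-issued)."""
    device_id: str
    screen_lock_enabled: bool   # PIN, fingerprint or facial recognition set up
    disk_encrypted: bool
    os_patched: bool
    enrolled_in_mdm: bool       # managed (enrolled) vs unmanaged personal device


@dataclass(frozen=True)
class Session:
    """The authenticated user and whether MFA was completed for this session."""
    user: str
    mfa_verified: bool
    roles: FrozenSet[str]


# Constructed permissions table (assumption): which roles may reach which resource.
RESOURCE_ROLES: Dict[str, FrozenSet[str]] = {
    "email":      frozenset({"solicitor", "paralegal", "finance"}),
    "case-files": frozenset({"solicitor", "paralegal"}),
    "billing":    frozenset({"finance"}),
}

# Constructed rule (assumption): an unmanaged personal device may reach email only.
UNMANAGED_ALLOWED: FrozenSet[str] = frozenset({"email"})


def evaluate_access(session: Session, device: Device, resource: str) -> Tuple[bool, List[str]]:
    """Zero-trust decision: nothing is trusted by default, every check must pass.

    Returns (allowed, reasons); reasons lists each failed check so a denial
    can be explained to the user and recorded for visibility.
    """
    reasons: List[str] = []
    if not session.mfa_verified:
        reasons.append("mfa_required")
    if not device.screen_lock_enabled:
        reasons.append("screen_lock_required")
    if not device.disk_encrypted:
        reasons.append("disk_encryption_required")
    if not device.os_patched:
        reasons.append("os_update_required")
    if not device.enrolled_in_mdm and resource not in UNMANAGED_ALLOWED:
        reasons.append("managed_device_required")
    if resource not in RESOURCE_ROLES:
        reasons.append("unknown_resource")
    elif not (session.roles & RESOURCE_ROLES[resource]):
        reasons.append("role_not_permitted")
    return (not reasons, reasons)


def decide_and_log(session: Session, device: Device, resource: str, audit: List[dict]) -> bool:
    """Record every decision, allow or deny, so activity across devices stays visible."""
    allowed, reasons = evaluate_access(session, device, resource)
    audit.append({
        "user": session.user,
        "device": device.device_id,
        "resource": resource,
        "decision": "allow" if allowed else "deny",
        "reasons": reasons,
    })
    return allowed


if __name__ == "__main__":
    # Constructed sample: a company laptop and a shared family PC used by the same solicitor.
    laptop = Device("firm-laptop-01", True, True, True, True)
    home_pc = Device("family-pc", True, True, True, False)
    alice = Session("alice", True, frozenset({"solicitor"}))
    alice_no_mfa = Session("alice", False, frozenset({"solicitor"}))
    log: List[dict] = []
    for dev, sess, res in [(laptop, alice, "case-files"),
                           (home_pc, alice, "email"),
                           (home_pc, alice, "case-files"),
                           (laptop, alice_no_mfa, "billing")]:
        print(dev.device_id, res, decide_and_log(sess, dev, res, log))
    for entry in log:
        print(entry)
```

The point of the structure is that the decision is re-evaluated on each request rather than once at login, and that a deny always carries the reasons: those reasons are what a firm can feed back to the user ("enable a screen lock") and what gives it the visibility over distributed users that the article says is currently missing.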

As well as mitigating the risks to the services and data being accessed, firms should consider the risk to client data that is being processed or residing on personal devices.

This will vary considerably according to which BYOD approach they have deployed and how it is configured.

One of the most important things your firm can do is to educate your employees and maintain their awareness of cyber threats.

Any tech solution you introduce should be alongside ongoing security awareness training and formal policies that lay out the procedures for working from home from a cybersecurity standpoint.

Many firms tell us they are likely to continue increased levels of remote work in the future.

Visibility and management across the newly distributed workforces will be crucial.

Firms must tackle the problem of BYOD and look to technology and processes that can provide visibility and greater security for employees when working remotely.

The Law Society has partnered with Mitigo to offer technical and cybersecurity services with exclusive discounts for our members. For more information contact Mitigo on 020 8191 9205 or email lawsociety@mitigogroup.com.
