Cybersecurity Deep Dive: What Is BYOD & 9 Security Risks

Device Infection with Malware

The biggest risk of Bring-Your-Own-Device policies is malware infection. Employees tend to be less careful about the security of their personal devices and will pay less attention to what apps they install.

They may download PDF files, install games, and other apps for personal use, and many of these apps may be infected with malware.

Since the device also contains corporate data, the malware will gain access to it, causing a data breach.

Even more, when the employee comes to work and connects their device to the company network, the malware will spread to the entire network, leading to a crisis.

There are multiple types of malware, including:

• Viruses
• Trojans
• Phishing tools
• Keyloggers
• Adware
• Worm
• Spyware
• Ransomware
• Fileless malware

The worst thing is that anything online could be infected with any one of these malware. All you need is a lapse in judgment when accessing a strange website or downloading an app and your device is infected.

As an employer, you have next to no control over how the employee uses their personal device at home.

So, you don’t know if they’re device is infected or not.

Solutions

• Enforce the installation of antimalware solutions on your employees’ devices. This will alert them about any suspicious apps or websites, preventing malware infection
• Vet all the applications that your employees have installed on their personal devices when coming to work. Perform security scans to ensure there’s no risk of malware infection
• Implement strict usage policies to stop your employees from liberally using their personal devices while ignoring cybersecurity risks (e.g., disallow employees to install games or non-work apps on their devices)
• Perform regular routine checks on BYOD devices to ensure that no unexpected apps have been installed or that they haven’t been infected with malware

Mixing Personal and Professional Use

When you implement BYOD, it’s inevitable that employees will mix personal and business use on their devices.

This creates security vulnerabilities because corporate data will be stored on devices that are used for unsecured activities like online shopping.

You can hardly control your employees’ devices because you won’t know how they’re using them at home.

Here’s what might happen as a result:

• The employee loans the device to a friend, which puts the sensitive data in danger
• The device is connected to an unsecured Wi-Fi network
• The employee accesses an infected website, which puts the sensitive data at risk
• The employee downloads an infected file, which ends up accessing the private corporate data on the device

It’s extremely difficult to keep these things under control. BYOD poses a heavy cybersecurity risk that’s not easy to avoid.

Solutions

• Segregate between personal and business use to make sure that the user doesn’t affect work data when using the device for personal needs. This may be achieved with data encryption, a trustless security system, and the principle of least privilege
• Enforce the use of a VPN to prevent the malicious interception of communication when the device is connected to an unsecured Wi-Fi network
• Cut off access to work apps and data when the employee leaves to prevent any unauthorized access or data breach in case of employee negligence
• Enforce security awareness to avoid negligence and carelessness in personal use at home

Lost or Stolen Device

The chance that an employee loses their personal device is much higher compared to a work device.

One survey shows that 68% of healthcare data breaches were caused by the loss or theft of an employee device.

This happens because a personal device is more vulnerable to being stolen or lost due to how, where, and when it’s being used.

A work device is only used at work, while a personal device is used everywhere the user goes.

Anyone who comes into contact with the user may steal or access their device and get their hands on the sensitive corporate data.

Solutions

• Train your employees to use passwords and biometric security on their devices to avoid unauthorized access if the device is lost or stolen
• Train your employees to report a stolen/lost device immediately to cancel its access credentials and avoid a data breach
• Encrypt work data on the employee’s device so that it cannot be accessed outside of the work environment

Use of Unsecured Wi-Fi

This deserves its own spot on the list because of how dangerous Wi-Fi is to the security of the data on employee devices.

Public Wi-Fi networks are some of the worst cybersecurity pitfalls because of how vulnerable they are to external manipulation.

Man-in-the-middle attacks are very effective at infiltrating Wi-Fi connections and infecting connected devices.

Wi-Fi honeypots are more common than you think, and it’s really easy to fall prey to them if you can’t distinguish between a malicious and legitimate Wi-Fi network.

Another type of Wi-Fi attack is Snooping, where hackers exploit unencrypted or rogue access points to infiltrate devices connected to public Wi-Fi networks. Since most public Wi-Fi networks are unencrypted, the risks are more than real.

Solutions

• Instruct employees not to use public Wi-Fi networks to directly avoid a major cybersecurity risk
• Compel the use of VPNs for all employees, which protects against Wi-Fi attacks
• Promote cybersecurity awareness, especially regarding public Wi-Fi use when on the go
• Encrypt corporate data on the device to prevent unauthorized access even if the device is infiltrated following use of a public Wi-Fi network

Insufficient Cybersecurity Awareness and Negligence

According to Verizon in their 2023 Data Breach Investigations Report, 74% of all data breaches involved the human element.

By “human element”, they refer to company employees who either made a mistake, were negligent, or acted in ignorance. Social engineering, in a nutshell.

Negligence and the lack of cybersecurity awareness can spell disaster for any corporation that operates on the web.

Any number of cyberattacks are facilitated through the human element. Malware, phishing, worms, ransomware, you name it and you’ll find a person guilty of negligence.

Here’s how it might look:

• Downloading a phishing attachment from a fake email
• Installing an infected app from the Play Store, which ends up discovering sensitive data on the device
• Visiting an infected website, which downloads a ransomware on your device, which ends up infecting the company database
• Using an unsecured Wi-Fi network without a VPN and falling prey to a man-in-the-middle attack
• Having your device stolen, which ends up disclosing sensitive corporate data

Negligence, disinterest, laziness, carelessness, all of these are problematic for employees with access to sensitive data.

When they’re bringing their own devices to the office, a whole slew of attack vectors become a reality and you have to prepare for them.

Solutions

• Teach your employees about cyber-attacks and threat actors. Employees should know about the various types of cyberattacks, risks attached to surfing online, how to spot scams, how to react to attacks, and what not do while online

• Perform regular checks and impose strict security rules. You don’t want your employees being negligent or not caring about the security of corporate data. Security training is one thing but regular checks are how you keep employees attentive and aware

Unauthorized Access to Sensitive Data

When it comes to BYOD, one of the highest risks is someone accessing sensitive data without authorization.

This could mean theft but it could also mean using the employee’s device without their knowledge.

Since employees will take their devices home, someone with bad intentions might open them, access sensitive data, and disclose it.

There’s also the risk of having the device stolen by someone with mal intent. This could end up becoming a data breach if the device isn’t secured properly.

Considering that 79% of Americans have their smartphones with them for 22/24 hours a day, it’s clear to see how the risk of data theft is important to consider.

Losing the device is also a possibility. Human error and negligence are factors you should consider when employing BYOD in your company.

Solutions

• Strong passwords for all work devices. Make sure that your employees use strong passwords for their devices. Ideally, they should put another password on corporate files and folders
• Biometric verification will decrease this risk even further, ensuring that whoever gets their hands on the device can’t use it
• 2FA systems in place so that even if someone gets their hands on the device, they can’t access the sensitive data without the proper 2FA code (or physical key)
• Immediate reporting of lost/stolen device so that the higher-ups can cancel any access codes on the device that a third party may use to access the company’s databases

Missing Security and Software Patches

Another reason why BYOD might pose a serious security risk is because employees might not be up-to-date with their security and software patches.

We all know that most people tend to be negligent with their personal devices. It’s all a matter of comfort.

But this comfort takes a great toll on personal (and corporate) security when you’re not installing the latest security patches.

Here’s what might happen in this case:

• A newly-discovered zero-day exploit (which you don’t know about) will enable hackers to infiltrate your phone and steal sensitive data
• A recent cyberattack ravaging your OS type may affect you because you haven’t installed the latest security patch
• Various system vulnerabilities may open your device for attacks by third parties with malicious intent

Outside of the office, employees may be less inclined to follow security precautions and take as much care as in the office.

However, this is just as important, if not more so, in order to safeguard the corporate data on the device.

Solutions

• Make regular checks on the latest OS version of your employees’ devices to ensure that they’re running the latest software and security patches
• Emphasize the importance of installing security and software patches to your employees so that they change their mindset early on. Ignoring this may have severe consequences on your business

Shadow IT

Shadow IT happens when employees either use unauthorized devices or install unauthorized software on work devices without letting the IT team know about it.

Around 80% of workers acknowledge that they’re using SaaS applications that the IT department doesn’t know about.

The reasons could be multifold, but in most cases, workers claim that reporting everything to the IT department would slow down the workflow.

While this might be true, the security risk Shadow IT poses should not be ignored either.

Employees are not security experts, so they could introduce new security vulnerabilities by using unapproved software or hardware.

Some of these applications may have low security standards, no encryption, and even security vulnerabilities.

Solutions

• Emphasize the fact that unauthorized hardware or software are not allowed so that employees won’t engage in Shadow IT. Make the security risks clear from the very start and be strict with the regulations
• Try to make all work-related tools available to employees so that they won’t have to engage in Shadow IT. Often, this happens because the IT Department wastes time approving a tool that employees need to do their work
• Enforce a better security detection of unapproved hardware or software so you can discover it ahead of time

Carelessness in Observing Security Policies

Some employees will simply be oblivious, negligent, and careless about the security policies you have established.

This could happen for a variety of reasons such as:

• Personal issues
• Overconfidence in avoiding security risks without sticking to rigid regulations
• Disinterest

Any one of these reasons is a major problem for the security of your business. You should deal with it as soon as possible.

Solutions

• Find out why employees are careless and try to solve this issue. Explain to them the potential impact of a data breach and potential repercussions if they’re to blame
• Lay off employees who are constantly careless. It’s better to give up on an employee who is constantly careless and can’t observe the rules

Is BYOD Worth It in the End?

BYOD policies have a few clear-cut benefits that you should know about:

• Much lower upfront costs for hardware provided to employees. Since they bring their own devices to work, you’ll save on these expenses
• Improved employee productivity because of their familiarity with their own devices
• Increased employee satisfaction because they’re bringing an element of familiarity to work and don’t have to juggle a personal and work device simultaneously
• Greater mobility because employees are always available, even during their official time off. This should enhance responsiveness and engagement
• More flexibility with accessing company resources from anywhere, which increases employe morale, engagement, and loyalty

These are the main benefits of Bring-Your-Own-Device policies for a company and its employees.

But I’ve also described the security risks above. There’s a potentially disastrous security breach waiting to happen if BYOD policies are misused and manipulated.

You will need to establish a few ground rules when implementing BYOD. Security checks, cybersecurity awareness, active discouragement of security negligence and Shadow IT, these are all necessary steps toward a healthy BYOD ecosystem.

It’s not impossible to achieve, though. With the right tools and planning, BYOD can enhance your business’ performance substantially.

Stick around for more PrivacyAffairs cybersecurity content!

Sources

BitGlass – BYOD Security Report 2021
Privacy Affairs – Why Is Phishing So Common & How to Protect Against It?
Perception Point – BYOD Security: Threats, Security Measures and Best Practices
Privacy Affairs – Cybersecurity Deep Dive: What Is the Principle of Least Privilege?
Kiteworks – Lost and Stolen Mobile Devices Are the Leading Cause of Healthcare Data Breaches
Forbes – The Real Risks of Public Wi-Fi: Key Statistics and Usage Data
Verizon – 2023 Data Breach Investigations Report
Privacy Affairs – The Art of Cyber Deception: Social Engineering in Cybersecurity
Privacy Affairs – Cybersecurity Deep-Dive: 18 Types of Cyberattacks & Prevention Methods
Leftronic – 29+ Smartphone Usage Statistics: Around the World in 2023
Track – 21 Shadow IT Management Statistics You Need to Know
Jumpcloud – BYOD Business Benefits