Bring-your-own-device (BYOD) is a policy that allows employees to use their own devices (phones, laptops, etc.) at work or remotely. According to Cybersecurity Insiders, around 82% of organizations employ BYOD.
While this policy makes employees more efficient, boosts their morale, and saves the company money, there are several cybersecurity risks attached to BYOD.
Here’s a quick summary of the risks:
These 9 major security risks can seriously harm your business if you allow BYOD without performing regular checks.
Below, I’ll go into more detail on each security risk and propose a few solutions. Keep reading!
The biggest risk of Bring-Your-Own-Device policies is malware infection. Employees tend to be less careful about the security of their personal devices and will pay less attention to what apps they install.
They may download PDF files or install games and other apps for personal use, and many of these apps may be infected with malware.
Since the device also contains corporate data, the malware will gain access to it, causing a data breach.
What's more, when the employee comes to work and connects their device to the company network, the malware will spread to the entire network, leading to a crisis.
There are multiple types of malware, including:
The worst thing is that anything online could be infected with any of these types of malware. All it takes is a lapse in judgment when accessing a strange website or downloading an app, and your device is infected.
As an employer, you have next to no control over how the employee uses their personal device at home.
So, you don’t know if their device is infected or not.
When you implement BYOD, it’s inevitable that employees will mix personal and business use on their devices.
This creates security vulnerabilities because corporate data will be stored on devices that are used for unsecured activities like online shopping.
You can hardly control your employees’ devices because you won’t know how they’re using them at home.
Here’s what might happen as a result:
It’s extremely difficult to keep these things under control. BYOD poses a heavy cybersecurity risk that’s not easy to avoid.
The chance that an employee loses their personal device is much higher compared to a work device.
One survey shows that 68% of healthcare data breaches were caused by the loss or theft of an employee device.
This happens because a personal device is more vulnerable to being stolen or lost due to how, where, and when it’s being used.
A work device is only used at work, while a personal device is used everywhere the user goes.
Anyone who comes into contact with the user may steal or access their device and get their hands on the sensitive corporate data.
This deserves its own spot on the list because of how dangerous Wi-Fi is to the security of the data on employee devices.
Public Wi-Fi networks are some of the worst cybersecurity pitfalls because of how vulnerable they are to external manipulation.
Man-in-the-middle attacks are very effective at infiltrating Wi-Fi connections and infecting connected devices.
Wi-Fi honeypots are more common than you think, and it’s really easy to fall prey to them if you can’t distinguish between a malicious and legitimate Wi-Fi network.
Another type of Wi-Fi attack is snooping, where hackers exploit unencrypted or rogue access points to infiltrate devices connected to public Wi-Fi networks. Since most public Wi-Fi networks are unencrypted, the risks are more than real.
According to Verizon in their 2023 Data Breach Investigations Report, 74% of all data breaches involved the human element.
By “human element”, they refer to company employees who either made a mistake, were negligent, or acted in ignorance. Social engineering, in a nutshell.
Negligence and the lack of cybersecurity awareness can spell disaster for any corporation that operates on the web.
Any number of cyberattacks are facilitated through the human element. Malware, phishing, worms, ransomware, you name it and you’ll find a person guilty of negligence.
Here’s how it might look:
Negligence, disinterest, laziness, carelessness: all of these are problematic for employees with access to sensitive data.
When they’re bringing their own devices to the office, a whole slew of attack vectors becomes a reality and you have to prepare for them.
When it comes to BYOD, one of the highest risks is someone accessing sensitive data without authorization.
This could mean theft but it could also mean using the employee’s device without their knowledge.
Since employees will take their devices home, someone with bad intentions might open them, access sensitive data, and disclose it.
There’s also the risk of having the device stolen by someone with malicious intent. This could end up becoming a data breach if the device isn’t secured properly.
Considering that 79% of Americans have their smartphones with them for 22 out of 24 hours a day, it’s clear why the risk of data theft is important to consider.
Losing the device is also a possibility. Human error and negligence are factors you should consider when employing BYOD in your company.
Another reason why BYOD might pose a serious security risk is that employees might not be up-to-date with their security and software patches.
We all know that most people tend to be negligent with their personal devices. It’s all a matter of comfort.
But this comfort takes a great toll on personal (and corporate) security when you’re not installing the latest security patches.
Here’s what might happen in this case:
Outside of the office, employees may be less inclined to follow security precautions and take as much care as in the office.
However, this is just as important, if not more so, in order to safeguard the corporate data on the device.
Shadow IT happens when employees either use unauthorized devices or install unauthorized software on work devices without letting the IT team know about it.
Around 80% of workers acknowledge that they’re using SaaS applications that the IT department doesn’t know about.
There are multiple reasons why workers might avoid reporting everything to the IT department, but most commonly, they believe it would slow down their workflow.
While this might hold some truth, the security risk posed by Shadow IT should not be ignored.
Employees are not security experts, and using unapproved software or hardware can introduce new security vulnerabilities.
Some of these applications may have low security standards, lack encryption, and even contain security flaws.
Some employees will simply be oblivious, negligent, and careless about the security policies you have established.
This could happen for a variety of reasons such as:
Any one of these reasons is a major problem for the security of your business. You should deal with it as soon as possible.
BYOD policies have a few clear-cut benefits that you should know about:
These are the main benefits of Bring-Your-Own-Device policies for a company and its employees.
But I’ve also described the security risks above. There’s a potentially disastrous security breach waiting to happen if BYOD policies are misused and manipulated.
You will need to establish a few ground rules when implementing BYOD. Security checks, cybersecurity awareness, and active discouragement of security negligence and Shadow IT are all necessary steps toward a healthy BYOD ecosystem.
It’s not impossible to achieve, though. With the right tools and planning, BYOD can enhance your business’s performance substantially.
Sources
BitGlass – BYOD Security Report 2021
Privacy Affairs – Why Is Phishing So Common & How to Protect Against It?
Perception Point – BYOD Security: Threats, Security Measures and Best Practices
Privacy Affairs – Cybersecurity Deep Dive: What Is the Principle of Least Privilege?
Kiteworks – Lost and Stolen Mobile Devices Are the Leading Cause of Healthcare Data Breaches
Forbes – The Real Risks of Public Wi-Fi: Key Statistics and Usage Data
Verizon – 2023 Data Breach Investigations Report
Privacy Affairs – The Art of Cyber Deception: Social Engineering in Cybersecurity
Privacy Affairs – Cybersecurity Deep-Dive: 18 Types of Cyberattacks & Prevention Methods
Leftronic – 29+ Smartphone Usage Statistics: Around the World in 2023
Track – 21 Shadow IT Management Statistics You Need to Know
Jumpcloud – BYOD Business Benefits