The BYOD (Bring-Your-Own-Device) age has been with us for some time. The megatrend of remote work brought on by the pandemic forced security professionals to sacrifice endpoint security for productivity as overnight work-from-home policies were built on BYOD. Cybercriminals took advantage of the sudden shift, with significant business impact. While BYOD was imperative for business continuity in the face of Covid 19, it also offers companies lasting benefits: reduced costs and happier employees using their own familiar devices. At the same time, it makes securing corporate networks a challenge. Now that the corporate workforce is highly mobile and requires 24×7 access from outside corporate firewalls, security teams must review their security infrastructure to minimize the attack surface. Users do not always follow usage guidelines, and with BYOD this is even harder to enforce. For example, mobile devices may not even be set up for VPN access, users may connect over unsecured WiFi networks, and they typically use the same mobile device for both corporate and personal purposes. Since the BYOD age is here to stay, the next Phish Stories will address Security and Privacy in a BYOD World – May 25 at 12 PM PT.
Here are some stats from techjury that highlight the increase in BYOD in 2020:
- 67% of employees use personal devices at work
- BYOD generates $350 of value each year per employee
- A BYOD-carrying employee works an extra two hours
- 87% of businesses depend on their employees’ ability to access mobile business apps from their smartphones
- 69% of IT decision-makers in the U.S. say BYOD is a good thing
- BYOD market size is expected to reach $366.95 billion by 2022
- 59% of organizations adopt BYOD
The growing BYOD trends make endpoint security challenging, and legal, privacy, employment, and other pertinent issues must be addressed. Here’s a breakdown of the various forms of BYOD and their associated security risks:
BYOD – Bring Your Own Device. The best known and most feared by IT, this ownership model gives employees complete responsibility for selecting, supporting, maintaining, and securing their own personal device, which will also be used for business purposes.
COBO – Company-Owned, Business Only. Most desired by IT security teams, but less suited to today’s business environment. COBO relies on a corporate-owned device that is used solely for business, and it can be configured with the organization’s security controls.
COPE – Corporate Owned, Personally Enabled. Workers can use a corporate device for both business and personal purposes, much like BYOD. The difference is that IT security teams can still enforce security controls and best practices on the device.
CYOD – Choose Your Own Device. In this scenario, the choice of device is up to the individual, who purchases mobile hardware from a company-approved list. The flexibility is advantageous to the employee using the device, but the security challenges can be daunting.
POCE – Personally Owned, Company Enabled. Perhaps most similar to BYOD, the POCE framework takes control of only the part of the device used for business purposes. Access to the corporate network goes through a portal that is sectioned off from the private part of the device.
With all of these frameworks, there are benefits and challenges to weigh, and given the number of applications and cloud access points in use today, phishing and other threats from bad actors remain prevalent and hard to stop.
Phishing attacks can lead to credential stealing, data loss, and IP theft, leading to millions in fines and other legal ramifications.
With growing enterprise mobility requirements plus higher numbers of remote workers, properly securing mobile and remote users is causing IT security teams to rethink their endpoint security strategies.
VPN tunneling enables remote users to benefit from most perimeter protections. However, full-time VPN enforcement can be difficult. Users may not always follow VPN usage guidelines. Special “secure” web proxies are another option for protecting remote workers. But most organizations find deployment and enforcement challenging for similar reasons as VPN tunneling, especially on BYOD mobile devices. Web proxies also bring their own set of security, user privacy, and latency concerns.
The most commonly deployed security option for remote workers has traditionally been endpoint anti-virus or NextGen AV (NGAV) solutions. But endpoint security for laptops is focused on malware protection and offers little in the form of anti-phishing protection; that is, protection from file-less social engineering attacks designed to exploit users rather than the devices themselves. For the latter, most organizations use a variety of email security solutions. These certainly help reduce the number of phishing emails remote users see in their inboxes. Still, they do nothing to protect users from targeted phishing attacks in personal email, social media, ads, rogue browser extensions, messaging platforms, and more.
For users on mobile iOS and Android devices, the situation is worse. The vast majority of mobile devices have no special security protection other than the protections natively built into iOS and Android, along with their respective app store vetting processes. Safe browsing protections on mobile are also just a fraction of those on desktop browsers. Fortunately, truly malicious mobile malware is still quite rare. Unfortunately, mobile phishing is rampant. According to at least one mobile threat defense vendor, mobile users are 18x more likely to encounter a phishing threat than malware. There are also additional phishing attack vectors such as SMiShing which are largely unprotected. And with smaller screens and information layouts, important clues such as full URLs are typically hidden, making it easier to phish mobile users.
As organizations embrace the expanding remote workforce, security professionals should review their current endpoint security strategy to ensure they’re protected against sophisticated, fast-moving phishing threats. SlashNext Mobile and Browser Protection provide fast, real-time phishing protection in lightweight, cloud-powered apps and browser extensions that protect users without compromise: no degradation in user experience, and no transmission of personal data.
To find the right balance between security and privacy and keep your BYOD workforce secure from the growing number of sophisticated phishing and social engineering threats, attend Phish Stories 5: Security and Privacy in a BYOD World – May 25 at 12 PM PT. Register Here