BYoD is helping organizations to cut costs and keep employees productive, but if devices are unmanaged, they represent a threat to the secure corporate perimeter. In this article, Dave Waterson, CEO at security specialist, SentryBay, explains why it’s time to adopt a zero-trust approach combined with real-time endpoint protection to secure the unified remote access cyber security stack.
With the continued uncertainty around the best ways to manage the ongoing impact of COVID-19, business leaders are under pressure to implement flexible policies that can support working practices amid constant change. Some employees are back in the office, others have adopted a more hybrid approach, many are still remote. The location of employees, however, is no longer the key issue. How they remain productive, able to communicate, and secure, wherever they happen to be is now the priority for businesses.
To this end, BYoD and BYoPC policies are expanding rapidly. Long before the pandemic, these models that encouraged employees to use their own smartphones, tablets and laptops to carry out their work tasks had changed workplace culture permanently. According to Statista, in 2018, 45% of UK businesses enabled BYoD, and of these 60% were finance or insurance firms.
Since then, that number has grown exponentially, with the pandemic driving the adoption of BYoD culture rapidly throughout North America, which an IndustryARC report shows now accounts for more than 28% of global market share, followed by APAC and Europe.
For the many organizations that invested heavily in secure corporate laptops in recent months to serve their distributed workforces, the adoption of BYoD has brought significant savings in CAPEX. However, there are two major considerations that all businesses must address as they expand their BYoD policies, and they are security and compliance.
Vulnerability of unmanaged endpoints
Any device that is unmanaged and accesses the corporate network can potentially admit malware. Whether it’s from the personal applications used by employees and which lack security rigor or the downloading of games and apps from unchecked sources, the risks of data theft or viruses infiltrating sensitive company information is significant. If the device is lost or stolen and falls into the hands of cybercriminals, the lack of security will make it a doddle for them to hack corporate accounts.
And the lack of control associated with unmanaged devices has another downside: it renders the company non-compliant with a wide range of important regulations, including GDPR, PCI-DSS, HIPAA, FFIEC layered security and of course, internal infosec requirements. Interestingly, in a poll that we carried out on Twitter recently, more than half of respondents admitted that their current infrastructure had either failed Payments Council Industry (PCI) assessments or their company was non-compliant with PCI DSS – clearly this standard alone is difficult enough to comply with, without the added complexity of BYoD.
Addressing the issues
Turning unmanaged devices into secure endpoints that pose no threat to corporate data is not difficult, but it does need addressing urgently if companies embark on BYoD policies. The best approach is to adopt multiple layers of complementary solutions and services that work together to block cyberthreats and proactively manage gaps in compliance.
The first, and most important step is to take a zero-trust approach to every endpoint that will connect with the company network. The motto “Never trust, always verify” is a useful reminder. Zero trust literally means that every user (and their device) is treated as a threat by default, even those that are already inside the network. They cannot be granted access to the system at any level until they have been verified.
It is a measure of how important zero trust has become, that in the Spiceworks Ziff Davis 2022 State of IT report, which surveyed more than 1000 technology buyers in North America and Europe, 65 percent of companies in Europe said that they were implementing or planning to use zero trust security solutions within the next two years.
The next step is to think beyond the old stalwarts of internet security, anti-virus software and securing the wireless network with virtual private networking (VPNs). These are all important and play their part, but none of them is a complete solution for managing today’s threat landscape.
Instead, enterprises should look to deploy dedicated software and solutions that can ‘wrap’ data and applications securely to neutralize the threat of cyberattack particularly from keyloggers, screen grabbers and similar malware.
Key loggers and screen grabbers are the attack vector through which sensitive data is most often, and most easily, stolen, and unsurprisingly, both these forms of malware use unprotected endpoint devices to get into corporate networks. If a keylogger is installed on a remote endpoint device which has a lower security posture than it would have within a secure network, cyber-attackers can gain full access as the user logs-in and to everything the user enters at the keyboard or displays on the local device.
This is why software that protects data entry on unmanaged devices, particularly those that work with remote access apps like Citrix, VMWare, WVD, web browsers and Microsoft Office applications, is an essential part of the layered approach when considering BYoD.
All organizations of any size need to understand just how much they should do to secure their BYoD policies from the word go. They cannot just rely on two-factor authentication, a VPN or standard anti-virus solutions. Unless data is protected as it is entered from the keyboard or onto the screen, it opens a gap in the corporate armor which makes the company vulnerable to a security breach, and also to non-compliance.
- The security threat of Bring Your Own Device (BYOD) initiatives
- 4 key 2022 security trends predictions
- 17 IT leaders on why your organization needs zero trust, with tips on implementation
- How to protect your corporate network this year: top three tips
BYoD is the route of choice for many businesses as they negotiate the road forward. To make it work however, business leaders must ensure they do not sacrifice security and compliance in the drive towards cost savings.