Protect yourself and your business by securing your devices.
Hybrid work environments and bring-your-own-device policies changed how we do business—and introduced new potential risks to your business’s data and operations.
Companies across the country have embraced hybrid work and remote connectivity. How and where we work is made possible by an increasing reliance on employee-owned or employee-enabled devices, most commonly mobile phones, laptops and tablets. Bring-your-own-device—or BYOD—policies make it easier for many workers to do their jobs from any location. And they have cut costs for companies that no longer have to buy, ship, maintain and replace business-issued employee devices.
However, along with cost savings and convenience come potential security risks. Every device—personal or business-issued—represents a potential breach point that could allow for a cyber event that results in fraud, loss of valuable or sensitive data or reputational harm.
“It’s human nature to look to convenience before safety,” says Jeffrey A. Taylor, Head of Fraud Forensics and Commercial Payments Strategy at Regions Bank in Birmingham, Alabama. “When we’re in a hurry, we drive over the speed limit and don’t think about safety. We often take a similar approach with new technology and security.”
To be sure, many companies are managing the risks presented by BYOD practices through a combination of improved security features on devices, consistent messaging and education for employees about cybersecurity, and policies that clearly spell out what types of behavior are allowed. But as the digital landscape expands and bad actors change their tactics, BYOD practices can’t remain static, especially if a business’s security protocol needs updating.
There is no single way to address BYOD security. Every business needs to develop a BYOD policy based on its business structure, regulatory environment and risk tolerance. The only option that doesn’t work is having no policy at all. What follows are guidelines for evaluating your business’s BYOD approach and making sure it is in sync with how your employees do business.
Recognize that ‘identity is the new perimeter’
In today’s BYOD work culture, the method for verifying an employee’s identity when they log in to a device—business-owned or personal—is the key to security. “Companies rely on identity and access management to get insights into what each employee is doing, what devices they’re using to access business networks and whether or not they’re logging in from where we expect them to be,” says Adam Perino, Vice President of Cybersecurity at Regions Bank. “The improved technology around user-based analytics has helped companies detect when someone is doing something suspicious, and maybe it’s not ‘them’ who is behind the action.”
This comes as security controls on common devices have steadily improved. “Just think in terms of biometrics,” says Taylor. “Facial recognition didn’t exist on all our phones until the past decade. The device itself is much more secure.”
That said, companies should make it clear that they expect employees to enable biometrics and multi-factor authentication (MFA) on every device they use. When strict BYOD policies are called for due to regulatory oversight or access to sensitive data, companies may need to deploy advanced facial recognition controls on all devices to ensure that only the designated employee is logging in. “It’s important to deploy other factors of identity authentication to access devices,” Taylor adds. “That makes a big difference in BYOD security.”
Create containers for business apps and functions
BYOD policies need to protect important corporate data without making the controls so restrictive that employees feel they can’t work effectively—and develop workarounds as a result. Such workarounds can create security blind spots, even on devices issued by the business. “Companies have little say over the applications installed on a personally owned device, or even on a business-owned device, unless they exercise rigorous oversight,” says Perino. “There’s a greater risk of a malicious application installation or other malicious activity that’s outside the organization’s monitoring capability.”
Companies can mitigate these risks by separating work applications from personal applications on employee devices. Should any malicious activity be detected, security teams can wipe the business-facing applications to prevent a deeper intrusion. Plus, they can protect corporate data in the case of a lost device by making it accessible only with a personal ID or password.
Communicate device management policies clearly
To set the tone for proper BYOD hygiene, create a policy for device security—and be transparent about what behavior is acceptable and what isn’t (such as downloading apps for personal use on a business-issued device). “The business attorney and device management department should help craft the policy but also the messaging to employees about what detection capabilities are in place and what actions can be taken when any anomalous behavior is detected,” says Taylor.
Be clear about what employees should do to keep their devices secure. “You need to give employees a leg up,” Taylor says. “Remind them that it’s up to them to make sure they apply all patches and updates, where it’s safe to connect to business networks and what behaviors they should avoid, such as using public Wi-Fi to do business, especially if they are handling sensitive data.”
Reinforce security basics
No matter what devices employees use for business, threats such as phishing emails, malicious links and attachments, and spoofing are still among the most common sources of cyber incidents and data breaches. Every employee must acknowledge their responsibility in keeping business data secure, along with their own personal information and assets. In many cases, this simply means enabling the security controls that come with the device.
“If your device has facial ID or MFA, by all means use it,” says Taylor. “If you need a six-digit PIN to unlock the device, don’t choose something simple like 1-1-1-1-1-1. The same goes for passwords. Unfortunately, most security teams have stories about users who made it all too easy for bad actors to gain access.”
The basics include best practices for accessing business networks. If your organization makes use of a virtual private network, or VPN, employees should take this extra step every time they connect—and make sure their login credentials are robust.
“Leadership has to be clear about what they expect from their employees when it comes to protecting their devices and connecting to the network,” Taylor says. “But after that, each person has to take ownership by prioritizing security in their day-to-day function.”
Building a company policy
As you build a BYOD policy for you and your employees, keep these points in mind.
- The company, brand or business needs to set expectations. Security is, in a way, every employee’s business. But leaders and security teams need to establish methods and best practices that employees can rely on to protect the business and its value.
- Deploy security controls that protect critical business data and functions. Security teams should invest in technology for BYOD and business-owned devices that segments out essential functions and information and can wipe infected applications when necessary.
Stay alert and revisit your BYOD plan
Remember that things change rapidly when it comes to security and fraud. While device security has steadily improved, bad actors shift tactics constantly to steal passwords and trick administrators into thinking their access is legitimate. Employees should use all available access controls and maintain good habits around password management and overall cyber hygiene. And your business should frequently revise its policies to ensure you are combating the newest fraud tactics.
Three things to do
- Read more about protecting your business from fraud.
- You can combat fraud, but your business should also build a response plan in case there is a data breach.
- In a hybrid environment that may be flexible or fully remote, consider what that means for your security.