Law Society of Scotland
BYOD and remote working: a new threat

In association with Mitigo: Employees using insecure personal devices while homeworking are a source of serious weakness, leaving law firms open to cyberattack
17th May 2021

The past year has seen many firms successfully navigate the new world of remote working. However, the rush to establish a distributed workforce, combined with changing working patterns and employee behaviour, means that many of those firms are facing an increased risk of cyberattack. As a consequence, we have seen a worrying increase in cases of email account takeover and ransomware attacks.

Common security concerns stemming from remote working now include:

  • data leaking through endpoints;
  • users connecting with unmanaged devices;
  • maintaining compliance with regulatory requirements;
  • remote access to core business apps;
  • loss of visibility over user activity.

All these problems actually fall under one umbrella: the dissolution of the traditional perimeter. Many employees are now working outside the security protection that their office networks would usually provide. There is no better example than employees using personal devices to do their job.

BYOD and remote working

The concept of Bring Your Own Device (BYOD) has existed for many years now within an office environment. It is common to see employees using their own smartphone for work purposes, for example. However, an alarming lack of control and visibility exists with employees using their personal devices for working at home.

The rapid shift to remote working meant some employees had to make do with using their unsecured personal devices in the absence of company-issued devices. Even today, employees are working on home PCs or laptops that may also be used by others, including their children. Elsewhere, we’ve seen employees entering their passwords for important enterprise systems, with those passwords then syncing to their children’s tablets or other family-used devices.

These unsecured smartphones, laptops and mobile devices are often the most vulnerable endpoints or entry points to firms’ networks and enterprise systems. Risks include data leakage, users downloading unsafe apps or content, lost or stolen devices, unauthorised access to data and systems, and risk of malware infections.

Research by the Ponemon Institute highlights how BYOD has affected organisations: 67% of security pros say remote workers’ use of their own mobile devices, such as tablets and smartphones, to access business-critical applications and IT infrastructure has decreased their organisations’ security posture.

The problem is compounded when almost a third of respondents say their organisations do not require remote workers to use authentication methods, and only 35% say they require multi-factor authentication (MFA).

It is worth noting that it is not just traditional work devices like mobile phones or laptops that pose a security risk. New figures commissioned by the Government show almost half (49%) of UK residents have purchased at least one smart device since the start of the coronavirus pandemic. These smart watches, TVs and cameras sit on the same home wireless network as those work devices and also remain vulnerable to cyberattacks.

Technology, people and processes

With the perimeter falling away, firms are looking to technology solutions, alongside policy, governance and training, to mitigate the security risks.

From a tech standpoint, firms need to ensure authentication and device management are in place – it is important that remote workers using their own devices have enabled basic security features such as a PIN, fingerprint or facial ID. MFA is an important tool for stopping traditional credential harvesting methods and should be extended as far as possible.

Going further, more firms are embracing the concept of “zero trust”. This model means that no user or system, either inside or outside the cloud, is trusted until they have been verified. The concept can be applied to technologies, devices and employees’ work practices. Verifying users is achieved through technologies like MFA, identity and access management (IAM), encryption and permissions systems.

As well as mitigating the risks to the services and data being accessed, firms should consider the risk to client data being processed or residing on personal devices. This will vary considerably according to which BYOD approach they have deployed and how it is configured.

Aside from looking to technology to help mitigate risk, one of the most important things a firm can do is to educate employees and maintain their awareness of cyber threats. So, any solution should be introduced alongside ongoing security awareness training and formal policies that lay out the procedures for working from home from a cybersecurity standpoint.

Many firms tell us they are likely to continue increased levels of remote work in the future. Visibility and management across the newly distributed workforces will be crucial. This means firms must tackle the problem of BYOD and look to technology and processes that can provide visibility and greater security for employees when working remotely.

This article was produced by Mitigo. Take a look at their full-service offer on the member benefits page at www.lawscot.org.uk

More information

For more information contact Mitigo on 0131 564 1884 or email lawscot@mitigogroup.com

Mitigo is a strategic partner of the Law Society of Scotland.
