Mitigating the security risks of BYOD

BYOD — Bring Your Own Device — was a question two or three years ago. Companies were concerned about the implications, excited about the possibilities, unsure which rules they should settle on.

vpn tech byod

Circumstances have overtaken us. BYOD is a fact. 87% of businesses rely on BYOD to some extent. The benefits are clear: users prefer their own devices anyway, know how to use them, and buy and maintain them for themselves. IT is released from hardware maintenance; in some businesses where cloud computing and IoT have both been implemented, IT’s role has changed out of all recognition because they actually have zero hardware to maintain on-site.

But the downsides are also clear. BYOD has massively increased the number of consumer-grade, unprotected, multi-use devices present in the workplace. Clunky as the office suite of PCs used to be, they were firewalled, anti-virussed and constantly monitored and checked by IT professionals. That’s not the case with the hodge-podge of iPhones, Android smartphones, Chromebooks and tablets that workers lug in to the office from home.

Result? Sensitive data is stored on the same devices and transmitted over the same wifi networks that people use to play Fortnite, comment on Youtube videos and post on social media. Emails containing company or client data travel across unprotected wifi networks in coffee shops, gyms, homes and public locations. Where consumer and professional behaviours intersect there’s a huge data security risk.

All of this has the effect of increasing what cybersecurity experts call a company’s ‘attack surface’ — the range of places a cybercriminal can find a way in.

How does BYOD increase the risk of cyber attacks?

BOYD is risky because it increases the effect staff have on security, that effect already isn’t good. Most cyber attacks against businesses take place via employees, for the simple reason that workers typically don’t comply well with security protocols. 

Take passwords.  Top contenders last year were ‘123456,’ ‘password,’ and ‘12345678.’ That’s not tough to guess. Neither is the name of a local sports team or spouse. To save a few seconds remembering a more complex password, employees use weak ones even though they know the risks: 70% of businesses have suffered a data breach, and in the average 191 days it takes to realize a breach has taken place they suffer loss and damage equivalent to an average $3.86 million

And in a US survey only 36% of employees were able to recognize a suspicious link in an email, the most common way for malware, ransomware and viruses to enter a company’s system.

BYOD makes it far easier for criminals to target employees accurately. Intercept a few emails, check the person’s social profiles and you have enough on them to craft an effective spear phishing email, or to figure out their passwords for when you steal their device.

But how do criminals intercept emails?

Man in the middle attacks

Suppose Matt sends Jane an email. In between Matt’s email server and Jane’s, that email is bounced from server to server across the internet, and a server is really just a computer. 

So adding malware to a server, or intercepting, reading and then forwarding that email, leaves no trace and isn’t even difficult. The criminal acts as the ‘man in the middle’ between the sender and the intended recipient.

After intercepting the emails of several people who work in the same business together, a criminal can have enough information to carefully target cyberattacks, know who to email with a malware or ransomware link, or simply steal sensitive data that belongs to the company, its employees or its clients. 

It’s also possible to intercept and rewrite emails en route. This can be used to ask for more detailed information that the original sender did, or to transmit instructions to a subordinate that leave the company wide open. But the email’s from the boss, so it’s all OK, right?

Man in the middle attacks work on websites too. Data you send to and from a website can be intercepted — bad news when 75% of employees shop online at work. What they do online at home is up to them, of course, but if they use the same browser or device it can be infected with spyware that then hoovers up everything they do at work, down to the keystroke.

What can you do to secure your business?

There are several routes open to you to secure your business. Some rely on technology, like encryption. Others rely on encouraging staff to actually do what they’re supposed to, which can’t be just a matter of more training. 

For the biggest bang for your buck, encrypting your internet traffic is the way to go. ‘A VPN is the most cost-effective security action you can take to secure your business,’ says VPNAdviser’s Roland Brown. ‘Think about how much of your business takes place over networks. Secure those and you’ve taken a big step to preventing an attack.’

You should also consider encrypting files on devices. Where you don’t own the devices, you can partition their storage and then encrypt; again, while this is imperfect, it does mean that if the device is lost or stolen your business data is safe. 

It’s also worth looking at remote wipe capability on the volumes of storage that belong to you, so if an employee leaves, they don’t take valuable or sensitive data with them — intentionally or not.

Let’s start with staff compliance.

Can we get staff to do the right thing?

Adherence to cybersecurity protocols is notoriously terrible. In a 2017 Dell survey, 24% of staff who had received cybersecurity training still did unsafe things at work to get their jobs done. In fact, staff compliance with security is the number one problem in the space.

Maybe that’s because from a UX point of view, cybersecurity protocols themselves are terrible. Think about it: they rely on adding small but unenjoyable tasks to a user’s workflow, when that’s exactly the kind of thing we’d be trying to remove if we were designing a checkout, sales or signup flow — because we know users hate it. 

The widely-used Fogg behavioural analysis shows that you’re going to get the most action where motivation is high, the task is easy and there’s a trigger right there. 

Want a million bucks? Click here now. 

That’s going to get a lot of action. 

Want to maybe save your boss a million bucks? Do the thing you half-remember from that course six months ago.

Not so much action on that one. Add to that the fact that employees are usually expected to remember cybersecurity cues and triggers themselves rather than being reminded (‘triggered’) by external cues and you have a recipe for noncompliance. Low motivation, high difficulty and no trigger.

Since these users are at work and can’t abandon the flow the way they probably would if they had a choice, they do the next best thing and work around the security protocol. If they don’t get the spreadsheet finished by Friday, someone notices; if they send it to everyone in a cc’d email from unsecured wifi in a coffee shop, no-one says anything. 

So that’s what happens.

The practical upshot is always the same: the carefully constructed security protocols the business has put in place are negated totally, sometimes without the IT department or business owner even knowing it’s happened.

The solution is to refocus on the fact that the best security is the kind you actually do. Security protocols need to be easy to engage with and perform, as well as secure; if they aren’t they won’t be performed at all.

To improve employee compliance, make security as near to simple and effortless as possible. Include triggers in workflows where you can, and accept that anything difficult or time-consuming is not going to get done at all. Maybe staff should behave differently, but the fact is, they don’t.

It’s worth considering creating gamification or leaderboard systems for security protocol compliance, encouraging it with perks, prizes or simply public recognition. The ‘sales bell’ effect is definitely real!

But protocol alone can’t solve security.

Encryption: encrypting computers and hardware

It’s now possible to encrypt the contents of computers at low cost and without interrupting workflows. Apple does this automatically via its Disk Utility tool, but products are available to carry out encryption across multiple devices. 

On BYOD devices, you’ll probably also be using partition. Typically users will be asked to partition their on-device storage (hard disk, SSD card) and have one side for work and the other for their own use. In effect, this creates two devices, running on the same hardware and inside the same case.

But encryption of this type doesn’t fully solve the problem either. Those encrypted devices can be broken into, lost or stolen, and the encryption is only as strong as the password used to access it; have we mentioned how terrible most passwords are?

This can be solved with remote wipe functionality: if a phone or tablet goes missing you can order it wiped from HQ and as long as it’s turned on and connected to the web, you can delete what’s on it, wherever it is. (Which is why thieves will often pop the SIM or disable network connections, so you need to be quick out of the blocks.)

Remote wipe can be performed on the whole device or just some volumes; enterprise wipe tools delete only the data and apps flagged as belonging to the business, meaning they’re OK to use as standard when an employee leaves, and Knox or other partitions can create a volume which can be remote-wiped with affecting the rest of the device.

Encryption: encrypting files

Another option is simply to encrypt every file. If it’s sent by email or chat app, it doesn’t matter if it’s intercepted since it can’t be read. 

This presents its own set of obstacles, in that many recipients don’t have the encryption client to decrypt the files: if you’ve ever tried getting clients to use Slack, you know what I’m talking about here. Send a client an encrypted file, get an email back that they can’t open it, go around the houses for half an hour and wind up emailing them an unencrypted copy anyway. At that rate you may as well fax it to them.

Additionally, the more careful a business is to safeguard a single version of a file, the harder it is to collaborate. As soon as one member of staff creates a backchannel version of the file, the encryption efforts have been for nothing. And that’s almost bound to happen if it’s difficult to access the encrypted version.

Tools for encrypting files include VeraCrypt, the (free) successor to TrueCrypt and a powerful open-source file encryption solution with a bare-bones interface; AI-powered solutions like Shieldox, which makes its own decisions about which files to share; and Axcrypt, with productivity-friendly Dropbox and Google Drive integrations.

But they don’t solve the problem totally either. They still leave your messages unencrypted, don’t protect you while you’re browsing, and usually both parties need them installed to make them work; again, clients and customers will be the sticking point here.

Encryption: encrypting traffic

Encrypting traffic can be done easily using a VPN. VPNs, Virtual Private Networks, both encrypt all web traffic and obscure the originating IP address by rerouting traffic through another server. 

Put simply, using a VPN puts a wall of encryption between you and the internet. Your communications are protected, your IP address is concealed and access to your network is made much harder. 

The good news is that, while a VPN isn’t a complete solution either, it is both very inexpensive and totally effortless. VPN clients can be installed on mobile devices and left on by default, and compared to other business SaaS products, even the best, features-rich VPNs are very low-cost.

Some VPNs keep activity logs or otherwise monitor their users, and business users should be aware that the majority of so-called ‘free’ VPNs are actually data collection tools. The data is subsequently repackaged and sold to advertisers and others, so using them is exchanging one form of spying for another. (It might also leave you noncompliant with data protection regulations.)

If you choose a no-logs VPN, employees might be happy to leave it on and running constantly or even to use it in their own time for their own purposes, and there is no extra cost or risk associated with this for you. But using a dedicated business VPN setup can allow you to monitor network usage and assign permissioned access, which is also worth considering.

Choosing a VPN for BYOD

Some major consumer VPNs have business plans, and there’s a young but growing business VPN industry dedicated to supplying VPN services to larger organizations.

For instance, a very small business could be served with a single subscription to a mainscale consumer VPN like NordVPN. Secure, with no logs and a vast array of servers and encryption options, Nord is a heavy hitter in the consumer VPN space. But with the option to connect up to six devices simultaneously, it’s also a good choice for small businesses — and when you’re ready to scale, Nord has business options too, though you’ll have to get on the phone with a representative to learn more.

For larger organizations, the go-to choice is Perimeter 81. The core functionality is what you’d expect from a top-end VPN aimed at the consumer market; after all, VPN at its heart is a simple tool. What sets a ‘business’ VPN apart is additional features like automatic wifi security, single sign-on, your own server, the option for cloud or on-premises deployment and permissioned administrator access. Perimeter 81 has two packages, for small business and enterprise, with extensive customization available for enterprises.

In other words, a business VPN takes the same expectations you’d have of any business SaaS package, and deliver VPN functionality in a way businesses are set up to consume.

Conclusion

Ensuring that your data remains safe on disks, in transit, while it’s being worked on and in communications isn’t something you can fix with one tool. 

Businesses have fundamentally, irrevocably handed control of their data to their employees, in the same way that they have handed control of their sales and marketing functions to their customers. Putting the toothpaste back in the tube isn’t an option, and neither is any solution that relies on acting like it’s still in there. 

Instead, businesses need to give their employees the tools to easily manage their own security.

 

 

 

Joel Levy
About Joel Levy 1939 Articles
Editor-In-Chief at Toronto Guardian. Photographer and Writer for Toronto Guardian and Joel Levy Photography