Security for Employees Using Personal Devices for Work

As personal devices within corporate networks make for a potentially combustible mix, a cavalier approach to BYOD security won’t cut it.

How can employees and organisations mitigate the cyber-risks associated with employee-owned devices and help avoid jeopardising corporate data and the data of their customers? While there is no ‘one size fits all’ solution, a few measures will go a long way to shielding companies from harm.

Reduce the corporate attack surface

Employee use of devices outside of the purview of IT can, particularly if left unchecked, become a major threat to corporate data. In an era where bad actors constantly look for chinks in companies’ armour, limiting the number of such potential entry points is a no-brainer. Importantly, then, organisations need to take inventory of every device accessing their networks, as well as set security standards and configurations that employee devices must meet to ensure a baseline level of protection.

Update software and operating systems

The importance of installing security updates to patch known vulnerabilities in a timely fashion cannot be overstated, as hardly a day goes by without news of discoveries of new vulnerabilities in widely used software. Ensuring that employees work on updated devices is certainly easier when they use company-issued laptops and smartphones and can rely on support from the IT department that stays on top of and installs software updates on their machines soon after they are released. If the task of keeping software on their devices up-to-date does fall to the employees themselves, organisations can, at the very least, be diligent when it comes to reminding their employees that patches are available, providing them with how-to guides for applying the updates, and monitoring progress.

Establish a secure connection

If a remote employee needs to access the organisation’s network, the organisation needs to be aware of this. Remote workers may use not just their home Wi-Fi networks, but also public Wi-Fi networks. In either scenario, a properly configured virtual private network (VPN) that lets remote workers access corporate resources as if they were sitting in the office is an easy way of reducing the organisation’s exposure to weaknesses that could otherwise be exploited by cybercriminals.

Protect crown jewels

Storing confidential corporate data on a personal device clearly poses a risk, especially if the device is lost or stolen and isn’t password-protected and its hard drive isn’t encrypted. Much the same goes for letting someone else use the device. Even if it’s “just” a family member, this practice can still lead to the compromise of the company’s crown jewels, regardless of whether the data is stored locally or, as is common in the work-from-anywhere era, in the cloud. A few simple measures – such as making strong password protection and auto-locking a requirement and teaching employees about the need to prevent anyone else from using the device – will go a long way towards shielding the company’s data from harm.

Secure videoconferencing

Videoconferencing services experienced a boom thanks to the pandemic as all meetings that were originally in-person moved to the virtual world. Organisations should create guidelines for using videoconferencing services, such as which software to use and how to secure the connection. More specifically, it is advisable to use software that comes complete with robust security features, including end-to-end encryption and password protection for calls, that will shield confidential data from prying eyes.

Software and people

Forgoing reputable multilayered security software on devices that have access to corporate systems is a recipe for disaster. Such software – especially if managed by the company’s security or IT team – can save everybody many headaches and, ultimately, time and money. Among other things, this can provide safeguards against the most recent malware threats, secure corporate data even if the device is misplaced and, ultimately, help system administrators keep the devices compliant with the company’s security policies.

Ensuring that devices and data are backed up regularly (and testing the backups) and providing security awareness training to the staff are also essential – the technical controls wouldn’t be complete if employees didn’t understand the heightened risks that come with the use of personal devices for work.

Guest post by ESET Ireland