BYOD security warning: You can’t do everything securely with just personal devices

Remote working has become far more commonplace over the past year but even as some employees start returning to the office, businesses must be aware that there should be limitations to staff using their own laptops and other devices inside a corporate environment. 

Bring Your Own Device (BYOD) brings many benefits, but the National Cyber Security Centre (NCSC) has detailed certain situations where it should never be considered due to the potential cybersecurity risks it could cause. 

“You cannot do all your organisation’s functions securely with just BYOD, no matter how well your solution may be configured,” say new guidelines from the NCSC.

“If you’ve given BYOD users admin access to company resources, revoke that access immediately,” NCSC said.

SEE: A winning strategy for cybersecurity (ZDNet special report)

If a personal device gets compromised by cyber criminals, they could use that admin access to gain access to critical systems and functions via the use of legitimate administration tools. That could allow cyber attackers to steal data, lay the foundations for a ransomware attack and other malware campaigns. 

“Existing BYOD deployments need review. Potentially, you need to undo some of those quick-fixes and start afresh,” the agency said.

BYOD is the idea of allowing employees to use their personally owned devices for work and it can be a complex topic as increasingly we all use personal devices for everything from answering emails to managing critical services and hardware. 

While the same or similar devices are also issued by businesses, a personal device is configured differently to a corporate device, which can make things more complicated – and lead to additional security risks.

When the COVID-19 pandemic first started and many organisations and their employees suddenly had to adapt to working from home, the main concern was just ensuring that people could continue to do their jobs – in some cases, with employees using their own laptops in order to do so. 

But if businesses haven’t done so already, it’s time to think about what can and can’t be done with BYOD devices in order to ensure that employees are productive, but are also secure.  

“This ‘just make it work’ mentality is entirely understandable, but the time has come to deal with those wounds,” the NCSC said.

SEE: Ransomware attackers targeted this company. Then defenders discovered something curious

The level of access and trust BYOD devices have depends on the organisation and the role of the user, but some things all businesses need to consider when making this decision are what employees need to do, what employees need from a device, and what needs to be done in order to ensure the security and privacy of corporate data on their personal device.  

It’s a complex issue, but NCSC advises that in order to get the best results, organisations shouldn’t rush into any decisions. 

MORE ON CYBERSECURITY

• Digital transformation is creating new security risks, and businesses can’t keep up
• These systems are facing billions of attacks every month as hackers try to guess passwords
• Best antivirus software for 2021
• NSA, CISA partner for guide on safe VPNs amid widespread exploitation by nation-states
• Unsecured servers and cloud services: How remote work has increased the attack surface that hackers can target