Bring Your Own Device (BYOD)


BYOD allows access to company networks using personal devices. It enables employees to use their mobile phones, personal laptops, or home desktops to conduct business activity and work-related tasks. The recent increase in remote and hybrid working arrangements has resulted in a significant increase in the use of BYOD.

Vulnerabilities with BYOD

An increased risk of data breaches: Personal devices might lack strong security measures such as encryption, malware protection, or connection to a secure network. Consequently, the device may become a prime target for cybercriminals.

An increased risk of employee privacy concerns: Adding security tools to employees’ devices may require granting administrative access which could allow your business or service provider access to personal data on the device. This may include sensitive information like financial statements or images of identity documents.

Before BYOD is implemented as a business practice, it is important that a clear and comprehensive policy is created, and provided to employees, to outline expected practices.

Actions to Consider

Network security: Working remotely allows employees to work from a variety of locations and networks. Flexible working locations may, however, result in employees using unsecured, public networks. Adopting a virtual private network (VPN) can be a solution, so that employees can secure their networks whilst working remotely.

Ensuring regular software updates: Distribute software patches and ensure each employee installs them to address new software security vulnerabilities. These are released by developers on a regular basis. It is important to note that patches are only useful if they are installed, so mechanisms need to be established to ensure this happens. One unpatched device can put the whole business at risk. For more information about software patches, please see the IDCARE Understanding Patching fact sheet.

Authenticate devices: Employees may use multiple devices to connect to the workplace network. Multifactor Authentication (MFA) can ensure only authorised devices gain access. MFA should be used in conjunction with other practices, including avoiding opening unknown attachments and clicking on links, unless verified.  

Data confidentiality: Ensure sensitive company data is never downloaded and saved on the employee’s personal device. Instead, ensure data remains stored in a central location, for example Microsoft SharePoint, where it can be accessed by employees with the relevant authorisation.

Provide security management software: Your business network and the devices attached to it all rely on each other to be safe. Many organisations provide Mobile Device Management (MDM) software for each employee. MDMs control what apps and websites are accessed on personal mobile devices. An MDM can quickly detect and resolve device malfunctions, security threats and data risks. However, employees may be concerned about their own data and any restrictions put on their personal devices. A Unified Endpoint Management (UEM) system can be used as an alternative. It can also manage PCs and wearable devices, among others, and contains features for maintaining employee privacy.

Password managers: Ensure that employees adhere to good password practices. Consider providing a trustworthy password manager to employees. For more information about password managers, please see the IDCARE Password Managers fact sheet.

Disclaimer

Identity Care Australia & New Zealand Ltd (IDCARE) provides identity and cyber security incident response services (the Services) in accordance with the following disclaimer of service:

  • IDCARE is Australia and New Zealand’s national identity and cyber incident community support service. IDCARE is a not-for-profit and registered Australian charity.
  • The Services provided do not constitute legal advice. IDCARE recommends that you consult your own legal counsel in relation to your legal rights and obligations, including but not limited to your legal rights or obligations under Australian and international privacy and data protection laws.
  • While every effort has been made to ensure the accuracy of the content provided, to the maximum extent permitted by law all conditions, terms, representations, and warranties (in each case, whether express or implied) in connection with the provision of the Services which might otherwise be binding upon IDCARE are excluded.
  • IDCARE’S liability for any loss or damage suffered by any person or organisation (including, without limitation, any direct, indirect or consequential loss or damage) arising out of or in connection with the Services (including without limited liability for any negligent act or omission, or statement, representation or misrepresentation of any officers, employees, agents, contractors or consultants of IDCARE) shall be limited to the fees paid by you to IDCARE in respect of the Services. For the avoidance of doubt, this limitation of liability extends to any liability arising from any actions performed or not performed as a result of any recommendations made in the course of providing the Services.
  • If you would like to provide feedback please use our Feedback Form.
