How to discuss cybersecurity with your employees? Use BYOD!

In the field of security, it is well known that there is always a weak link, and that it is often the end user. For a long time, cybersecurity portrayed this weak link as an innocent hand plugging an external USB drive into a computer connected to sensitive data. This time is far behind us. Nowadays the consumerization of ICT products has pushed employees to use their personal devices in a professional environment. The BYOD trend is now a reality that can be a threat as well as a benefit, depending on how it is managed.

But what is BYOD exactly? The acronym stands for Bring Your Own Device and means that employees of a company are given permission to work, and thus access their company’s data, with their own computers, tablets or cell phones. This trend has been normalized in recent years due to the decline in the price of technology devices, their increased capacity and their adoption by a growing segment of the population. In addition, both employers and employees find it in their interest, despite obvious security risks.

59% of companies allow their employees to use their own electronic devices at work. This figure rises to 71% for small businesses according to a TechPro study.

The direct benefits of BYOD lie in the gain of flexibility and productivity for employees and an economic advantage for SMEs, with private devices being more efficient than those provided by the IT department. Since employees are often more attentive to their personal data, using the same device in their private and professional lives is an incentive to become more involved in applying cybersecurity best practices.

Key points

To take advantage of BYOD while avoiding the associated threats, it is important to have a clear view of the following points:

Identity and access management (IAM)

  • This includes the way passwords are generated and protected. One of the most effective solutions is to adopt a password manager.
  • Some users have already adopted fingerprint or face scan technology to unlock their device, but they need to check the quality of the underlying technology. Some software contains significant flaws and cannot tell the difference between an image and a real face.
  • To ensure that the highest standards are met, it is possible to add two-factor authentication for all sensitive data or for the device itself.

Encryption

Encrypting all data is the best way to ensure that most information stays safe, even if the device is stolen or if someone penetrates the company’s network.

This technology can be directly implemented in the device by the manufacturer or can be purchased from a private company that also provides customer service and regular updates.

Mobile device management (MDM)

  • Once a mobile device becomes a professional tool, the IT department has to apply the same standards as for other devices connected to the company’s network, covering applications and configurations, corporate policies and certificates, and backend infrastructure.
  • The various applications that are used in a private environment have to be checked, as they could become a threat to the company’s data. Some free applications (social media, games, …) include in their privacy policy the right to scan all or part of the content contained in the phone.
  • With free Wi-Fi provided everywhere, telecommuters could be connected to highly insecure networks, such as those in airports. In order to ensure a direct connection to the data needed to work without putting the company at risk, it is necessary to include a VPN solution on all devices.
  • Users need a simple solution to back up their professional data so that it remains available at any time. This can be done directly through a connection to a secure cloud solution or to the company’s hard drives at given times.
  • A remote wipe solution is a good addition to a backup solution. It allows the IT department to remotely wipe, lock, or locate the device at any time to be sure that the data remains safe.

The most important factor in any cybersecurity strategy is always the human being.

They already talked about that

Even when best practices and rules are written in golden letters, they will not be applied if employees do not feel concerned. Ludivine Martin, a researcher at LISER, Luxembourg, and CREM, France, has shown that the use of innovative work practices is an important incentive for employee motivation. It is therefore imperative to make it clear to all employees that the use of private devices in a business environment is an advantage that comes with specific responsibilities on both sides.

BYOD is a growing trend that CASES already addressed in an article released in 201X. Since this publication, the benefits and threats have changed slightly due to the consumption of ICT by individuals and the industry. However, once a clear strategy has been developed by the IT department with the support of company management, employee adoption of rules and best practices is not too complicated. BYOD then becomes an opportunity to engage everyone in a more optimistic perspective of cybersecurity and a way to raise standards.

CASES expert voice

“The most important point with BYOD is to consider the overall situation to anticipate any incidents that may occur. Here are some tips for doing this:

  • Hold regular information security awareness sessions that cover, among other things, this theme.
  • Define the types of information allowed on personal devices based on the classification of the data and the actual needs of the business.
  • Integrate BYOD into risk analysis without neglecting applications that can be a source of information leakage, such as cloud applications that enable fast file sharing.”
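
The key points above (device protection, encryption, MDM enrolment, VPN, remote wipe, application checks) and the expert's tip about tying allowed information to data classification can be combined into a single access decision. The sketch below is an added example, not code from CASES or from any MDM product; the classification levels, control names and sample devices are assumptions made for illustration.

```python
from dataclasses import dataclass

# Controls a personal device must report for each data classification.
# Control names follow the article's key points; the levels and the mapping
# are assumptions made for this example.
REQUIRED = {
    "public": set(),
    "internal": {"screen_lock", "disk_encrypted", "mdm_enrolled"},
    "confidential": {"screen_lock", "disk_encrypted", "mdm_enrolled",
                     "remote_wipe", "vpn_active", "two_factor"},
}
FORBIDDEN_ON_BYOD = {"secret"}  # never stored on a personal device


@dataclass
class Device:
    owner: str
    controls: set              # posture reported by a hypothetical MDM agent
    flagged_apps: tuple = ()   # installed apps not approved by IT


def decide(device, classification):
    """Return (allowed, reasons) for one request to open classified data."""
    if classification in FORBIDDEN_ON_BYOD:
        return False, [f"{classification} data is not allowed on personal devices"]
    if classification not in REQUIRED:
        return False, [f"unknown classification: {classification}"]  # fail closed
    missing = sorted(REQUIRED[classification] - device.controls)
    reasons = [f"missing control: {c}" for c in missing]
    if classification != "public":  # unvetted apps matter once data is non-public
        reasons += [f"unapproved app: {a}" for a in device.flagged_apps]
    return not reasons, reasons


# Constructed sample inventory (not real devices).
ALICE = Device("alice", set(REQUIRED["confidential"]))
BOB = Device("bob", {"screen_lock", "disk_encrypted", "mdm_enrolled"},
             flagged_apps=("free-game",))

if __name__ == "__main__":
    for dev in (ALICE, BOB):
        for level in ("public", "internal", "confidential", "secret"):
            allowed, why = decide(dev, level)
            print(f"{dev.owner:6} {level:13} {'ALLOW' if allowed else 'DENY'} {why}")
```

Returning the reasons alongside the decision lets the IT department tell an employee exactly which control to enable, which supports the awareness goal of the article.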
