In many companies, personal devices are routinely used to solve business problems – from calls made on a personal phone to a personal laptop connected to the corporate network. This arrangement appears to benefit everyone, especially in small companies: the employee works on a familiar device, and the company saves money by not purchasing equipment at its own expense. However, it is also a huge cyber risk for the business.
Personal Devices at Work – This is a Normal Practice
The number of organizations applying Bring Your Own Device (BYOD) policies has increased over the past few years. According to last year's study, commissioned by Samsung from Oxford Economics, mobile devices are an integral part of the business processes of 75% of companies. However, only 17% of employers prefer to supply their entire staff with corporate phones. The rest allow, to one degree or another, the use of personal devices for work, even without VPN protection.
Should I Entrust the Protection of Personal Devices to Their Owners?
While corporate servers and workstations are, as a rule, reliably protected, the personal laptops, smartphones and tablets of managers and employees are far from always the responsibility of the organization's information security specialists. It is assumed that the security of personal devices is the responsibility of their owners.
But as long as employees look after the security of their devices themselves, those devices remain a convenient target for a cyber attack. This is not mere speculation: incidents involving the theft or hacking of personal gadgets occur constantly. Here are just a couple of striking examples.
In June last year, the University of Michigan Medical Center reported a possible leak of the data of 870 patients. The cause was the loss of a personal laptop belonging to one of the clinic staff: unidentified men stole a bag containing the device from his car. The laptop held copies of data needed for research: names, dates of birth, gender, diagnoses and other information about the treatment of the medical center's patients. The data sets differed from project to project, but all of them contained confidential information.
Hacking a Desktop PC
While in the medical center case there is no information on whether the attackers used the data from the stolen laptop, the customers of the South Korean cryptocurrency exchange Bithumb are in no such doubt. The criminals hacked into an employee's home computer and, through it, extracted information about the wallets of 32 thousand users of the service. As a result, fraudsters managed to withdraw hundreds of thousands of dollars from the accounts of Bithumb clients.
The exchange promised to compensate the victims at its own expense; however, customers still filed a lawsuit against Bithumb over the disclosure of personal information and the related financial losses.
BYOD and Security Policy
It is not enough simply to allow employees to use their own devices and assume that you have thereby adopted a policy on the use of personal devices at work. By accepting the use of personal phones or laptops to store and process work information, you accept certain risks. To reduce the likelihood of financial and reputational damage, it is worth following a number of recommendations:
- Employees must understand what they risk when using personal devices at work. It makes sense to raise their awareness of modern cyber threats so that they understand simple cybersecurity principles and, at the least, get a secure DNS server and know how to use it.
- All gadgets that have access to corporate networks and data must have a protective solution installed. Ideally, it should be managed by a corporate administrator and used together with VPN services. If this is not possible, recommend that employees install at least a VPN protective solution. Granting access to devices without protection is not recommended.