BYOD and security-minded corporate culture

Monday, February 6th, 2023

BYOD (Bring Your Own Device)

This article discusses how using personal mobile devices for work purposes without proper data security and governance can prove disastrous. We also explain how to approach introducing a BYOD policy to safeguard your corporate data and meet regulatory obligations.

UK government fails to establish security culture

The UK government’s Department of Trade and Industry (DTI) wrote, and the BSI Group published the BS-7799, a British standard, in 1995, making the UK one of the early adopters of information security and privacy.

The UK also published a Computer Misuse Act in 1990. However, despite a record of information security, the UK government, national bodies, and local authorities have a shadowy history of data breaches and leaks. In many cases, government departments and institutions failed to instill a cyber security conscious culture.

Boris Johnson MP

In 2022, details of government breeches and security incidents revealed that Conservative politician and former Prime Minister Liz Truss’s personal phone was hacked, and Home Secretary Suella Braverman used her personal email account for official government business.

Former Conservative Prime Minister Boris Johnson’s mobile was said to have been subject to attacks, on multiple occasions between 2020 and 2021. Boris Johnson’s personal phone number was publicly available on the internet for 15 years, after being listed at the bottom of a 2006 press release. The number has since been changed.

BYOD

The purpose of this article is not to bash the current Conservative administration but to highlight an important failing of corporate data governance. The government’s embarrassing data breaches and security leaks all involved personal devices being used for corporate (government) work, an activity colloquially know as BYOD (Bring/Buy Your Own Device).

BYOD enables employees to use their own devices to access corporate information as part of their job. In some cases, employees will be given the money to buy a device. Allowing employees to use personal devices for work purposes has several advantages for both parties such as enabling flexible working arrangements and saving the employer hardware costs.

Remote working

Today, more people work remotely than ever before. As a result, many employees work on their own personal devices. However, research shows that fewer than half of organisations have a BYOD security policy in place to safeguard work-related data that resides on personal mobiles.

In 2022, research by the Office for National Statistics (ONS) revealed that 8 in 10 employees who had worked from home during the coronavirus pandemic said they planned to continue working remotely at least part of the time (hybrid working).1 Smartphones, tablets and notebook computers are critically important in keeping remote workers productive.

Research suggests smartphones can increase productivity by 34%.2 According to a study by Gartner, over half of employees used their own personal devices and software for work purposes during the pandemic.3 However, less than half the respondents said their employer had a BYOD security policy.

Phones under threat

Each year in the UK, thieves steal approximately 325,000 smartphones.4 According to an article on the Payments Journal website around 20% of people never lock their smartphone.5 Cyber-criminals target mobile phones and tablets.

The threats to mobile devices are both numerous and varied including SMSishing (text phishing), evil-twin network attacks, malicious apps, and greyware (adware and spyware). Additionally, many older smartphones are vulnerable to cyber-attack because they no longer receive vital security updates (known as patches). It’s clear that mobile devices are susceptible to a multitude of threats.6

Whilst BYOD provides many benefits it also brings risks.

  • Personal devices are seldom as secure as corporate ones.
  • An employer has less control over a personal device and associated accounts on the device.
  • There is a high risk of confidential, private, and sensitive data leaking out of the organisation.
  • Unsecured devices can be an attack vector to target individuals, information, and gain unauthorized access to corporate networks.

Beyond basic security

Basic security standards such as the UK National Cyber Security Centre’s (NCSC) Cyber Essentials scheme include the security of BYOD devices if they can access corporate information. That is any corporate information that resides on a BYOD device, not just sensitive or highly confidential information.

Organizations should consider information standards such as Cyber Essentials as the minimum technical standard to secure their information. However, organisations must do more than meet minimum cyber security standards to meet the requirements of regulators and courts, who expect organisations and individuals to show they have taken all reasonable precautions to protect sensitive and personal data.

The importance of a security-minded culture

Securing BYOD requires having the right organizational culture. All BYOD users, from top to bottom, must embrace a security-minded culture and work within it. The recent incidents at Westminster highlight the failure of establishing a security-conscious culture, possibly due to inadequate communication of cyber security and data protection messages or a belief among senior politicians that it does not apply to them. This resulted in negative media coverage, reputational damage, and caused embarrassment to politicians and the government. Such failures undermine the trust of the public and foreign governments. The UK government and its MPs have much work to do to create a secure working environment.

BYOD Controls

An organization can use a range of tools and technologies to manage BYOD.

Mobile Device Management

  • Asset management

Knowing who is using BYOD, the devices, details of operating systems, and what they are using BYOD for.

  • Security awareness training

Ensuring users know the risks and how to reduce the chance of a compromise, so they are aware of the technical and administrative controls, and the consequences of failing to follow them.

  • Administrative controls

Documented controls that users read and agree to abide by. There should be defined consequences for not abiding by the controls.

BYOD policy, acceptable use policy, data classification policy, data management and use policy, BYOD security standard, BYOD operating procedure, etc.

  • Technical Controls

There is a wide range of tools and technologies that can form part of technical controls. The selection of these tools is important to meet the risk appetite of the organization and its security concerns.

Mobile Device Management (MDM)

Controls on the mobile device that manages corporate data separately to personal data. More intrusive to the user’s personal device but allows data to be downloaded to the device and remotely wiped if necessary.

Mobile Application Management (MAM)

Controls on the access of applications that hold corporate data, limit its download to personal devices, less intrusive on the device but prevents users working with data on the device.

Asset management

Asset management is required to identify and record those who are using BYOD. It is often a regulatory requirement to provide records for auditing and to ensure devices are up to date with patches and vendor support. Asset management also allows for targeted security awareness training for those who need it. It is a continuous process with users regularly updating the registry entry about the device and renewing their commitment to protect information and the organization. Audit and renewal of the commitment to adhere to the BYOD policy should be at least annually.

Security awareness training

The company conducts user awareness training to educate users about the risks of using BYOD and how to take precautions. This on-going process of security awareness training requires keeping records of employees who complete the training, which is crucial for the security culture. All staff should participate in the training.

As the last line of defence, users must be informed about their security responsibilities in the face of potential threats. For instance, SIM attacks can hijack mobile phone numbers and accounts, malicious software can compromise them, data can be accidentally sent to the wrong recipient, or uploaded to a cloud service and shared by others.

Administrative controls

Administrative controls are part of the Governance, Risk and Compliance side of an organization. There needs to be clear rules, standards, procedures, and guidelines that outline the expectations of the organisation, its risk profile, and an explanation of why this is important. Additionally, the organization must keep a record to prove that users agreed to abide by the rules and understand what is expected of them for audit purposes. Although these controls are easy to implement, they require users to voluntarily follow them.

Technical controls

Technical controls are the most prescriptive controls. They will frequently block or allow user behaviours based on a set of rules agreed by the organization and documented in its policies, standards, and procedures. A wide selection of tools and technologies are available for deployment, either alone or in combination, to provide technical controls. Broadly they fall into two camps.

Device-based controls
  • Device-based controls are installed on the device and tend to be intrusive by nature. However, they typically divide the phone into two virtual devices. First, a personal device that the organisation should not be able to see or manage. Second, a business device where the organisation can see data, applications and manage the device.

Organizations might use device-based controls to prevent unauthorized access to corporate data. The controls allow the company to remotely wipe data from a phone when a user leaves the organisation, or the device is lost or stolen. They should also keep a record of the device’s operating system status, such as whether it is up to date and security patched.

Non-device controls
  • Non-device controls limit access to the corporate data based on conditional access rules agreed by the organisation. This form of control typically allows users to view and manipulate data in the application, but not on the device itself. The organisation controls the propagation of data without using any tools on the BYOD device, making the controls less transparent when remote users access and manipulate data.

Every organisation who wants to allow BYOD should have a policy in place. The organization should maintain a record of those who have agreed to the policy and are using BYOD devices. Beyond this it is up to each organization based upon its risk appetite to set the controls appropriate to their requirements, in some cases these requirements might be regulatory or set by third parties.

Precautionary steps to safeguard your mobile

Of course, every owner of a mobile device who uses it for work purposes can take some simple, practical steps to reduce the risk of a security incident or data breach.

Below you will find nine actions that you can take to help improve the security of your mobile devices and data:

1. Lock it

Lock your smartphone or tablet to prevent someone else from using it. Set a password, PIN code or swipe pattern. Alternatively, use biometric information such as facial recognition or fingerprint to secure your device.

2. Encryption

Encryption is a method of transforming valuable data into a secret code that only someone with the right key can access. Some apps routinely encrypt information but be sure to check. This helps prevent hackers accessing your data even if they intercept it. For people with an Android device, you can enable encryption via Settings and then the Security tab. If you use an Apple iPhone, it encrypts all data automatically. Of course, encryption only works if you lock your device in the first place.

3. Anti-virus

Hackers use malware to steal data such as passwords and account information from personal devices. To help safeguard data invest in some anti-virus software. Typically, these applications examine anything you try to download or open on your device to make sure it is malware free. It is worth doing some research to find the best anti-virus app for your make and model of device. Many of the most popular anti-virus apps also come with a range of privacy and anti-theft features. Your organization might have pre-approved anti-virus software for BYOD purposes.

4. Find My device

Thieves steal over 180 mobile phones every day in the UK. Whether you lose your device, or someone steals it, it causes major inconvenience and puts your organization’s data at risk. Usually, company-owned devices protect data by using sophisticated mobile device management (MDM) software. Android and Apple provide ‘Find My’ device-tracking applications for personal use. These apps enable you to locate a lost or stolen mobile. They can also stop anyone else using your mobile, erasing all the data from your device, if necessary.

5. Backup

Switching on automatic backup will be a lifesaver if you lose your mobile. Once you have a replacement device you can simply reinstall your apps, settings, and media. However, not all backups are created equal. Different manufacturers and service providers offer different types of backup service. If you use your personal mobile for work, it is likely the organization has a backup solution in place. If not, we strongly recommend you examine the different backup solutions available to ensure you get the best one for your needs.

6. Whitelisting

Deciding what apps to install on your mobile device is something of a judgement call. Some organisations issue whitelists of pre-approved apps regarded as safe for work purposes. Just because an app is available to download from an app store does not mean it is safe to use. In recent years, the Google Play Store and Apple iTunes have been found hosting malicious apps that have infected millions of devices with malware.

7. Permissions

Having downloaded a new app onto your mobile, one of the first things you see is the permissions screen. Typically, people agree to the app permissions without thinking. Permissions allow legitimate apps to function properly. However, permissions can also be used by malicious apps to bypass security, harvest your data, and take control of your device.

You should always check what permissions a new app requires before you install it. If in doubt, do not install the app. You can also change the permissions of an app already installed on your mobile by going to Settings. Talk to your IT support provider before installing apps or adjusting settings when company data resides on your mobile device.

8. Security updates

Cyber security is an arms race between legitimate device manufacturers and software developers and illegal hackers and malicious coders. The moment a new app launches, cyber-criminals will seek to exploit any vulnerabilities they can find in the code. The legitimate developer quickly works to produce a patch to fix the security vulnerability.

You should always install the latest security patches, bug fixes and upgrades immediately. Backup your phone as a precaution before doing a major update. When an organization deploys MDM, it should automatically install operating system upgrades and security patches. If in doubt about updating a device, we recommend you consult your IT support provider for advice.

9. Avoid public Wi-Fi

When working remotely it is always advisable to avoid using public Wi-Fi services. Data carried over a public network is not secure and is easily intercepted by hackers. Instead, use your organization’s VPN (virtual private network). VPN enables you to communicate and share data securely. If VPN is not available, then use your smartphone’s SIM data connection. Whenever you do not need internet access, switch your smartphone to flight mode, which will disable your Wi-Fi, Bluetooth, and SIM mobile data connection.

In summary

Cyber security should be an enabler of the organisation, it should help it to meet its mission statement in a secure way. An organisation should enable BYOD in a secure manner, using a mix of asset management, awareness training, administrative, and technical controls, if it feels that BYOD is appropriate. This minimizes the risks to the organization.

Certainly, it is entirely possible with today’s tools and technologies to introduce BYOD safely. Ideally, security should be transparent to the user; in some cases, this is not possible but with a little effort it should not impede the way an organisation chooses to operate. However, for BYOD to work effectively, harmoniously, and securely both the individual user and organisation must keep to their side of the bargain. The negative news stories that plagued the Conservative administration during 2022 are illustrative of what can happen when users choose to ignore information security precepts.

Learn more about BYOD

Many organisations benefit from BYOD, enjoying reduced costs and increased productivity. However, BYOD comes with security risks and compliance challenges. If you would like to know more about remote working, BYOD, and cybersecurity contact Modern Networks.

Sources:

  1. Ons.gov.uk
  2. Forbes.com
  3. Techradar.com
  4. Ons.gov.uk
  5. Paymentsjournal.com
  6. Which.co.uk

Image of Boris Johnson, MP by Pete Linforth, Pixabay