How to Discuss Cybersecurity with Your Employees? Use BYOD!
In the field of security, it is well known that there is always a weak link, which is often the end user. For a long time, this was portrayed in cybersecurity by an innocent hand plugging an external USB drive into a computer connected to sensitive data. That time is far behind us. Nowadays, the consumerisation of ICT products has pushed employees to use their personal devices in a professional environment. The BYOD trend is now a reality that can be a threat as well as a benefit, depending on how it is managed.
But what is BYOD exactly? The acronym stands for Bring Your Own Device and means that employees of a company are given permission to work, and thus access their company’s data, with their own computers, tablets, or mobile phones. This trend has been normalised in recent years due to the decline in the price of technology devices, their increased capacity, and their adoption by a growing segment of the population. Both employers and employees also find it in their interest, despite obvious security risks.
Fifty-nine percent of companies allow their employees to use their own electronic devices at work. This figure rises to 71% for small businesses according to a TechPro study.
The direct benefits of BYOD are greater flexibility and productivity for employees and economic advantages for SMEs, with private devices being more efficient than those provided by the IT department. Considering that employees are often more attentive to their personal data, using the same device in their private and professional lives is an incentive to become more involved in applying cybersecurity best practices.
Key Points
To take advantage of BYOD while avoiding the associated threats, it is important to have a clear view of the following points:
Identity access management (IAM)
- This includes how passwords are generated and protected. One of the most effective solutions is to adopt a password manager.
- Some users have already adopted fingerprint or face scan technology to unlock their device, but they need to check the quality of the underlying technology. Some applications contain significant flaws and cannot tell the difference between an image and the real face.
- To ensure that the highest standards are met, two-factor authentication can be required for all sensitive data or for the device itself.
Encryption
Encrypting all data is the best way to ensure that most information stays safe, even if the device is stolen or if someone penetrates the company’s network.
This technology can be directly implemented in the device by the manufacturer or can be purchased from a private company that also provides customer service and regular updates.
Mobile Device Management (MDM)
- Once a mobile device becomes a professional tool, the IT department has to apply the same standards as for other devices connected to the company’s network, covering applications and configurations, corporate policies and certificates, and backend infrastructure.
- Various applications that are used in a private environment have to be checked as they could become a threat to the company’s data. Some free applications (social media, games…) include in their privacy policy the right to scan all or part of the content contained in the phone.
- With free Wi-Fi provided everywhere, telecommuters could be connected to highly insecure networks, such as those in airports. To ensure a direct connection to the data needed to work without putting the company at risk, it is necessary to include a VPN solution on all devices.
- Users need a simple way to back up their professional data so that it remains available at any time. This could be done directly through a connection to a secure cloud solution or to the company’s hard drives at a given time.
- A remote wipe solution is a good complement to a backup solution: it allows the IT department to remotely wipe, lock, or locate the device at any time to be sure that data remain safe.
The most important factor in any cybersecurity strategy is always a human being.
They Have Already Talked About That
Although best practices and rules are written in golden letters, they will not be applied if employees do not feel concerned. Ludivine Martin, a researcher at LISER, Luxembourg, and CREM, France, has shown that the use of innovative work practices is an important incentive for employee motivation. It is, therefore, imperative to make it clear to all employees that the use of private devices in a business environment is an advantage associated with specific responsibilities on both sides.
BYOD is a growing trend that has already been addressed by NC3 in an article released in 2014. Since that publication, the benefits and threats have changed slightly due to the consumption of ICT by individuals and the industry. However, once a clear strategy has been developed by the IT department with the support of the company’s management, employee adoption of rules and best practices is not too complicated. BYOD then becomes an opportunity to engage everyone in a more optimistic perspective of cybersecurity and a way to raise standards.
NC3 Expert Voice
‘The most important point with BYOD is to consider the overall situation to anticipate any incidents that may occur. Here are some tips for doing this:
- Hold regular information security awareness sessions that cover, among other things, this theme.
- Define the types of information allowed on personal devices based on the classification of the data and the actual needs of the business.
- Integrate BYOD into risk analysis without neglecting applications that can be a source of information leakage, such as cloud applications that enable fast file sharing.’