Download
Click Here to Download
Thank you!
Let us know how we can continue to help.
Follow us on LinkedIn
Oops! Something went wrong while submitting the form.

The Issue with BYOD

September 11, 2023
Jason Kor

Lots of companies allow the workforce to use personal computers. The bring-your-own-device or BYOD model is appealing because it reduces the IT Operations costs, and it allows employees to use the systems they’re most comfortable with. Unfortunately, BYOD also presents a security risk. Is it worth it? Let’s discuss.

How likely is it that my employee’s computer is compromised?

Left totally unchecked, a company of even moderate size must assume that their employees are working from compromised machines. Criminals have compromised tens of millions of computers for financial crime, botnets, or other nefarious reasons. The US Government’s FBI reports more than 800k annual complaints. One of the leading categories is Tech Support Fraud. Active hacking aside, employees may download and install malware themselves through online marketplaces and forums.

How can an employee’s machine leak data?

Once a personal computer is compromised, an investigator must operate under the assumption that the unauthorized user had access to everything the employee did on that machine. Attempting to prove that the attacker had limited access would be a difficult, if not infeasible, task, given that forensic investigators typically have to review drives from every compromised computer as part of a comprehensive investigation.

  1. Keystrokes: The compromised computer can expose everything typed into the computer. Emails, briefings, memos. Literally everything!
  2. Screen scraping: The compromised computer can expose everything shown on the screen, saving video recordings. More recently, artificial intelligence tools
  3. Exfiltration: Attackers are likely to find sensitive files stored locally and simply export them. They can sync them to online storage solutions or simply remote into the computer and pull whatever they want.

What if the employee doesn’t have sensitive data?

Even if the employee doesn’t see sensitive information, these compromised devices are gateways for cybercriminals to infiltrate the company's network by exploring the environment, discovering other potentially vulnerable machines, or creating malicious software and leaving it for someone with higher privileges to execute.  

Even if the compromised computer didn’t have access to ANY files, file shares, other computers, it still serves as a cyber risk as the attacker can simply misbehave as if they were an employee! One example might be emailing customers telling them they should send payment to a new bank account.

What does the attacker do next?

The attacker’s playbook is simple. Once they pop one machine, they’ll look for others. A company’s computers networked together making it easier to move across the enterprise. Some examples would include emailing malicious files or uploading malware to shared drives.  Ideally, the attacker finds their way into company servers, computers with access to cloud administrator or other higher value targets sensitive.

Who’s going to do that?

Turns out, a lot of people. Your internet connected device is accessible to billions of people. Even one bad apple in a million leaves thousands of motivated and capable threat actors. Although motivations are as diverse as the unmanaged operating systems used by the average consumer, three primary motivations stand out:

  1. Financial incentives: Cybercriminals recognize the potential gains of infiltrating organizational networks. They can steal, commit fraud, or just encrypt the files demanding money for the keys.  
  2. Intellectual property theft: Especially in hypercompetitive industries, unmanaged devices may store valuable proprietary knowledge that attackers can exploit to undermine your company’s competitive advantage.
  3. Ideological motivations: hacktivists and criminal groups leveraging unmanaged computers to further their agendas, be it political, social, or economic. Examples include inflating social media posts or interrupting service for controversial (but legal) services like gun manufacturing or reproductive healthcare.

When has this risk materialized?

Here are a few publicly available examples of the risk associated with unmanaged mobile computers.

Breach Name Description
Morgan Stanley Data Breach (2015) Loss of an unencrypted laptop resulted in a breach, revealing personal and financial data of 15 million customers, and causing severe reputation damage. The laptop appeared for auction online.
Children’s Medical Center of Dallas Data Breach Losses of an unencrypted BlackBerry device and an unattended laptop in 2009 and 2013 exposed the ePHI of thousands, resulting in a $3.2 million penalty.
Feinstein Research Data Breach A laptop theft led to the exposure of ePHI for thousands of patients and participants. Interestingly, the $3.5 million penalty was so strikingly high because management knew about the issue and chose not to add additional safeguards.

What should we do to protect ourselves?

The level of protection depends on your business’ unique situation, including its susceptibility to attacks, position in the marketplace, tolerance for accepting risk and regulatory influence like compliance with FedRAMP or HITRUST.

Good - Access Restriction and Education

Prevent employees from accessing sensitive data and systems. This approach keeps things simple: if employees don't interact directly with sensitive IT, the risk of compromise through their personal devices is minimized. Regularly train employees about risks associated with accessing data.

Better - Zero Trust Architecture

Adopt a zero trust approach where no device or user is inherently trusted. Every access request is fully authenticated, authorized, and encrypted before granting access, ensuring that all interactions with company data and networks follow the principle of "never trust, always verify."

Best - Managed Company Devices with Zero Trust

Equip employees with standardized, monitored, and regularly updated devices. These managed devices, when combined with the zero trust philosophy, offer a robust defense. Managed devices and zero trust architecture work in tandem to amplify security: the inherent safeguards of standardized devices integrate with stringent access controls, establishing a solid defense against potential threats.

Conclusion

BYOD's cost savings and convenience are tempting, but the risk of compromised employee computers is real. Once a personal computer is breached, data leaks are highly likely. We can also be certain that, given enough unmanaged machines, at least one will be breached. Ready to secure your organization? Let our experts guide you to a safer, more efficient future.

About RISCPoint

If you are looking to bolster your organization’s security or achieve compliance, RISCPoint has advanced services tailored to your needs. Our certified cyber security professionals have successfully supported companies across a wide range of industries and sizes, from Fortune 10 to pre-Series A startups. To learn more, visit riscpoint.com/contact or call 1-888-320-1327.

Download

Stay Informed, Stay Secure

Subscribe to our newsletter and get the latest cybersecurity insights, updates, and event invitations delivered straight to your inbox. Join our community and empower your security journey with RISCPoint's expert knowledge.

Thank you! We'll keep you up to date!
Oops! Something went wrong while submitting the form.

Join our newsletter for updates. Terms.

Get ready to harmonize your cybersecurity goals with our team of industry-leading consultants.

Services
Compliance
Public Sector
Risk Management
Cybersecurity
Cloud
Privacy
Industries
Healthcare
Government
Cloud Computing
Software Development
Education
Fintech
Company
Team
Methodology
Partners
Careers
Resources
Posts
Whitepapers
Logo

Copyright ©2024 RISCPoint® . All Rights Reserved. Privacy Policy.

TOP