When BYOD Also Means Bring-Your-Own-Cyber Risk

Bring Your Own Device (BYOD) used to be an emerging trend in the workplace, one that allowed professionals a bit more flexibility and comfort by using their personal computers and phones to conduct business.

Today, BYOD is largely the norm in a work-from-home setting as employees left their office devices in the midst of the pandemic. With long-term remote working policies becoming more commonplace, the enterprise is facing a new age of security threats — and the most heavily-regulated industries may be the most vulnerable.

Steve Mancini, chief information security officer at enterprise device security firm Eclypsium, recently told PYMNTS about the strategies attackers use to steal company cash from employees working from home. Relying on pre-COVID device and employee security policies is no longer sufficient to protect the enterprise or its money, he said.

The BYOD Risk

The sudden migration of professionals out of the office was a shock to many enterprise systems.

“The rapid redeployment of staff to a predominately remote workforce caught many companies off-guard,” said Mancini, adding that this shift has profound implications for the security of enterprise devices.

In a traditional office work environment, professionals’ devices are kept on company property, with organizations retaining more control over computers, phones and other equipment. Security control frameworks are usually built around this office setting and on the assumption that, in the event of a security compromise, internal controls and a hands-on response will be possible.

Not necessarily so, now that so many professionals are outside of the office.

“Attackers can now initiate attacks with some degree of confidence that devices they compromise will cohabitate with devices not controlled by the organization,” explained Mancini.

In addition to potentially having greater access to non-corporate devices to infiltrate company networks, attackers are also exploiting some shifting behaviors that result from a remote work setting. For instance, many professionals’ devices are always on and always connected, Mancini said. Sending confidential information to personal printers or local storage is another trend causing security headaches.

According to Mancini, some of the most heavily regulated sectors, including finance, healthcare and government, may be the most vulnerable to this new level of risk exposure. Regulatory compliance efforts have led organizations in these sectors to establish rigid procedural and technical controls, he explained.

Adjusting controls to address work-from-home settings became more difficult and, he said, “entire segments of the industry were caught unprepared to migrate from predominantly nonmobile desktops to full remote.” It became an increasingly painful process to update security procedures from legacy, on-premise paradigms, particularly as firms had to act fast when deciding whether to purchase new devices for remote-working employees or entrust them to work on their personal devices.

Understanding Attacker Strategy

Understanding how attackers leverage vulnerabilities in a remote setting is a critical step to combating the risk.

Business email compromise attacks are on the rise, for example, with hackers now able to infiltrate employee email accounts or take advantage of the fact that professionals can no longer simply walk down the hall to confirm that a request for payment has come from a legitimate executive within the company.

But perhaps the largest vulnerability when it comes to company devices today appears in the process of updating those devices.

“This could be through man-in-the-middle attacks on update procedures, forcing updates from malign sources, or compromising content offered through software marketplaces,” Mancini said. “As with most attacks, the lower in the device stack you can introduce these attacks, the greater the impact, and the less likely you will be detected — and the longer you will persist.”

Luckily, awareness of security threats is on the rise. An understanding of third- and fourth-party risk exposures has significantly matured in recent years, for example, according to Mancini.

Even so, rebuilding a security strategy to address the needs of both on-premise devices and devices in use by professionals working from home is no walk in the park.

Eclypsium recently secured $13 million in funding from investors at CV8 Ventures, TransLink Capital, Mindset Ventures, Alumni Ventures Group and Ridgeline Partners, while existing backers Intel Capital, Madrona Venture Group, Andreessen Horowitz and Ubiquity Ventures also participated.

While the new funding will help the company better prepare its enterprise clients for the work-from-home environment, Mancini said it has already positioned itself to address those unique needs by focusing on integration with distributed workflows and expanding support to monitor network appliances, “which became a major attack target due to the shift to remote work.”

As the company grows, organizations will be pressed to elevate their understanding of these security risks. With remote working and BYOD, the challenges can be overwhelming, but not insurmountable.

“Mitigating the risk of BYOD is challenged by authority, visibility and control,” said Mancini. “The best approach is to consider these three areas and build a strategy to reestablish technical and procedural controls as close to those for organization-provisioned devices.”

“As with all risk,” he continued, “there is no silver bullet, and there is no finish line.”