I am sure it has been said many times before (including in these blogs), but the speed with which the IT sector evolves is incredible. New technologies develop and become the norm within an amazingly short space of time. Remote access to the work environment is one of these. It has only taken a few years for Bring Your Own Device (BYOD) to move from ‘potential’ to common practice. The issue with advancing technology, though, is that those who would take advantage of unsecured systems are also developing their own solutions at a similar rate. Bringing your own device may well be commonplace, but that doesn’t make it any less a risk. In fact, it increases the risk of penetration or security breaches of your systems exponentially.
Working from home (WFH) is something else that has become commonplace recently. Throughout 2020, most of us spent at least some WFH time accessing work systems remotely. If we hadn’t, the various local and national lockdowns would have resulted in considerably more damage to the economy. The rise in BYOD proved to be a saviour for many businesses. However, as useful as the team being able to access the information and systems to work from home is, it is also fraught with danger because any system is only as strong as the weakest link in the chain. It is not a stretch to see how the pandemic resulted in businesses with ultra-secure, encrypted and intrusion proofed systems suddenly having to rely on the security on that old laptop Bill from accounts purchased second hand from a car boot sale a few months ago.
Is it really so important that BYODs are attaching to your IT systems?
The bottom line is that this does really matter. Your internal systems could be as secure as possible, but if you are relying on unchecked devices to process the information, they are vulnerable. It’s like buying the most expensive, unbreakable safe to keep your valuables in and then having a catflap put in the door. Mobile phones, iPads, laptops and home routers, in particular, do not have a high level of security. They are vulnerable to a range of attacks that most managed IT services and secure systems would shrug off. They are often unsecured, or where an attempt to secure them has been made, the security is weak. Out of date virus checking, repeated passwords, zero-day vulnerabilities and routers that haven’t been updated for a long time are basically an open door. There are literally millions of new ‘viruses’ a year being developed for every platform and every operating system. In a recent operation, Israeli surveillance company NSO used their Pegasus software to infiltrate the phones of prominent activists with startling success. After infection by the malware, either by a click trap or even a non-click invisible intrusion, sensitive information, access to microphones and cameras, and the intimate details of the victim’s life was a simple process.
So, there is certainly a risk, but what is the risk, and what can you do about it? One of the most common risks is the one we often consider the least, the threat of device theft. The majority of phones and tablet devices are easily accessed by pretty low-level techniques and sometimes not secured at all. Loss of a device potentially gives the thief access to not only the data on the device but the passwords and access needed to breach other systems. Just as worrying is the access they will have to the email and other communications stored on the device. Work emails contain a wealth of personal information from email addresses to spam through to bank details and background information to facilitate identity theft.
It is scary stuff, but the solution is clear. If you are allowing staff to have BYOD access to your secure systems, then the devices must pass muster as secure environments. If they don’t or can’t meet the grade, then using them is a gamble you may not want to take.
BYOD is commonplace and dangerous, so we all need to be aware of the threats and how to deal with them because the consequences of something like a ransom attack are far-reaching and potentially catastrophic.