Introduction
Nearly half of UK businesses and almost two thirds of charities say that their staff regularly use personal devices for work, for example using their own laptops to access their employer’s network (Cyber Security Breaches Survey 2022).
Bringing your own device (“BYOD”) is often seen as a convenient and cost-effective way to embrace remote working, and it helped many businesses to function during COVID-19. But it can expose your organisation’s network and data, making you more vulnerable to attackers. Your IT security is only as strong as its weakest link, and an employee’s personal laptop is rarely maintained to the same security standards as your corporate devices. To avoid the expense and negative publicity surrounding data breaches and network attacks, businesses and charities need to secure their data and IT.
So how can organisations embrace flexible working without exposing themselves to additional security risks?
The problem with personal devices – BYOD cybersecurity challenges
Personal devices are not managed by the organisation and typically do not meet the same security standards as corporate devices that are maintained by an IT professional. They may be running out-of-date software (including the operating system) and may be missing antivirus software. They are less likely to be password protected and more likely to be shared between family members.
In addition to work-related software, personal devices often run a variety of programs for leisure and entertainment and are used to visit a wide range of websites. Employees who are away from their usual trusted wireless networks may unknowingly connect to a malicious network, for example if their device is set to connect automatically or if an attacker’s network has a name that sounds legitimate (a so-called “evil twin” hotspot carrying the name of a trusted provider such as a shop or telecoms company). All this leaves personal devices more exposed to phishing attacks and malware, which can then be carried into the company network when the user connects.
An easy way in for hackers
This vulnerability in a company’s cyber security is being exploited by attackers who target user-owned devices as an easy way to get to an organisation.
“Most human-operated ransomware attacks attempt to compromise or gain access to unmanaged or bring-your-own devices (personal devices used to access work-related systems and information). These typically have fewer security controls and defences. We have observed that 80 to 90 percent of all compromises originate from unmanaged devices. Ransomware operators are also increasingly exploiting vulnerabilities in less common software, making it more difficult to predict and defend against their attacks. This reinforces the importance of a holistic security approach.” (Microsoft Digital Defense Report 2023)
With cyber attacks increasing in number and sophistication, it is imperative that organisations plug the security gaps created by unmanaged devices.
Small and medium organisations are most at risk, and charities are particularly vulnerable
“[T]he primary victims of ransomware attacks this year were small and medium size organizations. Between July and September 2022, around 70 percent of organizations encountering human-operated ransomware had fewer than 500 employees.” (Microsoft Digital Defense Report 2023)
Charities are particularly vulnerable to cyber attack, partly because of limited resources invested into cybersecurity, a higher proportion of part-time staff, and greater reliance on personal devices, according to the NCSC Cyber threat report: UK charity sector. The negative impact of a cyber attack on a charity can be particularly high due to limited funds and a lack of insurance.
How safe is your data?
When a personal device with access to the organisation’s confidential data is compromised (e.g. by a virus or malware), that data is at risk. But that isn’t the only way that employee-owned devices can leave company data exposed.
Data saved to a laptop’s hard drive could be accessed by other users (such as family members) who share the device.
When the computer is disposed of (by being sold or given away), or is lost or stolen, the organisation has no opportunity to wipe the device as it would with a corporate machine, so any work data left on the disk could be accessed by third parties.
If an employee or trustee emails organisation documents or information to themselves (e.g. to read at home), the risk of a data breach is increased. If their personal email account is breached, the organisation’s data will be exposed.
It is important to remember that the organisation, as data controller (not the device owner), is legally responsible for protecting any personal data covered by the UK GDPR and the Data Protection Act 2018. The Information Commissioner can impose hefty fines for serious data breaches.
The expensive and disruptive consequences of a breach
Organisations that experience breaches can suffer a variety and combination of negative consequences. “Temporary loss of access to files or networks, disruption to websites, applications or online services and software or systems being corrupted or damaged are the most commonly reported outcomes” (Cyber Security Breaches Survey 2022). Other possible problems include the theft or destruction of confidential information, damage to physical devices, loss of money (either by theft or when paid as a ransom) and compromised company accounts/systems being used for illicit purposes.
“The average (mean) annual cost of cyber crime for businesses is estimated at approximately £15,300 per victim.” (Cyber Security Breaches Survey 2023)
Cyber security breaches are an expense that businesses could do without, costing time and money, but for many organisations the biggest worry is the impact on their reputation.
“Organisations were very concerned about the damage that a ransomware attack could do to their reputation, which some believed was worse than the cost of the attack itself.” (Cyber Security Breaches Survey 2022)
“Even breaches that do not result in negative financial consequences or data loss can still have an impact on organisations” (Cyber Security Breaches Survey 2022) for example, if resources are diverted to deal with the breach, if staff are unable to work, if business activities are paused, or if customers are negatively affected.
Reducing your exposure to risk – some safer ways to enable flexible working
Due to the risks involved and the potential high costs (in time, in money and to reputation), we recommend that organisations avoid the use of personal devices wherever possible.
Company-issued devices are generally the most secure option, so consider giving the employee or volunteer a computer owned and managed by the organisation (and used exclusively for work).
If that is not practical (e.g. due to the costs involved), there are a number of ways to limit the risks:
The personal device could be enrolled in the organisation’s device management, so that it receives the same patching, encryption and antivirus requirements as a corporate machine. Full device management addresses many of the security concerns with BYOD but is unlikely to be acceptable to the user, as it erodes many of the perceived benefits of using their own device and gives the organisation visibility of a personal device. It requires delicate balancing of corporate security and personal privacy and freedoms.
Microsoft’s Azure Virtual Desktop provides a cloud-based desktop for remote working. It is accessible from personal devices, but the work applications run, and the work data lives, on the cloud-hosted desktop rather than on the user’s own disk, and sign-in can be restricted to authorised users and devices. It keeps work and personal files and programs separated, while still allowing the flexibility of remote working on a user’s own equipment.
If these solutions cannot be implemented, it is vital that the organisation limits the systems and data that personal devices can access. Microsoft Intune app protection policies can control which applications may open organisation data on a personal device and prevent that data being copied into personal apps, without enrolling the whole device. Users should only be given access to the applications and data that are necessary for their work, and only allowed to operate in accordance with the organisation’s cyber security policy.
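Before limiting what personal devices can reach, it helps to know which of them are already reaching sensitive systems. The script below is an added example, not code from the original article or from any Microsoft product: it reads an exported sign-in log and lists successful sign-ins to sensitive applications from devices that are neither managed nor compliant. The records, user names and application names are constructed for illustration, and the field layout (`deviceDetail.isManaged`, `isCompliant`, `trustType`, `status.errorCode`) is an assumption modelled on the shape of Microsoft Entra ID sign-in exports; adjust it to match whatever your identity provider produces.

```python
import json

# Apps whose data should only be reached from devices the organisation controls.
# The names are illustrative assumptions, not a fixed list.
SENSITIVE_APPS = {"SharePoint Online", "Finance System"}

# Constructed sample records (not real sign-in data). The field names follow the
# shape of Microsoft Entra ID sign-in log exports; other providers differ.
SAMPLE_SIGNINS = json.dumps([
    {"userPrincipalName": "alice@example.org", "appDisplayName": "SharePoint Online",
     "status": {"errorCode": 0},
     "deviceDetail": {"deviceId": "a1", "isManaged": True, "isCompliant": True,
                      "trustType": "Azure AD joined", "operatingSystem": "Windows 11"}},
    {"userPrincipalName": "bob@example.org", "appDisplayName": "SharePoint Online",
     "status": {"errorCode": 0},
     "deviceDetail": {"deviceId": "", "isManaged": False, "isCompliant": False,
                      "trustType": "", "operatingSystem": "Windows 10"}},
    {"userPrincipalName": "carol@example.org", "appDisplayName": "Finance System",
     "status": {"errorCode": 0}},                      # no deviceDetail at all
    {"userPrincipalName": "dave@example.org", "appDisplayName": "Finance System",
     "status": {"errorCode": 50126},                   # failed sign-in
     "deviceDetail": {"deviceId": "", "isManaged": False, "isCompliant": False,
                      "trustType": "", "operatingSystem": "MacOs"}},
    {"userPrincipalName": "bob@example.org", "appDisplayName": "Office 365 Exchange Online",
     "status": {"errorCode": 0},
     "deviceDetail": {"deviceId": "", "isManaged": False, "isCompliant": False,
                      "trustType": "", "operatingSystem": "Android"}},
    {"userPrincipalName": "erin@example.org", "appDisplayName": "Finance System",
     "status": {"errorCode": 0},
     "deviceDetail": {"deviceId": "e5", "isManaged": True, "isCompliant": False,
                      "trustType": "Azure AD registered", "operatingSystem": "iOS"}},
])


def load_signins(raw_json):
    """Parse an exported sign-in log (a JSON array of records)."""
    return json.loads(raw_json)


def device_posture(record):
    """Return (managed, compliant) for one record.

    A record with no deviceDetail, or with the flags absent, is treated as
    unmanaged and non-compliant: an unknown device is the BYOD case, not a
    trusted one.
    """
    detail = record.get("deviceDetail") or {}
    return bool(detail.get("isManaged", False)), bool(detail.get("isCompliant", False))


def find_unmanaged_access(records, sensitive_apps=SENSITIVE_APPS, require_compliant=False):
    """Return successful sign-ins to a sensitive app from a device that fails the
    posture check.

    With require_compliant=False a device passes if it is managed or compliant.
    With require_compliant=True it must be compliant (the equivalent of a
    'require compliant device' access rule), so an enrolled device that has
    fallen out of compliance is flagged as well.
    """
    findings = []
    for rec in records:
        # A missing status is treated as a failure so it cannot create a finding.
        if rec.get("status", {}).get("errorCode", 1) != 0:
            continue  # failed sign-ins never reached the data
        if rec.get("appDisplayName") not in sensitive_apps:
            continue
        managed, compliant = device_posture(rec)
        passes = compliant if require_compliant else (managed or compliant)
        if not passes:
            findings.append({"user": rec.get("userPrincipalName", "<unknown>"),
                             "app": rec["appDisplayName"],
                             "managed": managed, "compliant": compliant})
    return findings


def summarise_by_user(findings):
    """Group findings into {user: set of sensitive apps reached from unmanaged devices}."""
    summary = {}
    for f in findings:
        summary.setdefault(f["user"], set()).add(f["app"])
    return summary


if __name__ == "__main__":
    records = load_signins(SAMPLE_SIGNINS)
    for user, apps in sorted(summarise_by_user(find_unmanaged_access(records)).items()):
        print(f"{user}: {', '.join(sorted(apps))}")
```

Run against the constructed sample, the default check reports bob (SharePoint Online) and carol (Finance System, no device record at all); dave’s failed sign-in and bob’s access to a non-sensitive app are ignored. Switching on `require_compliant` additionally reports erin, whose enrolled device is not compliant. The users on that list are the ones to move onto a managed device, a virtual desktop, or app protection policies first.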
Flexible working supported by good cybersecurity practices
It’s easy to overlook the dangers of personal devices accessing your network, but the repercussions can be expensive and professionally damaging. With cybercriminals using increasingly sophisticated tactics, it’s more important than ever to assess the risks and take effective action to limit exposure.
Businesses and charities need to be aware of all devices accessing their data and networks and ensure that they have appropriate controls and processes in place. Organisations can then provide more flexible working options to their staff without taking additional risks.
If you want to improve your organisation’s security while supporting remote working, contact us to discuss your options.