By Akshay Bhargava, Chief Product Officer, Malwarebytes
Well before COVID-19 hastened people working from home, users embraced “bring your own device” (BYOD) practices. It created a proliferation of work-connected personal mobile devices that have become a regular part of our workplace fabric. But today, as the workplace has shifted to our homes, employees are now practicing a “use your own device” (UYOD) approach which means even more personal devices are connecting to company networks.
Like BYOD, UYOD, enables employees to be connected to work when they want, and over any device, they have on hand – empowering them with the flexibility and access they need to work, at home. But one concern still prevails: how to ensure proper security protocols are set and stringently followed in order to provide the same level of security that corporate-owned devices bring.
The COVID-19 phenomenon brings personal endpoint device security concerns, once again, to the forefront. Undoubtedly these personal devices come with a wide range of risk: while some diligent employees may fastidiously follow security protocols, others that don’t take cybersecurity threats as seriously will inadvertently expose their devices to bad actors. This uneven security posture comes at a time when research shows the volume of global threats against business endpoints has increased by 13 percent year-over-year. From an increase in enterprise-focused threats to the diversification of sophisticated hacking and stealth techniques, cybercrime is clearly targeting organizations with an increasing vengeance. And working from home on personal devices further elevates this risk.
Improving UYOD Security
While all organizations face increasing risk at the endpoint, small-to-medium-sized businesses (SMBs) are particularly vulnerable to a cyberattack. How could they not be when they are operating on thinner margins, with limited IT staff and less financial reserves than enterprises? To minimize security risk, SMBs need to put these practices in place when personal devices are being used to access business data:
Embrace a Cultural Security Mindset. One of the obstacles to getting personal device security under control is the mindset that someone else, usually IT, ‘owns’ the cybersecurity and data protection problem. Even though 70 percent of data breaches are known to start at the endpoint, this data point isn’t translating into the average employee or contractor’s consciousness.
No matter how strong defenses are, users can introduce threats to a company’s networks by:
- Falling for phishing scams
- Posting secure information on social media
- Inadvertently giving away credentials
Employees will more enthusiastically embrace BYOD/UYOD security protocols if management has effectively communicated not only how behind day-to-day practices to prevent malware or other attacks but also why mitigating risks is so critical. Acceptable use guidelines might include:
- How to detect social engineering tactics and other scams
- What constitutes acceptable Internet usage
- How remote workers should securely access the office network
- How to properly use password management systems
- How to report security incidents according to their urgency
To encourage employees to adopt ownership of their own device security, it’s important to note smaller enterprises thrive on being more nimble. This ‘get it done now’ mentality can lead to applications being put into play before being thoroughly vetted for access controls and may cause a rise in “shadow IT” which may not meet organizational security standards. It can also lead to ‘rogue’ assets, or personal devices being deployed without full vetting for risks.
The recent wholesale shift to remote working has highlighted this risk more than ever as personal device use explodes. When communicating with employees, there needs to be a careful balance between asking them to be more mindful of security, and realizing their first goal is always to get their work done. Communication and education here are essential to individual participation in helping mitigate risk at the endpoint.
Optimize Limited Resources. With limited IT staff, and often no dedicated security staff, SMBs will be looking to guard against the increased security risks from COVID-19 by executing strategic security initiatives for new remote workers and supporting long-term viability. One critical need in threat defense is endpoint detection and response (EDR) software. EDR is vital to containing a costly breach that could financially devastate an SMB or enterprise. EDR can help software security teams contain, investigate, and respond to threats that may have bypassed other defenses like antivirus tools. An effective EDR solution can provide automated analysis of data to identify suspicious activity, enabling IT to make a timely decision on the threat level and take quick action accordingly.
Simplifying personal endpoint device protection is also imperative. Managing protection for many devices, given scarce resources, demands centralized management from a single pane of glass to provide real-time protection and on-demand remediation. Many SMBs may also consider outsourcing their security needs to a managed service provider (MSP) in order to free up resources, but this should not take the place of employee security training.
Apply for Privacy Protection. As users work from home, they need an extra layer of protection to stop cyberattack risk – as they are no longer behind the security of your corporate network. This is where the value of a virtual private network (VPN) comes into play. This important, and often overlooked, a layer of defense ensures that a users’ IP address is private, secure, and encrypted, helping to protect your business data.
Serving as a digital middleman between the user and the Internet, a VPN can deter hacking and unauthorized tracking which will help prevent employees from being cyber threat targets. It works like an encrypted tunnel between the user and your data, keeping away the prying eyes of threat actors looking to access your business data – including passwords, personally identifiable information (PII), customer information, credit card numbers, and more. By employing a VPN, you can limit the risk of employees working from their personal networks while protecting critical business and customer information.
Post-COVID Environment
Eventually, employees will begin returning to work onsite, but this crisis has demonstrated the benefits of working at home. This means that the heightened use of personal devices for business is here to stay. SMBs can manage this new working reality by improving employee communication on threat prevention, creating a strategy to more thoroughly record and protect assets, and implementing the protection of a VPN to keep important business data away from prying eyes.
In the longer term, all these security measures are going to be critical to economic viability. Cybercriminals have been exploiting COVID-19, but they will revert back to other forms of cybercrime soon enough and ransomware attacks, costly data breaches and business disruption will be back in the news. SMBs can avoid tragedy by implementing strong preventative anti-attack measures now.
About the Author
Akshay Bhargava is the Chief Product Officer at Malwarebytes, a leading provider of advanced endpoint protection and remediation solutions.
