The Six Hidden Risks of BYOD: How Personal Devices Can Compromise Corporate Data

Hwei Oh
04/29/2025

With 82% of organizations implementing a bring-your-own-device (BYOD) policy, using personal devices on company networks is the new norm. BYOD policies offer advantages for employers and employees alike. Employees only need to manage one device of their choosing and can work remotely without issue. Meanwhile, employers save on the cost of supplying every employee with a laptop, smartphone, and tablet. Additionally, they can reap the rewards of an always-on workforce.

Though there are many advantages to BYOD, it also comes with a significant risk — and not just to the user. Personal devices that have access to company data are increasingly becoming targets for bad actors, and it’s easy to see why.

Here are the six ways BYOD policies, and even company-issued mobile devices, are posing a threat to organizations, and how your security team can mitigate those risks to avoid a costly breach.

Risk #1: BYOD devices have little security

All mobile devices pose a danger, but personal smartphones are particularly risky because they have virtually no built-in security. The same goes for personal laptops. Unlike company-issued devices, businesses don’t have the authority to install antivirus or endpoint detection and response software on employee-owned devices. Beyond that, employees are unlikely to voluntarily install added security software, especially if they need to pay for it or feel their privacy is being violated.

Making matters worse, employees are more likely to engage inadvertently in risky behaviors like downloading unsecured or malicious applications and visiting shady websites when using a personal device outside of work. When they are at home scrolling through Instagram, downloading gaming apps, responding to texts from friends, or clicking on an ad or text from a business they frequent, employees likely aren’t thinking about security and risk management in the same way as when they are sitting at a desk on a company device. This can result in employees clicking on a phishing link and accidentally giving up their data.

Risk #2: Personal devices harbor a lot of corporate data

If employees are at home using their personal devices for personal reasons and a compromise occurs, it may not seem like a company issue. However, any personal device that is connected to company email platforms, software, or cloud-based databases poses a threat to company security. For example, if an employee downloads an engineering design file or a client list full of PII and sends it over Slack, Teams, or email, that file is living on their device unencrypted. Furthermore, it’s unlikely the employee will think to properly delete the file after it’s sent, since they’re on to the next task.

Now imagine every employee is downloading and uploading files every week onto personal devices. Suddenly, there are millions of company files being stored on dozens, hundreds, or even thousands of unsecured devices. As bad actors search for device vulnerabilities virtually, or happen upon an unattended personal device in a coffee shop, those files can easily be accessed and used for malicious purposes.

Unfortunately, it’s not just locally stored files that make personal devices prime targets. SaaS and cloud-based applications on personal devices also pose a risk to data security, which brings us to our next point.

Risk #3: Cloud and SaaS-based risk extends to personal devices

Before the widespread adoption of SaaS vendors and cloud-based infrastructure, securing company data was relatively straightforward. Information was stored on company devices and servers, both of which remained in the office. Now, data is typically stored on cloud-based applications, and access is only one account log-in away. Data security is split among the company that developed and manages the cloud-based application or solution, the company using the application, and its employees.

As personal devices with cloud-based applications leave the office, matters are complicated even further. Employees may be accessing company data stored in a cloud-based application from a public WiFi network or unsecured device, incurring more risk. (More on that later.)

At a minimum, companies need to ensure that third-party partners and software providers are properly securing their environments, and that employees are using MFA and are trained on password best practices.

Risk #4: Corporations have less visibility into personal devices

With so many free workplace tools on the market, employees and teams often search for and download tools that allow them to be more efficient and productive. Unfortunately, when IT isn’t involved in that process, they can’t ensure the software or tools are secure or properly managed. If a breach does occur, or an unauthorized user gains access to an organization via one of these applications, incident response plans can’t be executed properly, and IT teams may not be able to identify the source of the compromise. 

Shadow IT is already an issue for organizations, but it is compounded when employees are also downloading dozens of applications onto the same devices that store company data or are using multiple personal devices to access company networks. IT departments are struggling to keep track of which devices are connected to the organization’s network and which applications have been downloaded onto those devices. This not only poses a huge challenge for securing that data, but it also increases the chances of a repeat attack.

Risk #5: Threat actors are specifically targeting personal and mobile devices

Due to all of the aforementioned vulnerabilities, hackers are increasingly attacking personal and mobile devices. A Samsung survey of 500 U.S. executives and 1,000 employees at small and mid-sized businesses found that 48 percent of BYOD organizations have had malware introduced through an employee’s personal phone. Proofpoint’s 2024 State of the Phish report stated that 75% of organizations experienced smishing attacks in 2023, and Verizon’s 2023 Mobile Security Index found that employees are 6-10 times more likely to fall victim to a smishing attack than an email attack.

Not only are mobile attacks on the rise, but cybercriminals are being strategic in how they’re leveraging attacks on mobile phones to trick prime targets. Executives are increasingly being hit with whaling attacks on mobile phones because cybercriminals know they are regularly engaging with sensitive company information on those devices. Meanwhile, nation-states are attacking telecom companies to access the phones of government officials and collect sensitive information. So mobile security is more vital now than ever before.

Risk #6: Personal and mobile devices have added vulnerabilities

Personal laptops and mobile devices face all the same cybersecurity threats as traditional workstations and company-issued devices. But they also come with a slew of additional risks, particularly when it comes to mobile devices. 

While desktop computers were once limited to secure in-office WiFi networks, laptops and mobile phones are often connecting to many less secure networks, including the networks in client offices, home networks, and worst of all, public WiFi networks. While this is also true for company-issued devices, personal devices are likely being used more frequently, and in more places, making them more open to risk. Threat actors can easily intercept communications or airdrop malicious packages onto devices connected to a public WiFi network. They can even track employees’ activities and steal their account credentials.

Similarly, the likelihood of physical cyberattacks increases because employees are taking their devices to more locations and are more likely to lose them or leave them unattended in places where someone can swipe them. While a work laptop may remain locked in a desk or safely stored in a home office, employees’ personal phones are traveling to bars, concerts, gyms, and dozens of other crowded places where their owners’ defenses are down and their attention is diverted.

Perhaps most alarming are zero-click attacks, a new type of exploit that affects aspects of a mobile device such as SMS, messaging, or email applications. In traditional attacks, a user must take an action like clicking on a dangerous link or downloading files with malicious code. Zero-click attacks, however, require no user interaction. They exploit vulnerabilities in applications that accept and process untrusted data: a malicious message carrying malware is dropped on the phone and any trace that it was ever there is deleted, so users are unaware the attack even happened. These types of attacks are highly successful, particularly on personal devices that may be using old operating systems or contain unpatched software.

Because company data and applications are housed on personal devices, all these risks to personal devices become organizational risks. It’s imperative that companies take action to secure their networks and data before they become victims of a costly breach.

Organizations need to pay attention to mobile security

Mobile security is likely to be the next wave in cybersecurity. When companies adopted cloud-based software, security strategies needed to be adjusted, and this is no different. With the rise of BYOD, companies need to be aware of the risks and adjust their security strategies accordingly.

Because BYOD and mobile devices carry so many risks, and those risks are continuously growing, traditional MDM strategies alone will prove to be insufficient. Organizations need to proactively hunt for new threats, address mobile-specific threats like spyware and zero-click exploits, improve visibility into devices accessing company networks, isolate company data and applications on mobile phones, use a VPN, and train employees how to avoid falling for a smishing attack. However, as is often the case, finding the resources and expertise and getting a mobile security strategy up and running can be expensive and time consuming. We recommend working with a partner who can help fill in any resource, knowledge, or tech gaps to get a mobile security strategy executed quickly.

SolCyber’s mobile protection services extend beyond that of traditional MDM. We help you take advantage of all the benefits BYOD has to offer without taking on the risks. Learn more about our mobile protection services and reach out to the security experts to get started today.
