Remote and hybrid working has caused a reshuffle within organisations. To lower capital expenditure on hardware, reduce maintenance costs and let employees use their own familiar computers, laptops and smartphones, Bring Your Own Device (BYOD) policies have proliferated. The flip side, of course, is that at such a scale it is challenging for organisations to control employee devices: they have no visibility of the status of a home PC or laptop, and too many of these endpoints are not fully protected against cyber-attacks.
A poll we recently conducted on Twitter amongst security professionals found that the majority, 69.1%, believe a rethink is needed to deal with the cybersecurity threat now that devices and applications have moved outside the corporate network. Almost a quarter (23.6%) are very concerned about security breaches against the backdrop of hybrid and remote working.
What are the risks?
All devices risk being lost or stolen. However, it is malware that presents the most danger in a BYOD scenario. With cyber-attacks on the rise, employees, and consequently the companies they work for, are vulnerable to keyloggers, screen scrapers, browser-based attacks, file interception, and RDP double-hop or VNC attacks, and the impact of these can be devastating.
Keylogging and screen grabbing, for example, are used by attackers to access sensitive data. If a keylogger is installed on an unmanaged device that is being used remotely, cyber-attackers can gain full access as the employee logs in, and to everything they subsequently enter at the keyboard or display on their device.
The risks associated with BYOD prompted the National Cyber Security Centre (NCSC) to issue this statement: ‘Although the conceptual aims of BYOD are an attractive prospect to most organisations, it comes with a conflicting set of security risks and challenges.’ It went on to state that balancing an organisation’s need to protect and maintain control of its data and systems against the usability and privacy expectations of the device owner can be difficult.
The recommendation of the NCSC is to adopt zero trust, and there are good reasons for this. Zero trust literally means that nobody and no device is trusted, and therefore everybody and their device must be verified before they can be given access to corporate data, applications, platforms or networks at any level.
Implementing zero trust, however, can be challenging. In fact, our poll found that only a third of respondents (33.6%) had already implemented it, although 8.5% were in the process and 10.6% planned to do so in 2022.
A workable approach to zero trust
Security professionals are concerned about their own lack of understanding when it comes to embedding identity and access management, worried about productivity during the process, and about the cost or resources needed to manage it.
To implement zero trust successfully means thinking about it holistically. It is not a single solution or a platform; it is an approach to security that demands verification of all users and all devices, and it needs to be built into a company’s broader IT and security strategy, preferably in achievable stages.
There is no doubt that if a company is embracing a BYOD policy to enable remote and hybrid work, it will need to significantly elevate its security posture. The tried and tested method of using internet security and anti-virus software and securing the wireless network with virtual private networks (VPNs) will no longer fend off the latest cyber-attacks. More is needed.
The best approach is a layered defence which means that even if a specific attack gets past one security measure, it will be thwarted by another. The most valuable corporate asset – data – and the applications that handle it, must be placed at the centre, with security layers encasing it protectively.
The approach to achieving zero trust also depends very much on the set-up of the organisation, how its hybrid or remote work policy is playing out, and what this means for its infrastructure. What any company should be looking for is a solution, or set of solutions, that provides a common security baseline. These must be fit for purpose: able to wrap data and applications securely, regardless of the status or type of endpoint device being used or the infrastructure it is connecting to.
Putting zero trust into practice
It is one thing to purchase and deploy a security software solution, even one designed specifically to protect devices, but it is quite another to ensure that the solution is coupled with support for the organisational needs of the company. Any solution used in a BYOD environment must be simple for employees to install and use; it must require very little support; and it must work seamlessly with all the most widely used organisational software packages.
Perhaps most importantly, companies should be using solutions based on application confinement. This means that applications, and all the data that flows in and out of them, are constantly protected from malware without the need to identify it first. Combined with kernel-level anti-keylogging measures and always-on screen and video protection, this is the very definition of a zero trust environment.
Facing up to the new normal
Companies in 2022 are tackling an ever-evolving technology and cybersecurity environment while still recovering from the impact of the global pandemic. Implementing zero trust gives them the flexibility to adopt a BYOD policy, and take advantage of the cost savings, with the reassurance of knowing they are slamming the door on uninvited intruders.