The growing trend of remote work and mobile technology is blurring the lines between personal and professional lives for many of us. Using personal devices for work is undoubtedly more convenient, but it also presents a number of security risks.

In this blog, originally posted by our colleagues at the West Midlands Cyber Resilience Centre, we'll look at the risks of using personal devices for work and offer some advice on how you can help to mitigate them.

The growing trend of BYOD (Bring Your Own Device)

BYOD, or Bring Your Own Device, has grown in popularity. Employees value the flexibility and familiarity of using their own devices, and employers find it more cost-effective than providing all of their employees with brand new devices. However, this trend poses several risks, particularly in industries that handle sensitive information, such as healthcare and home care services.

Security challenges of using personal devices

Data breaches and unauthorised access

Personal devices are more vulnerable to data breaches than company-issued devices, owing to inconsistent security measures. If an employee's device is lost or stolen, sensitive information can easily end up in the wrong hands.

Lack of security updates

Not everyone updates their devices with the most recent security patches on a regular basis; we've all hit the "postpone update" button. Manufacturers must provide regular security updates and bug reporting mechanisms, but it is the user's responsibility to keep their device updated. Failure to do so puts your device and data at risk.

Inadequate encryption

Personal devices may not have proper encryption, making it easier for cybercriminals to intercept and access sensitive information. Encryption ensures that data, even if intercepted, is unreadable without the correct decryption key.

Malware and Phishing attacks

Personal devices are used for both personal and professional purposes, which increases the likelihood of malware infection. Employees may unknowingly download malicious software or fall victim to phishing attacks, compromising the security of sensitive work data.

File Sharing and Data Leakage

Sharing files between personal and professional domains may result in data leakage. Employees may accidentally share sensitive files via insecure channels or with unauthorised parties.

Lack of centralised management

Employees may handle sensitive information using unauthorised or insecure apps in the absence of centralised app management. Centralised management ensures that only approved and secure applications are used, which reduces the risk of data breaches.

The significance of rules and regulations

A lack of clear rules and regulations governing the use of personal devices for work can exacerbate security concerns. Companies should establish BYOD policies that address:

Device Security Standards

Make sure to set minimum security standards for personal devices, such as mandatory encryption, multi-factor authentication, regular security updates, and strong password policies.

Acceptable Use Policies

Clearly define acceptable use of personal devices for work purposes, including what activities are and are not permitted.

Access control and monitoring

Implement access controls to ensure that only authorised personnel have access to sensitive information. It's a good idea to set aside some time to ensure that these are regularly monitored so that security incidents can be detected and addressed as soon as possible.

Strategies for reducing risks

Centrally managed applications

Using centrally managed apps improves security by limiting access to sensitive data to specific locations and context. For example, home care apps can be configured to only allow data entry when carers are present with patients, preventing unauthorised access outside of working hours.

Two-factor authentication (2FA)

One of the most effective ways to improve the security of personal devices used for work is to use two-factor authentication (2FA) or multi-factor authentication. This increases security by requiring two or more forms of verification before granting access to sensitive data. It's also quick and easy to set up!

Remote Access Control

The ability to remotely revoke access to work apps and data is critical. If an employee's device is lost or stolen, or if they leave the company, their access to sensitive information can be terminated immediately, preventing unauthorised access.

Regular security training

Employees should be educated on best practices for security. Regular training sessions can raise awareness about the risks of using personal devices for work, provide practical tips for protecting sensitive information, and provide an opportunity for your employees to ask questions and receive clarification on issues they are unsure about. For details about the EMCRC's Security Awareness Training and how to book a session, see here.

Asking the Right Questions

To better understand and reduce risks, businesses and employees should ask themselves questions such as:

What are my vulnerabilities?

Identifying potential vulnerabilities in device security and usage patterns can help you focus your cybersecurity efforts where they are most needed.

Are my devices up-to-date?

Ensuring that personal devices have the most recent security updates and patches can significantly reduce the risk of exploitation.

Am I using a secure application?

Using vetted and secure applications for work-related tasks reduces the likelihood of data breaches.

Do I understand how to recognise phishing attempts?

Identifying and avoiding phishing attempts can help prevent unauthorised access to sensitive information.

If you need help with your organisation's cyber security, please contact us to see how we can assist you.

Source: The West Midlands Cyber Resilience Centre

Reporting

Report all Fraud and Cybercrime to Action Fraud by calling 0300 123 2040 or online. Forward suspicious emails to report@phishing.gov.uk. Report SMS scams by forwarding the original message to 7726 (spells SPAM on the keypad).