A common cybersecurity misconception
A common cybersecurity misconception is that some people are too “unimportant” to attack. So, they think they don’t need to lock down their personal devices or keep their software up to date.
Does it really matter if your account managers or marketing team update their iPhones to the latest iOS? Or make sure they are running the most recent version of Acrobat? How would an organization even police that?
It matters. Bad actors do not discriminate. Think of bad actors as water and your organization as a boat: cybercriminals will seep through even the tiniest crack to gain access and take down whatever they can. Attackers may not care about an individual employee’s data and finances, but they certainly care about the organization’s data and finances that the employee’s device can unlock.
With the rise of Bring Your Own Device (BYOD) policies in workplaces, there are more security risks that both employees and managers need to be aware of.
According to the SANS Institute website, about 31% of employees polled “sometimes,” “rarely,” or “never” install software updates. Depending on the size of your business, that could be a significant number of vulnerable endpoints. If cybercriminals can compromise an endpoint, such as a mobile device, they have a crack to slink through and move into the organization’s wider systems.
Ways employees can keep personal devices secure
- Use strong passwords and MFA whenever possible on personal (and business) devices
  - Using a second factor that is biometric (like a fingerprint) or physical (like a YubiKey) is even safer in the event your mobile device gets stolen.
- Update devices regularly
  - Most updates include security fixes and shouldn’t be ignored
  - Turn on automatic updates on computers and mobile devices
- Make sure you are downloading software only from trusted sites
- Enable automatic locking with password protection on your computers and phones
Ways organizations can reduce risk while implementing BYOD
- Create and enforce company-wide BYOD policies
- Require MFA for all business accounts; strongly recommend it for all personal accounts
- Implement comprehensive logging that records all access to company services and alerts on potentially risky logins (for example, a login from an unexpected country, or multiple login attempts with MFA failures)
- Deploy an endpoint management system on all devices. These tools can push updates, control which apps employees may install, and manage a device remotely in the event it is lost or stolen.
- Enforce an acceptable use policy that prohibits risky behaviors, such as installing unknown software or jailbreaking a phone. Ensure that all employees read the policy and agree to it by signing it.
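As an added example (not code from the original post), the two alert conditions listed above expressed as detection logic run over constructed sample login records. The log line format, the expected-country set, the failure threshold and the time window are all assumptions.

```python
# Added example: flag the two risky-login patterns named in the post
# (login from an unexpected country; a burst of MFA failures for one user).
# Assumptions: one event per line as ts|user|country|result, where result is
# "success" or "mfa_fail"; the country set and thresholds are made up.
from collections import defaultdict
from datetime import datetime, timedelta

EXPECTED_COUNTRIES = {"US", "CA"}      # assumed: where staff normally sign in
MFA_FAIL_THRESHOLD = 3                 # assumed: failures per user per window
MFA_FAIL_WINDOW = timedelta(minutes=10)

# Constructed sample log: bob fails MFA three times in two minutes, carol
# signs in from an unexpected country, dave's failures are spread out.
SAMPLE_LOG = """\
2024-05-01T09:00:00|alice|US|success
2024-05-01T09:05:00|bob|US|mfa_fail
2024-05-01T09:06:00|bob|US|mfa_fail
2024-05-01T09:07:00|bob|US|mfa_fail
2024-05-01T09:30:00|carol|RO|success
2024-05-01T11:00:00|dave|US|mfa_fail
2024-05-01T12:00:00|dave|US|mfa_fail
2024-05-01T13:00:00|dave|US|mfa_fail
"""

def parse_log(text):
    """Turn the pipe-delimited lines into event dicts with parsed timestamps."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, country, result = line.split("|")
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "country": country, "result": result})
    return events

def detect_risky_logins(events):
    """Return (alert_type, user, detail) tuples in chronological order."""
    alerts = []
    fails = defaultdict(list)   # user -> timestamps of recent MFA failures
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["country"] not in EXPECTED_COUNTRIES:
            alerts.append(("unexpected_country", ev["user"], ev["country"]))
        if ev["result"] == "mfa_fail":
            recent = fails[ev["user"]]
            recent.append(ev["ts"])
            # keep only failures inside the sliding window ending at this event
            recent[:] = [t for t in recent if ev["ts"] - t <= MFA_FAIL_WINDOW]
            if len(recent) == MFA_FAIL_THRESHOLD:   # alert once per burst
                alerts.append(("mfa_failure_burst", ev["user"],
                               f"{len(recent)} failures within {MFA_FAIL_WINDOW}"))
    return alerts

if __name__ == "__main__":
    for alert in detect_risky_logins(parse_log(SAMPLE_LOG)):
        print(alert)
```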
The goal of BYOD is to make work easier for your employees. Unfortunately, it can make work easier for bad actors as well. Once all of the above measures are in place, keep reviewing them and work on fostering a security-forward culture through education, discussion, and buy-in from all parts of the organization.
If you’re looking for more guidance on how to move your cybersecurity program forward, CDG can help. We are shifting the cybersecurity consulting paradigm to address the needs of mid-market, cloud-native or cloud-reliant companies that are experiencing rapid growth.
Founded in 2016 by global security expert Lou Rabon, our nimble team draws on decades of experience and diverse technical expertise to deliver a full spectrum of information security advisory and implementation services on a fixed-cost basis. Our right-sized, results-driven approach will help you meet your immediate needs, but also ready you to navigate what’s ahead. Get in touch, and see what results are possible for your organization.