A Common Cybersecurity Misconception
A common cybersecurity misconception is that some people are too “unimportant” to attack. So, they think they don’t need to lock down their personal devices or keep their software up to date.
Does it really matter if your account managers or marketing team update their iPhones to the latest iOS? Or make sure they are running the most recent version of Acrobat? How would an organization even police that?
It matters. Bad actors do not discriminate. Think of bad actors like water and your organization a boat ― cybercriminals will infiltrate even the tiniest crack to gain access and take down whatever they can. Attackers may not care about employees’ data and financials, but they certainly care about the data and financials they can unlock within the organization.
With the rise of Bring Your Own Device (BYOD) policies in workspaces, there are more security risks that both employees and managers need to be aware of.
According to the SANS Institute website, about 31% of employees polled “sometimes,” “rarely,” or “never” install software updates. Depending on the size of your business, that could be a significant number of vulnerable endpoints. If cybercriminals can gain access to an endpoint, such as a mobile device, they have a crack to slink into and infiltrate an organization’s whole system.
Ways Employees Can Keep Personal Devices Secure
Use strong passwords and MFA whenever possible on personal (and business) devices
- Using a second factor that is biometric (like a fingerprint) or physical (like a Yubikey) is even safer in the event your mobile device gets stolen.
Update devices regularly
- Most updates have security fixes and shouldn’t be ignored
- Run auto update on computers and mobile devices
Make sure you are downloading software from trusted sites
Enable automatic locking with password protection on your computers and phones
Ways Organizations Can Reduce Risk While Implementing BYOD
- Create and enforce company-wide BYOD policies
- Require MFA for all business accounts; strongly suggest for all personal accounts
- Implement comprehensive logging that records all access to company services and alerts on potentially risky logins (examples include logins from an unexpected country and multiple login attempts with MFA failures)
- Implement an endpoint management system to install on all devices. These tools have the ability to push updates, control which apps employees can download, and manage a device remotely in the event it is lost or stolen.
- Enforce an acceptable use policy that prohibits risky behaviors, such as downloading unknown software or jailbreaking your phone. Ensure that all employees read this and agree to it by signing this policy.
The goal of BYOD is to make work easier for your employees. Unfortunately, it can make work easier for bad actors as well. After ensuring all of the above procedures are in place, continue to review them and work on fostering a security-forward culture through education, discussion, and buy-in from all parts of the organization.
If you’re looking for more guidance on how to implement standard cybersecurity protocols, or need help creating or augmenting a cybersecurity program, our team can help. Founded in 2016, Cyber Defense Group was designed to address the growing demand for experienced cybersecurity consulting for innovative cloud-native and cloud-reliant organizations. Get in touch, and see what results are possible for your organization.