What can we learn from the UK’s BYOD strategies?
A BYOD policy (bring your own device) is a handy way for companies to improve productivity and cut costs. It allows staff to use their own mobile devices and hardware for work. That means the company doesn’t always have to invest in new hardware, while staff get to use devices they’re comfortable with. Less time getting used to a new system, more time focusing on tasks.
However, with comfort comes problems. It’s easy to take security for granted. After all, when using your own device, you know what security red flags to look for, right? Well, not really. Complacency is common, and risk on a personal device under a BYOD policy becomes risk to the company network. In today’s net-driven age, where we rely on remote work, we have no choice but to use BYOD policies. That’s why it’s critical to secure them.
The UK has revised its stance on BYOD guidelines. What can we learn from them? What ideas should we incorporate into our own BYOD programs?
What the National Cyber Security Centre currently says
The NCSC is the UK’s equivalent of CISA, responsible for cybersecurity policies and guidelines. It has outlined some key challenges people and businesses face today:
- Obligations related to contracts and regulations
- An increased need for improved mobile device support
- Privacy controls and company regulations from end-to-end connections (mostly with remote working)
- Challenges of device compliance with company policies and rules
- Data protection, security, and backup
With that in mind, the NCSC has updated its policies in response to the surge in remote working.
Emphasis on Zero-Trust
At Bytagig, we’ve talked about zero-trust before. The NCSC is bringing that conversation back to the table, though with renewed context. It isn’t enough to discuss or implement zero-trust; it is a policy that must be adopted by management and staff alike.
The NCSC also notes that, in relation to BYOD, having a zero-trust architecture is not the same as having implemented it. You can adopt zero-trust, but it must also fit a BYOD cybersecurity model.
“Cyber hygiene” is a catch-all phrase for good cybersecurity and IT practices: maintaining a complex password policy, using two-factor authentication, keeping proper backups, and running a segmented network, to name a few. The problem, the NCSC reports, is that these concepts are absent from many consumers’ and workers’ habits.
One primary example relates to passwords. Weak logins are an issue not just in the UK, but abroad as well. The NCSC drew this information from a survey conducted by BitDefender, an anti-malware and cybersecurity vendor. The survey revealed several alarming statistics.
Half of the respondents use the same password across all devices and logins, where a login means a website, an app, or anything else that requires a passphrase. Adding to the problem was the use of simple passwords, often easily guessable phrases or combinations. Remember: when attackers aren’t running phishing schemes, they use bot programs to brute-force their way through logins. Finally, some surveyed users (11 percent of respondents) did not use any form of multi-factor authentication.
Others used password managers or relied on memory.
What about securing devices and mobile platforms?
Cyber hygiene extends beyond passwords; it also includes automatic protection against modern threats. With so many emergent threats today, you would expect anti-virus measures to be standard. Unfortunately, this is not the case. The BitDefender survey also found that 35 percent of respondents did not use anti-virus measures on their phones; others considered it too complex or expensive, and some stated it was not necessary.
But the proliferation of attacks through mobile devices, especially with remote working, can’t be denied. The survey also found a lack of VPN and secure-browser use, both of which are critical to better mobile security. This coincides with users reporting that they had experienced a “cybersecurity incident,” such as a breach, suspected attack, or data loss.
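As an added illustration (not code from the NCSC or Bytagig) of the point above and the earlier one that zero-trust must fit a BYOD model, the function below makes a deny-by-default access decision from a hypothetical device-posture record, requiring the hygiene controls this article lists (MFA, anti-virus, VPN or secure browser, backups, no password reuse). The resource tiers and the posture fields are assumptions for the example.

```python
"""Deny-by-default BYOD access check combining identity and device posture."""
from dataclasses import dataclass


@dataclass
class DevicePosture:
    """Hypothetical posture report from a device-management agent (constructed)."""
    mfa_used: bool               # this request was authenticated with a second factor
    antivirus_active: bool       # endpoint protection is installed and running
    vpn_or_secure_browser: bool  # traffic is protected on untrusted networks
    password_reused: bool        # credential also seen on another account/login
    backup_enabled: bool         # device data is backed up


# Constructed policy: the more sensitive the resource, the more controls required.
REQUIREMENTS = {
    "public": {"mfa_used"},
    "internal": {"mfa_used", "antivirus_active"},
    "confidential": {"mfa_used", "antivirus_active",
                     "vpn_or_secure_browser", "backup_enabled"},
}


def evaluate_access(posture: DevicePosture, resource_tier: str) -> tuple[bool, list[str]]:
    """Return (allowed, reasons). Unknown tiers and any failed control deny access."""
    required = REQUIREMENTS.get(resource_tier)
    if required is None:
        return False, [f"unknown resource tier '{resource_tier}'"]
    # Every required control must be present; list the ones that are missing.
    reasons = [ctrl for ctrl in sorted(required) if not getattr(posture, ctrl)]
    # A reused password is treated as a compromised credential at every tier.
    if posture.password_reused:
        reasons.append("password_reused")
    return (not reasons), reasons


if __name__ == "__main__":
    laptop = DevicePosture(mfa_used=True, antivirus_active=True,
                           vpn_or_secure_browser=False, password_reused=False,
                           backup_enabled=True)
    print(evaluate_access(laptop, "internal"))      # (True, [])
    print(evaluate_access(laptop, "confidential"))  # (False, ['vpn_or_secure_browser'])
```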
The report states that phishing and spam texts were part of the attacks.
The gaps and inconsistencies in both cybersecurity hygiene and its adoption create a serious threat.
So, what do we learn? The issues the NCSC discusses are not confined to the UK. They reveal fault lines in understanding good cybersecurity policy and in implementing it. The revised guidelines aim to address the problems outlined in this article, and we can use them as a lens on our own handling of remote-work security.