BYOD reduces CAPEX, but at what cost to security?

By Dave Waterson, CEO, SentryBay

In the Autumn of 2020, Gartner described two technologies that would have a transformational impact on global businesses within the next 10 years. One of these was secure access service edge, and the other was Bring Your Own PC (BYOPC). Driven by the need to ensure remote workers could continue to be productive, enabling the use of their own personal device, whether through a BYOPC or Bring your own Device (BYOD) approach became essential.

But as the modern workplace has altered and become more diversified, new approaches to technology and its usage must be backed up with an equally fresh approach to cybersecurity. The National Cyber Security Centre has recently updated its advice with regard to designing, implementing and managing IT configurations based on a BYOD model. The Centre issued a stark warning to companies – if you have given BYOD users admin access to company resources, revoke it immediately, then come back. What it means by this is that planning is needed for new BYOD deployments, and a quick fix will not be enough to stave off the cybersecurity risks.

Keeping control of access

There is no doubt that BYOPC and BYOD have helped many organisations to manage the cost and feasibility of connecting remote workers and stakeholders such as partners and suppliers. But in sacrificing full control of the device, CISOs need to armour their corporate networks so they do have full control over access, regardless of whether they are working virtually, on the cloud or on-premises.

Unmanaged endpoints, or devices on which the security posture is not updated constantly, represent a threat. If they are compromised by malware or hackers, they are at risk of keylogging or screen scraping attacks which can capture confidential or sensitive data. Other malware uses browser attacks which aim to exploit the log-in process of remote access systems.

As the use of BYOD grows, so too does the risk of attack. While it can be challenging for security leaders to control devices, and even operating system levels or application versions (including browsers) remotely, it is certainly not an impossible task. The best way to move forward is by deploying complementary layers of solutions and services that come together to deter threats.

Most fundamental is the need for a zero-trust approach which should blanket the entire network and all endpoints that connect with it. It might seem extreme to treat all users (and their devices) as a threat by default, but it is the only way to ensure that they can be verified. It’s why the adage “Never trust, always verify” has become so significant.

Taking a sophisticated approach

CISO’s must also adopt more sophisticated strategies than internet security, anti-virus software and securing the wireless network with virtual private networking (VPNs). The past months have proven that with new ways of working, this old triumvirate is no longer enough to ward off attack and certainly each individual approach will not be sufficient.

Our recommendation is that security leaders specify and deploy software and solutions that have been specifically designed to protect endpoints and work as part of a zero trust approach. They ‘wrap’ data and applications securely to counteract cyberattacks particularly from common threats including keyloggers, screen scrapers, browser-based attacks, file interception, RDP double-hop or VNC attacks.

It’s important not to underestimate the impact of these attacks. Key logging and screen grabbing are widely used to access sensitive data. If a keylogger is installed on a remote endpoint device which has a lower security posture than it would have within a secure network, cyber-attackers can gain full access as the user logs-in and to everything the user enters at the keyboard or displays on the local device.

For this reason security software that protects data entry on unmanaged devices, particularly those that work with remote access apps like Citrix, VMWare, WVD, web browsers and Microsoft Office applications, is vital as part of a comprehensive, layered approach when deploying or redeploying BYOD.

The message is clear that BYOD needs careful consideration and planning. It is highly effective at reducing capital expenditure on devices and it impacts positively on the time and cost of maintaining equipment, but that should not be at the cost of security. Data must be adequately protected from the moment it is entered at the keyboard or on the screen to the moment it reaches its destination, regardless of who owns or manages the device or its location.

By Dave Waterson, CEO, SentryBay

In the Autumn of 2020, Gartner described two technologies that would have a transformational impact on global businesses within the next 10 years. One of these was secure access service edge, and the other was Bring Your Own PC (BYOPC). Driven by the need to ensure remote workers could continue to be productive, enabling the use of their own personal device, whether through a BYOPC or Bring your own Device (BYOD) approach became essential.

But as the modern workplace has altered and become more diversified, new approaches to technology and its usage must be backed up with an equally fresh approach to cybersecurity. The National Cyber Security Centre has recently updated its advice with regard to designing, implementing and managing IT configurations based on a BYOD model. The Centre issued a stark warning to companies – if you have given BYOD users admin access to company resources, revoke it immediately, then come back. What it means by this is that planning is needed for new BYOD deployments, and a quick fix will not be enough to stave off the cybersecurity risks.

Keeping control of access

There is no doubt that BYOPC and BYOD have helped many organisations to manage the cost and feasibility of connecting remote workers and stakeholders such as partners and suppliers. But in sacrificing full control of the device, CISOs need to armour their corporate networks so they do have full control over access, regardless of whether they are working virtually, on the cloud or on-premises.

Unmanaged endpoints, or devices on which the security posture is not updated constantly, represent a threat. If they are compromised by malware or hackers, they are at risk of keylogging or screen scraping attacks which can capture confidential or sensitive data. Other malware uses browser attacks which aim to exploit the log-in process of remote access systems.

As the use of BYOD grows, so too does the risk of attack. While it can be challenging for security leaders to control devices, and even operating system levels or application versions (including browsers) remotely, it is certainly not an impossible task. The best way to move forward is by deploying complementary layers of solutions and services that come together to deter threats.

Most fundamental is the need for a zero-trust approach which should blanket the entire network and all endpoints that connect with it. It might seem extreme to treat all users (and their devices) as a threat by default, but it is the only way to ensure that they can be verified. It’s why the adage “Never trust, always verify” has become so significant.

Taking a sophisticated approach

CISO’s must also adopt more sophisticated strategies than internet security, anti-virus software and securing the wireless network with virtual private networking (VPNs). The past months have proven that with new ways of working, this old triumvirate is no longer enough to ward off attack and certainly each individual approach will not be sufficient.

Our recommendation is that security leaders specify and deploy software and solutions that have been specifically designed to protect endpoints and work as part of a zero trust approach. They ‘wrap’ data and applications securely to counteract cyberattacks particularly from common threats including keyloggers, screen scrapers, browser-based attacks, file interception, RDP double-hop or VNC attacks.

It’s important not to underestimate the impact of these attacks. Key logging and screen grabbing are widely used to access sensitive data. If a keylogger is installed on a remote endpoint device which has a lower security posture than it would have within a secure network, cyber-attackers can gain full access as the user logs-in and to everything the user enters at the keyboard or displays on the local device.

For this reason security software that protects data entry on unmanaged devices, particularly those that work with remote access apps like Citrix, VMWare, WVD, web browsers and Microsoft Office applications, is vital as part of a comprehensive, layered approach when deploying or redeploying BYOD.

The message is clear that BYOD needs careful consideration and planning. It is highly effective at reducing capital expenditure on devices and it impacts positively on the time and cost of maintaining equipment, but that should not be at the cost of security. Data must be adequately protected from the moment it is entered at the keyboard or on the screen to the moment it reaches its destination, regardless of who owns or manages the device or its location.