Enterprise security leaders have had to rethink traditional organizational processes to remain operational during the pandemic. Organizational leaders initially accomplished this through the broader adoption of BYOD (Bring Your Own Device) practices to better enable employees to remain productive regardless of their geographic location. The rapid push toward facilitating this, however, has invariably resulted in companies sacrificing the security of user endpoint devices for increased usability in a work-from-home environment.
The statistics speak for themselves. Findings from techjury research highlight how BYOD increased in 2020:
- 67% of employees use personal devices at work
- BYOD generates $350 of value each year per employee
- A BYOD-carrying employee works an extra two hours
- 87% of businesses are dependent on their employee’s ability to access mobile business apps from their smartphone
- 69% of IT decision-makers in the US say BYOD is a good thing
- 59% of organizations adopted BYOD
According to a market study published by Global Industry Analysts, the global market for BYOD and enterprise mobility estimated at $61.4 billion in 2020, is projected to reach $157.3 billion by 2026. Benefits such as enhanced employee satisfaction, schedule flexibilities and increased productivity are highlighted as the key drivers behind this trend. BYOD has also contributed to organizations shifting to cloud-based applications to manage various functions and the multitude of mobile devices from a single, controlled environment.
As more employees turn to their personal devices for work, the need for solutions to better manage the remote environment will also increase. At the end of 2025, the market for these enterprise mobility management solutions is expected to reach $11.96 billion. Similarly, the market for mobile device management solutions and services is anticipated to grow to $15.7 billion by 2025.
Security challenges increase
However, as the number of endpoint devices connecting to corporate assets in the datacenter grow, so too does the attack surface. And cybercriminals, as always, have quickly figured out new ways to capitalize on the daily information security challenges faced by organizations in this environment.
In fact, only 41% of businesses have complete control over the files being shared by users in enterprise messaging apps on mobile devices. The research further highlights that only 9% of companies have the tools to detect malware in these apps. And even though 42% of organizations indicated they use endpoint malware protection for BYOD security, this does not account for one of the most dangerous attack vectors in the market today – that of human hacking and social engineering.
Therefore, it should come as no surprise that, according to data from Verizon, the average cost of a successful data breach at U.S. businesses over the past 16 months increased to almost $22,000 per incident. But perhaps more significantly, nearly 85% of those breaches relied on social engineering. This reflects how adept vendors have become at detecting malware, resulting in a decline in these types of vulnerabilities.
Of course, organizations must still deploy endpoint anti-virus or NextGen AV solutions. But these are focused on malware protection and do not account for the evolution of phishing that incorporates more sophisticated social engineering tactics. So, even though personal devices will also remain a target, especially in a work-from-home environment where they sit outside the relative safety of corporate infrastructure and defensive measures, the threat landscape is now more focused on human hacking.
Bypassing defenses
To this end, threat actors are continuously identifying unique ways to bypass automated defenses and cybersecurity training. For example, attackers can use the publicly available APIs of a business to dynamically fetch the look and feel of an organization's customized Microsoft 365 login page. So, when a user clicks on a malicious URL, the first request goes to the Microsoft page, where attackers pull the screenshot and logos from the original account. This fools the automated defenses by providing a 100% accurate comparison between the real and fake sites and establishes a sense of trust with the users who are familiar with the company's login page.
Another method used is to embed phishing links into PDF documents uploaded to popular cloud platforms like Google Drive, Dropbox, or Adobe Spark. Once the user reads the document and clicks on the link, the actual phishing page will open. Because this happens at a domain level and it is challenging to extract phishing text from a PDF document, this can also fool automated systems and users.
Online forms like Google Forms or Survey Monkey also provide ways for attackers to bypass these defenses because these forms can mask phishing attacks. For instance, a form can be set up to look like a standard IT support page requesting the user to change their password due to the potential of a security breach. The user will then be asked for their original password and the new password, providing attackers with the information needed to compromise the system.
Device protection
Significantly for the BYOD environment, most mobile devices have no special security protection other than the features natively built into the operating system. This is exacerbated by the fact that browsing protection on these devices is a fraction of the protection available on desktop browsers. And while malicious mobile malware is still rare, mobile phishing is rampant.
Adding to the complexity of the cybersecurity footprint required to manage BYOD, phishing is no longer limited to just emails. Smishing (text messages) and vishing (phone calls) are becoming increasingly popular. And then there are the dangers of social networks like Facebook, LinkedIn, and Instagram, where phishing scams have become more advanced. This is thanks to how malicious users have adopted artificial intelligence (AI) technology to mine user profiles for personal information to launch target spear phishing attacks that are becoming increasingly difficult to identify even to the most well-trained person.
Recently, 700 million LinkedIn records were leaked to add to the 500 million profiles put up for sale on a popular hacking forum earlier this year. And even though LinkedIn stated that the most recent issue was attributed to data being scraped and not a breach, the situation highlights how significant social network compromises have become.
Increasingly, phishing campaigns are launched using legitimate cloud services like Google, Dropbox, or SharePoint. With organizations having those services whitelisted, a phishing page hosted on legitimate infrastructure can bypass security and user training that teaches people to look for suspicious domains. With threats coming from these legitimate cloud services and compromised accounts, it is impossible for ordinary people to identify a potential attack accurately regardless of their cybersecurity training.
Mitigating the risk
Given the growth of BYOD over the past year or so, security professionals must review their current endpoint security strategies. Security questions must ask questions, such as: does each user device have cybersecurity software installed, do employees have access to ongoing cybersecurity training, and how organizations can best balance the need to maintain a strict security environment while not compromising on the personal data of employees reliant on their personal devices for work.
In addition to having security on devices – the new endpoint in any network – it is important to inform employees about the breadth and sophistication of today’s human hacking attacks. We know that people are the weakest link of the security process, with human error inevitably resulting in a compromise. Alerting employees that attacks are near common and on all communications and collaboration channels, including SMS text and social media, can be one more step to help avoid the potential of these breaches happening.
However, there is no one sure-proof way of shoring up corporate defenses to disperse over a wide geographic footprint. Because the velocity of malware and phishing attacks is so high, organizations will need multiple defenses that combine various techniques. The best defense is a layered one that incorporates cybersecurity software, security at the endpoints of all networks, including mobile devices, and user training. But more than that, companies must adopt AI and machine learning (ML) to further strengthen their BYOD environments.
Realistically, the human resources requirements needed to defend against the growing number of automated attacks manually are almost impossible to meet. Companies must fight the proverbial fire with fire as BYOD becomes the new battlefield. By combining existing cybersecurity approaches with AI and ML algorithms, business gain access to automated analysis that understand what makes an application, extension, Web page, and spoofed page malicious.
No lockdown
Of course, this does not mean that organizations can exfiltrate personal data from employee’s personal devices. Endpoint Protection can be used to drive privacy and security while continuing with the BYOD approach. This means that the business has complete visibility of the threat landscape without compromising its employees' privacy. By not having data leave the device, the company cannot see, for example, the browsing behavior of the user.
In the end, the best way to guarantee privacy while delivering the level of protection needed is to do so on the device itself. By focusing on the infection and not on having personal data transmitted back to the corporate environment, an organization can get the best of both worlds. An effective BYOD environment where productivity is enabled while still being as secure as possible without compromising employee experience.