The sheer variety of employee-owned endpoints can cause a headache for IT teams. These devices do not always have the controls in place that endpoints within the office might have. Manuel Sanchez, Information Security and Compliance Specialist, iManage, explains the risk of BYOD and how companies can mitigate endpoint risk.
What shape will work take: remote vs return to office? The answer for the time being seems to be ‘both’ – and as long as a hybrid model of some form exists, organisations will need to be extra vigilant around the endpoints that employees are using to access and interact with the organisation’s resources at home and on the go.
These devices – which range from laptops and tablets to home printers – are juicy targets for bad actors looking to exploit them to gain access to enterprise systems and data, because they do not always have the controls in place that endpoints within the office might have.
How did we arrive at a landscape saturated with employee-owned endpoints, and what’s the best approach for enterprises looking to minimise potential risk surrounding these devices?
BYOD gets a boost
Even before the pandemic, there were BYOD (bring your own device) policies that allowed employees to use their personal devices for work – maybe their beloved MacBook laptop or a smartphone that they were already using every day in their personal life.
Since the pandemic, that approach has expanded, with many companies actually giving employees a cash allowance to purchase devices – not just smartphones or laptops, but other endpoint devices like printers.
This approach was a matter of necessity during pandemic lockdowns, when it was basically impossible for employees to avail themselves of corporate resources like printing. Instead, employees would buy a printer from an online retailer, so that they could print out hard copies of documents on their own.
Essentially, employees were free to create their own ‘home office’, along with the endpoints it encompassed.
An explosion of endpoints
The problem with this level of freedom is that IT is no longer in control of the devices their employees are using for work purposes. They’re not able to test those devices beforehand, make sure they have the right security features and functionalities, and otherwise ensure that the devices can be sufficiently locked down.
Traditionally, the way to mitigate this problem was for IT to provide guidance and recommendations around the type of devices that employees could use, in conjunction with measures on the IT side that reinforced those recommendations. For example, any mobile devices that were at least five years old – and potentially had outdated, vulnerable firmware – wouldn’t be recommended, and wouldn’t even be allowed to connect to the company network.
The problem that IT teams are dealing with today isn’t so much employees trying to use older, outdated devices as the sheer variety of devices. The world isn’t just Macs and Windows, or iPhones and Androids anymore – there are Chromebooks, Google Pixels and a host of other devices. That’s to say nothing of the scores of vendors making the printers and other endpoints that employees are now purchasing and connecting to their home network for work usage.
Mitigating endpoint risk
Since limiting purchases to an approved ‘roster’ of endpoints is no longer a practical approach, companies should focus instead on disseminating endpoint best practices to remote employees. These practices include keeping devices fully patched and up-to-date, and not ignoring alerts that say the device needs to restart to run a security update. (Sounds straightforward, but it’s very easy for busy professionals to ignore these alerts when they’re in the middle of the workday, flying from one task to the next.)
Companies may also wish to limit employee exposure to any rogue apps via the usage of an enterprise app store that only contains vetted and approved apps. This can help prevent employees from downloading a seemingly harmless app that is actually installing malware in the background and compromising their data.
Another method to reduce threats on endpoints is a VPN (virtual private network), which keeps communication secure outside the office or a secure home network. Additionally, Mobile Device Management (MDM) tools can help IT teams register new devices, monitor device health and hardening, and track down a device and wipe its data remotely if it has been misplaced or stolen.
Additional layers of protection
Multifactor authentication (MFA) and passkey authentication have a role to play in endpoint protection, allowing users to move away from usernames and passwords altogether, using the device itself as a way to verify identity before accessing an application.
Perhaps the best way to neutralise any potential threats around unsecured endpoints doesn’t even involve the endpoint itself; instead, it revolves around where the organisation stores sensitive files and work product.
By making sure that the organisation stores sensitive content and manages user access through a cloud-based document management platform with Zero Trust principles built in, companies automatically incorporate another layer of protection into their hybrid working model.
A Zero Trust framework is a modern approach to cybersecurity that challenges the traditional assumption that everything behind a corporate firewall is inherently safe. Instead, it operates on the principle that no user, device, or system should be implicitly trusted.
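The following is an added example, not code from the article or from iManage, showing how the mitigations above (patch currency, MDM enrolment, MFA or passkeys) and the Zero Trust principle combine into a per-request access decision for a document platform. The posture report format, threshold values and resource labels are assumptions; only the "at least five years old" device rule is taken from the article. The key design point is that network location is never an input: a request from the office LAN is judged exactly like one from home Wi-Fi.

```python
"""Zero Trust-style access evaluation for a document platform (added example).

Every request is evaluated from identity and device-posture signals alone.
Thresholds, field names and sample data are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# Assumed policy thresholds (not iManage policy).
MAX_PATCH_AGE_DAYS = 30           # security updates older than this fail posture
MAX_DEVICE_AGE_DAYS = 5 * 365     # the article's "at least five years old" rule


@dataclass(frozen=True)
class DevicePosture:
    device_id: str
    mdm_enrolled: bool
    last_patched: date
    disk_encrypted: bool
    model_release: date           # when the device model shipped


@dataclass(frozen=True)
class Identity:
    user: str
    mfa_satisfied: bool           # MFA or passkey assertion verified this session
    groups: frozenset


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reasons: tuple                # empty when allowed; denial reasons otherwise


def posture_from_report(report: dict) -> DevicePosture:
    """Parse a constructed MDM posture report. Missing fields fail closed:
    an unknown patch date or release date is treated as ancient."""
    return DevicePosture(
        device_id=report["device_id"],
        mdm_enrolled=bool(report.get("mdm_enrolled", False)),
        last_patched=date.fromisoformat(report.get("last_patched", "1970-01-01")),
        disk_encrypted=bool(report.get("disk_encrypted", False)),
        model_release=date.fromisoformat(report.get("model_release", "1970-01-01")),
    )


def evaluate(identity: Identity, device: DevicePosture, resource: dict, today: date) -> Decision:
    """Decide one request. resource has 'sensitivity' ('internal' or
    'confidential') and, for confidential content, 'allowed_groups'.
    Checks are cumulative so the caller sees every failing control at once."""
    reasons = []
    # Baseline controls apply to all content, wherever the request comes from.
    if not identity.mfa_satisfied:
        reasons.append("mfa_required")
    if not device.mdm_enrolled:
        reasons.append("device_not_enrolled")
    if today - device.last_patched > timedelta(days=MAX_PATCH_AGE_DAYS):
        reasons.append("patches_out_of_date")
    # Stricter posture and explicit group membership for confidential content.
    if resource["sensitivity"] == "confidential":
        if not device.disk_encrypted:
            reasons.append("disk_not_encrypted")
        if today - device.model_release > timedelta(days=MAX_DEVICE_AGE_DAYS):
            reasons.append("device_too_old")
        if not identity.groups & resource.get("allowed_groups", frozenset()):
            reasons.append("not_in_allowed_group")
    return Decision(allowed=not reasons, reasons=tuple(reasons))


# Constructed sample data: a fixed "today", three posture reports, two users.
TODAY = date(2024, 6, 1)
REPORTS = {
    "good": {"device_id": "lt-001", "mdm_enrolled": True, "last_patched": "2024-05-20",
             "disk_encrypted": True, "model_release": "2022-01-01"},
    "stale": {"device_id": "lt-002", "mdm_enrolled": True, "last_patched": "2024-03-01",
              "disk_encrypted": True, "model_release": "2017-05-01"},
    "unenrolled": {"device_id": "ph-003"},   # personal phone, no MDM, no posture data
}
ALICE = Identity("alice", mfa_satisfied=True, groups=frozenset({"finance"}))
BOB = Identity("bob", mfa_satisfied=False, groups=frozenset({"finance"}))
WIKI = {"name": "internal-wiki", "sensitivity": "internal"}
BOARD_PACK = {"name": "board-pack", "sensitivity": "confidential",
              "allowed_groups": frozenset({"finance", "exec"})}


def demo() -> dict:
    """Evaluate a handful of requests and return the decisions by label."""
    devices = {k: posture_from_report(v) for k, v in REPORTS.items()}
    return {
        "alice-good-wiki": evaluate(ALICE, devices["good"], WIKI, TODAY),
        "alice-good-board": evaluate(ALICE, devices["good"], BOARD_PACK, TODAY),
        "bob-good-wiki": evaluate(BOB, devices["good"], WIKI, TODAY),
        "alice-stale-board": evaluate(ALICE, devices["stale"], BOARD_PACK, TODAY),
        "alice-unenrolled-wiki": evaluate(ALICE, devices["unenrolled"], WIKI, TODAY),
    }


if __name__ == "__main__":
    for label, decision in demo().items():
        print(f"{label:24} allowed={decision.allowed} reasons={decision.reasons}")
```

In practice the posture report would come from the MDM tool and the MFA signal from the identity provider, and the decision would be re-evaluated on every request rather than once at login, which is what makes the stale or unenrolled device lose access the moment its posture degrades.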
The upshot? Whether or not employees keep up with the rules and recommendations from the IT department when it comes to updating and patching their devices regularly, the connection to the sensitive content in the document management platform is secure, keeping data protected.