Much has been made of third-party risk management over the last ten years as the industry has grown from basic security questionnaires to third-party risk assessors and platforms. It’s common knowledge that our data is only as secure as our third-party vendors. Going back to 2014, when Target was famously breached via its HVAC contractor, third-party risk is an essential threat surface.
As companies design and implement third-party risk assessment policies, one area often overlooked is assessing whether vendors effectively manage BYOD, and employee-targeted digital risk is often overlooked. It’s essential to ensure that your vendors are running personalized managed cybersecurity programs.
I am surprised by how often I speak with CISOs and compliance officers who aren’t including specific questions about bring your own device (BYOD) by vendor employees. BYOD allows employees to use their personal devices, such as laptops, smartphones, and tablets, for work purposes. While this can be convenient for employees and employers, it can pose a significant security risk if not properly managed.
The problem is that many security frameworks do not explicitly include BYOD, as they ask about company-owned devices only. This neglects that company employees can access email, files, and other sensitive resources from BYOD devices, which are often unprotected.
You wouldn’t work with a vendor that doesn’t have comprehensive security on its corporate devices. Why would you work with a vendor that doesn’t have comprehensive protection on its BYOD devices?
Employee Targeted Digital Risk is a rapidly growing threat surface, and it is essential for companies to implement a personalized managed cybersecurity program to protect not only BYOD devices but the entirety of their employees’ personal digital lives.
Add questions about BYOD to vendor security questionnaires to ensure that vendor employees are not exposing your enterprise to danger. Even for vendors that may say they don’t allow BYOD, it’s critical to confirm whether employees may be able to do things like access company email, or cloud services, on personally owned devices. If the answer is yes, those devices need to be protected!
Personal devices may have a different level of security than company-owned devices and may not be updated as frequently, leading to vulnerabilities. Additionally, personal devices may have a different level of protection and can be lost or stolen, leading to a potential breach. By including questions about BYOD in your vendor security questionnaires, you can ensure that your vendors take the necessary precautions to secure personal devices used for work purposes.