Excerpt from Benefits Pro, Written by Amir Tarighat (Co-founder of Agency):
As we enter 2023, the most significant cybersecurity themes companies will face will revolve around threats coming from Employee-Targeted Digital Risks. This emerging threat surface represents attacks that come to the enterprise via their employees’ personal devices, accounts, and digital lives. In 2022, we saw security incidents at Microsoft, Cisco, Uber, and others that originated in employees’ personal digital worlds, outside of the areas normally safeguarded by corporate-controlled cybersecurity. This rapidly emerging problem is driving our growing need for better security and privacy, and its best and possibly only solution lies at the intersection of HR benefits and an IT department’s BYOD policy.
A BYOD – or “Bring Your Own Device” – policy sets out the rules under which employees may use personal devices to access company systems like email and Slack. Many companies already depend on personal devices for two-factor authentication by SMS or authenticator apps, often as a primary login control (SMS codes in particular remain exposed to SIM swapping and real-time phishing relays). Currently, even companies with robust BYOD policies usually implement weak cybersecurity measures that can annoy users and, at worst, violate their privacy. The solution to this problem is in giving employees real, professional-grade cybersecurity measures that they can use in their personal lives as well as at work.
To understand why, we have to dive a little deeper into how we got here. Enterprise cybersecurity has come a long way in the last decade. That improvement has come from the adoption of mature cybersecurity frameworks, enterprise tools, cyber insurance, legal policies, and an ecosystem of educational programs that train specialized computer security professionals. Today, companies spend more money than ever to protect their data and systems. Plus, the use of cloud servers and cloud-based software has helped companies share some of the burden of protecting their core technical infrastructure.
Despite all those gains for companies, there haven’t been any significant improvements to consumer cybersecurity technology. The average individual isn’t any better off in terms of the quality of their personal digital security than they were a few years ago or even longer. Most people don’t spend any money on cybersecurity, and those who do tend to purchase passive countermeasures like VPNs and antivirus, which don’t reflect how active, comprehensive cybersecurity is done by professionals. By and large, the average individual expects someone else, such as their bank, email provider, or device manufacturer, to be responsible for their digital security and privacy. When these organizations fall short, it can be company assets that are compromised.
In addition to the widespread use of personal smartphones to access work applications and email, pandemic-accelerated remote work has encouraged us to bring our work home to our own devices. This creates the perfect storm for criminal hackers to target individuals as a means to attack the organizations they work for. Attackers can now leverage anything from stolen passwords on the Dark Web and personal information from data brokers to complex malware and phishing campaigns to gain access, through employees, to valuable company data and systems. Even if you prohibit work on personal devices, employees do it anyway. When your employees are vulnerable to cybersecurity threats, so is your company. The key advantage of BYOD based on strong personal cybersecurity is ensuring that any device that could potentially be connected to your company is properly secured.
If you’re looking to implement this kind of policy at your company, here are a few further aspects to keep in mind:
- Prep for increased volume. When implementing a BYOD policy, ensure that your internal security team or external vendors are prepared to support an increase in device volume and diversity. Make sure your IT team has enough personnel and know-how to cover the expanded attack surface it now has to patrol. The tools used for managing corporate-owned devices are likely inadequate for the issues that come with personal devices.
- Be active. The services your team uses collect a vast amount of employee and company information. It’s not enough to purchase passive countermeasures; you need active cybersecurity monitoring and response to be able to detect and defend against threats. Implementing ongoing dark web monitoring for data breaches affecting your employees is critical to preventing hackers from using exposed data to move into your systems.
- Privacy first. The number one place where BYOD policies fail is that they don’t respect the privacy of users, and so, rightly, they don’t get the adherence to procedures and software needed to protect everyone.
The major challenge of a BYOD policy is balancing improved security with everyone’s need for personal privacy. In Europe, for example, regulations like GDPR make installing corporate security software on personal devices a potential violation of privacy. As the U.S. approaches similar legislation, we’re likely to see the same thing here. At the end of the day, employees don’t want their corporate IT teams supervising their personal lives. The best way to handle this is by using an outside firm that specializes in both the software and the management of personal cybersecurity. Alternatively, some organizations, like government entities, might choose to develop their own in-house expertise and teams just to manage personal cybersecurity.
But ultimately, a BYOD policy is a benefit for employees and should be treated as such. Given that the efficacy of cybersecurity awareness training is questionable at best, the way to get employees to take security seriously isn’t to force them to watch videos they may not pay attention to but to offer quality cybersecurity that benefits them both individually and as part of the company ecosystem. This both addresses the need to improve personal security within an organization and gives teams the confidence and privacy to work flexibly without leaving companies vulnerable to cybercrime. For organizations looking to protect their assets and become leaders in digital security, sponsored cybersecurity benefits turn this important area of compliance from a burden into a perk.
Amir Tarighat is a personal cyber privacy expert and Co-Founder and CEO of the cybersecurity company Agency.