Phone and Device Safety: Ways to Keep Your Business Safe

Remote work and bring-your-own-device policies have changed how we do business—and introduced new risks to your business’s data and operations.

Companies in every industry are adjusting to a new normal of hybrid work and remote connectivity. This shift in how and where we work is made possible by an increasing reliance on employee-owned or employee-enabled devices, most commonly mobile phones, laptops and tablets. Bring-your-own-device—or BYOD—policies have made it easier for many workers to do their jobs from any location. And they have cut costs for companies that no longer have to buy, ship, maintain and replace business-issued employee devices.

However, along with cost savings and convenience come security risks. Every device—personal or business-issued—represents a potential breach point that could allow for a cyber event that results in fraud, loss of valuable or sensitive data or reputational harm.

“It’s human nature to look to convenience before safety,” says Jeffrey A. Taylor, Head of Fraud Forensics and Commercial Payments Strategy at Regions Bank in Birmingham, Alabama. “When we’re in a hurry, we drive over the speed limit and don’t think about safety. We often take a similar approach with new technology and security.”

To be sure, many companies are managing the risks presented by BYOD practices through a combination of improved security features on devices, consistent messaging to employees about cybersecurity, and policies that clearly spell out what types of behavior are allowed. But as the digital landscape expands and bad actors change their tactics, BYOD practices can’t remain static, especially if a business’s security protocol needs updating.

There is no single way to address BYOD security. Every business needs to develop a BYOD policy based on its business structure, regulatory environment and risk tolerance. The only option that doesn’t work is having no policy at all. What follows are guidelines for evaluating your business’s BYOD approach and making sure it is in sync with how your employees do business.

This graphic is called, “Understanding the Acronyms” and defines four ways that businesses can approach device management. The first is “Bring Your Own Device: BYOD,” which reads, “The employee uses a personal electronic device for work functions and handling business data. Responsibility for security is mostly on the device owner.” The second is “Choose Your Own Device: CYOD,” which reads, “The business allows an employee to choose from an approved list of business-owned devices. Employees can customize the device, but the business has administrator privileges.” The third is “Corporate-Owned, Personally Enabled: COPE,” which reads, “The business issues the device but allows employees some latitude in how it’s set up and used.” The fourth is, “Corporate-Owned, Business-Only: COBO,” which reads, “The business issues the device and maintains control of how it’s used. Personal use is severely limited—or prohibited.”

Recognize That ‘Identity Is the New Perimeter’

In today’s BYOD work culture, the method for verifying an employee’s identity when they log in to a device—business-owned or personal—is the key to security. “Companies rely on identity and access management to get insights into what each employee is doing, what devices they’re using to access business networks and whether or not they’re logging in from where we expect them to be,” says Adam Perino, Vice President of Cybersecurity at Regions Bank. “The improved technology around user-based analytics has helped companies detect when someone is doing something suspicious, and maybe it’s not ‘them’ who is behind the action.”

This comes as security controls on common devices have steadily improved. “Just think in terms of biometrics,” says Taylor. “Facial recognition didn’t exist on all our phones until just a few years ago. The device itself is much more secure.”

That said, companies should make it clear that they expect employees to enable biometrics and multi-factor authentication (MFA) on every device they use. When strict BYOD policies are called for due to regulatory oversight or access to sensitive data, companies may need to deploy advanced facial recognition controls on all devices to ensure that only the designated employee is logging in. “It’s important to deploy other factors of identity authentication to access devices,” Taylor adds. “That makes a big difference in BYOD security.”

Create Containers for Business Apps and Functions

BYOD policies need to protect important corporate data without making the controls so restrictive that employees feel they can’t work effectively—and develop workarounds as a result. Even on devices issued by the business, that can create security blind spots. “Companies have little say over the applications installed on a personally owned device, or even on a business-owned device, unless they exercise rigorous oversight,” says Perino. “There’s a greater risk of a malicious application installation or other malicious activity that’s outside the organization’s monitoring capability.”

Companies can mitigate these risks by separating work applications from personal applications on employee devices. Should any malicious activity be detected, security teams can wipe the business-facing applications to prevent a deeper intrusion. Plus, they can protect corporate data in the case of a lost device by making it accessible only with a personal ID or password.

Communicate Device Management Policies Clearly

To set the tone for proper BYOD hygiene, create a policy for device security—and be transparent about what behavior is acceptable and what isn’t (such as downloading apps for personal use on a business-issued device). “The business attorney and device management department should help craft the policy but also the messaging to employees about what detection capabilities are in place and what actions can be taken when any anomalous behavior is detected,” says Taylor.

Be clear about what employees should do to keep their devices secure. “You need to give employees a leg up,” Taylor says. “Remind them that it’s up to them to make sure they apply all patches and updates, where it’s safe to connect to business networks and what behaviors they should avoid, such as using public Wi-Fi to do business, especially if they are handling sensitive data.”

Reinforce Security Basics

No matter what devices employees use for business, threats such as phishing emails, malicious links and attachments and spoofing are still among the most common sources of cyber incidents and data breaches. Every employee must acknowledge their responsibility in keeping business data secure, along with their own personal information and assets. In many cases, this simply means enabling the security controls that come with the device.

“If your device has facial ID or MFA, by all means use it,” says Taylor. “If you need a six-digit PIN to unlock the device, don’t choose something simple like 1-1-1-1-1-1. The same goes for passwords. Unfortunately, most security teams have stories about users who made it all too easy for bad actors to gain access.”

The basics include best practices for accessing business networks. If your organization makes use of a virtual private network, or VPN, employees should adhere to this extra step—and make sure their login credentials are robust.

“Leadership has to be clear about what they expect from their employees when it comes to protecting their devices and connecting to the network,” Taylor says. “But after that, each person has to take ownership by prioritizing security in their day-to-day function.”

Building a Company Policy

As you build a BYOD policy for you and your employees, keep these points in mind.

  • The company, brand or business needs to set expectations. Security is, in a way, every employee’s business. But leaders and security teams need to establish methods and best practices that employees can rely on to protect the business and its value.
  • Deploy security controls that protect critical business data and functions. Security teams should invest in technology for BYOD and business-owned devices that segments out essential functions and information and can wipe infected applications when necessary.

Stay Alert and Revisit Your BYOD Plan

Remember that things change rapidly when it comes to security and fraud. While device security has steadily improved, bad actors shift tactics constantly to steal passwords and trick administrators into thinking their access is legitimate. Employees should use all available access controls and maintain good habits around password management and overall cyber hygiene. And your business should frequently revise your policies to ensure you are combating against the newest fraud tactics.

Three Things to Do

  1. Read more about protecting your business from fraud.
  2. You can combat fraud, but your business should also build a response plan in case there is a data breach.
  3. As employees shift to roles that may be flexible or fully remote, consider what that means for your security.