More companies are catching on to the fact that employees are most productive when they can use the tools and devices they’re already comfortable with. This is quickly eliminating the notion of company-assigned laptops, as 67% of workers already use their own devices at work.
With more workplaces adopting a BYOD policy, network security measures are also tightening. However, tight security has one major flaw: it creates minor inconveniences that lead employees to create workarounds to get the job done.
Standard security is important but not enough
The standard approach to BYOD security involves securing your company’s network so each user only has access to what’s necessary to perform their job. This is important, as you don’t want people to have free rein over your entire company’s network.
With tight security comes restricted convenience. When convenience is restricted for employees, they’re going to create workarounds that violate security policies.
Here are some ideas for closing the gaps in security that often go unnoticed:
Keep a stock of USB flash drives available for employee use
Employees are going to need to transfer files to each other frequently. Some of these files will be large. If you already have a Box or Dropbox account, don’t assume all employees will think to upload their files there first. If they haven’t been trained to do that, when someone needs a file, they’re going to think about how to get that file directly to the person who needs it.
Since email accounts usually have a file size limit of 25MB, they might use an external file transfer service like WeTransfer. The files are eventually deleted from their server, but that means your company data will remain on a third party’s server for a period of time. This leaves your data vulnerable to data breaches.
Although employees could transfer files directly between computers, sometimes a computer’s Bluetooth won’t work and the file is needed in that moment. So, they’ll reach into their bag and pull out their personal USB drive to use.
Unfortunately, viruses and malware can be spread easily through USB flash drives. To reduce this risk, fill a locked cabinet with USB drives for employees to use when needed. USB drives are cheap enough – between six and ten bucks – and you can require them to be signed out for use. You can have someone wipe and reformat each drive before making it available again, just as a precaution.
While your employees won’t rely on USB drives for file transfers, having them on hand will protect your company’s data in the event that an immediate file transfer is needed.
Don’t allow vape pens in the office
People have started using vape pens to hack into computers. With a few modifications, a vape pen plugged into a USB port can do some serious damage.
Recently, security researcher Ross Bevington demonstrated how to hack a computer with a vape pen at a presentation at BSides London. His demonstration showed the pen could interfere with network traffic and even masquerade as a keyboard. These types of hacks required the computer to be unlocked.
However, not all attacks require an unlocked machine. “Poison Tap is a very similar style of attack that will even work on locked machines,” Bevington told Sky News.
Another security researcher who goes by the name ‘Fouroctets’ posted this 22-second video showing a vape pen executing code on a Windows laptop.
It sounds harsh to ban vape pens from the office, but it’s not worth the risk.
Require permission to audit employees’ devices
When you hire somebody, it’s important to get their consent to audit any personal devices they bring to work to access the company network – especially when you’re bound by regulatory compliance like HIPAA. If you don’t get permission, you’ll regret it the first time there’s a problem.
You can inspect company laptops at any time because they belong to the company. You can’t inspect an employee’s personal computer without permission, even though they use it for work.
While privacy is important, your company’s security should always come first.
Be strict with your security measures and make no exceptions
Your security policies should be enforced across the board with no special treatment for anybody. This ensures everyone has to follow the same rules, and nobody feels singled out.