Reading Time: ~ 3 min.

Nestled within our chapter on malware in the 2020 Webroot Threat Report
is a comparison of infection rates between business and personal devices. The
finding that personal devices are about twice as likely as business
devices to become infected was always significant, if not surprising.

But the advent of the novel coronavirus—a development that
that followed the publication of the report—has greatly increased the importance
of that stat.

According to a joint study
by MIT, Stanford, and the National Bureau of Economic Research (NBER), more
than a third (34%) of Americans transitioned to working from home as a result
of COVID-19. They join approximately 14.6% of workers already working from home
to bring the total to nearly half the entire American workforce.

During remote work many employees are forced or simply able
to use personal devices for business-related activities. This presents unique
security concerns according to Webroot threat analyst Tyler Moffitt.

“In a business setting,” he says, “when
you’re given a corporate laptop it comes pre-configured based on what the IT
resource considers best practices for cybersecurity. This often includes group
policies, mandatory update settings, data backup, endpoint security, a VPN, et
cetera.”

Individuals, on the other hand, have much more freedom when
it comes to device security. They can choose to put off updates to browser
applications like Java, Adobe, and Silverlight, which often patch exploits that
can push malvertising.
They can opt to not install an antivirus solution or use a free version. They
can ignore the importance of backing up data altogether.

These risky practices threaten small and medium-sized
businesses (SMBs) both immediately and when workers gradually return to their
shared office spaces as the virus abates.

As our report notes, “With a higher prevalence of
malware and generally fewer security defenses in place, it’s easier for malware
to slip into the corporate network via an employee’s personal device.”

What’s at stake, for SMBs, is the loss of mission-critical
business data due to device damage, data theft via phishing and ransomware, and
GDPR and CCPA fines for data breaches. Any of these threats on their own could
be existential for SMBs.

What can businesses do to prevent BYOD-enabled data loss?

“Super small
businesses may not have the luxury of outlawing all use of personal devices,”
says Moffitt. “BYOD is a fact of life now, especially with so many individuals at
home, using home computers.”

But employers aren’t
out of luck entirely. They can still purchase for their employees, and
encourage the use of, several essential security tools. These include:

  • Endpoint security software – Employers should provide endpoint security for home devices when necessary. When it comes to free solutions, you get what you pay for in terms of protection. Currently, there’s the expectation, especially among younger people, that built-in antivirus solutions are enough for blocking advanced threats. In reality, layered security is essential.
  • Backup and recovery software­­ – Many SMBs rely on online shared drives for collaborating. This is dangerous because a single successful phishing attack can unlock all the data belonging to a company. GDPR and CCPA fines don’t differentiate between data stolen from personal or business devices, so this level of risk is untenable. Make sure data is backed up off-site and encrypted.
  • A VPN – IT admins or contractors should ensure that any sensitive company data requires a secure VPN connection. Especially with employees connecting on public or unsecure networks, it’s important to guard against snooping for data in transit.
  • Secure RDPs – Remote access can be a great option when working from home, but it must be done securely. Too often unsecured RDP ports are the source of attacks. But, when encrypted and protected by two-factor authentication, they can be used to access secure environments from afar. Many are even free for fewer than five computers.
  • User education – Security awareness training is one of the most cost-effective ways of protecting employees from attack on their own devices. Phishing attacks can be simulated and users in need of additional training provided it at very little additional cost. When compared to a data breach, the cost of a few licenses for security training is miniscule.

Collaboration over coercion

It’s difficult to mandate
security solutions on personal devices, but managers need to at least have this
conversation. Short of installing “tattleware,” this has to be a collaborative rather than a coercive effort.

“You can’t enforce a
group policy on a computer or a network that you don’t own,” reminds Moffitt.
“Ideally, yes, give each employee a corporate laptop to work at home that’s
securely configured. But if that’s not possible, work with employees to ensure
the right steps are taken to secure corporate data.”

Companies should
work with IT consultants to source high-performing versions of the solutions
mentioned above and cover their cost if it’s understood that personal devices
should be used during this period of working from home. If taken advantage of,
it can be an opportunity to foster a culture of cyber resilience and your organization will come out
stronger, wherever your employees are located.

The post Your Data, Their Devices: Accounting for Cybersecurity for Personal Computers appeared first on Webroot Blog.