Why BYOD?
How to make BYOD secure?
When managed securely, allowing your employees to use their own devices for work can have huge benefits for your business.
Employees feel more comfortable, and accordingly are more productive, working on devices they are familiar with. Another important benefit is that Bring Your Own Device (BYOD) cuts down significantly on device and software costs.
This article provides 5 tips on how to make BYOD secure. The most effective single measure you can put in place is to move your end-user computing workloads into the cloud.
What are the risks of enabling BYOD?
There are a number of risks associated with BYOD. These include:
- Data loss
- Lost or stolen devices
- Access to data by people that have left the company
- Malware
- Ransomware
5 Tips to Make BYOD Secure
5. Make employees ‘security aware’
Many security issues and breaches are caused by human error. These often happen when an employee doesn’t fully understand security risks. This is particularly the case when it comes to device security.
For this reason, it is vital to create a culture of security awareness. Provide regular training to make sure everyone understands risks and best practices.
4. Use Mobile Device Management
With a Mobile Device Management (MDM) service such as Microsoft Intune you can control how your organisation’s devices are used, including mobile phones, tablets and laptops. You can also configure specific policies to control applications.
On personal devices, MDM helps make sure your organisation’s data is protected, because it lets you separate company data from employee data. Your BYOD employees will need to enrol their device (on phones and tablets this is done through the Company Portal app), after which it can be managed remotely by the MDM service. Where full enrolment is too intrusive for a personal device, Intune app protection policies (mobile application management) can protect company data inside managed apps such as Outlook and Teams without enrolling the device at all.
The challenge with MDM is to find a balance between making an endpoint fully secure and infringing on a user’s privacy and freedom to keep control of their own device.
3. Implement conditional access policies
Conditional Access is a feature of Azure Active Directory (now Microsoft Entra ID) that ensures only authorised users on authorised devices can access your organisation’s data. A Conditional Access policy combines conditions (who the user is, which application they are opening, where they are signing in from and what device they are on) with grant controls: when a sign-in matches the conditions, the user must satisfy the controls, such as completing multi-factor authentication, before access is granted.
You can also apply policies that require the device to be marked compliant by your MDM, which prevents access from unmanaged personal devices, and use named locations to block sign-ins from countries or networks you do not expect. Start new policies in report-only mode and exclude at least one break-glass account, so that a mistake in a policy cannot lock every administrator out of the tenant.
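To make the mechanics concrete, here is an added example (not from the original article and not Microsoft’s code) that builds two policy bodies in the JSON shape Microsoft Graph accepts at `POST /identity/conditionalAccess/policies` and then runs sign-ins through a simplified local model of the decision logic. The user and named-location identifiers are hypothetical placeholders; in a real tenant they are directory object IDs, and the evaluator is an illustration of how conditions and grant controls combine, not the service’s real engine.

```python
"""Conditional Access policy bodies plus a simplified local evaluator (added example).

The dictionaries are in the JSON shape Microsoft Graph accepts at
POST https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies.
The evaluator models the decision logic for illustration; it is not Microsoft's engine.
"""
from dataclasses import dataclass
from typing import List

# Hypothetical identifiers (assumed). In a real tenant these are object IDs taken from
# the directory and from /identity/conditionalAccess/namedLocations.
BREAK_GLASS_USER = "00000000-0000-0000-0000-0000000000bg"
LOC_BLOCKED_COUNTRIES = "loc-blocked-countries"
LOC_HQ = "loc-hq"


def require_mfa_and_compliant_device() -> dict:
    """All users, all cloud apps: grant only when MFA AND an Intune-compliant device are present."""
    return {
        "displayName": "BYOD: require MFA and compliant device",
        # Use "enabledForReportingButNotEnforced" (report-only) first, then switch to "enabled".
        "state": "enabled",
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeUsers": [BREAK_GLASS_USER]},
            "applications": {"includeApplications": ["All"]},
            "clientAppTypes": ["all"],
            "locations": {"includeLocations": ["All"]},
        },
        "grantControls": {"operator": "AND", "builtInControls": ["mfa", "compliantDevice"]},
    }


def block_from_named_location() -> dict:
    """Block every sign-in whose client IP falls inside the 'blocked countries' named location."""
    return {
        "displayName": "Block sign-in from disallowed countries",
        "state": "enabled",
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeUsers": [BREAK_GLASS_USER]},
            "applications": {"includeApplications": ["All"]},
            "locations": {"includeLocations": [LOC_BLOCKED_COUNTRIES]},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


@dataclass
class SignIn:
    user: str
    app: str
    location: str          # named-location id the client IP falls in, or "" if none
    mfa_done: bool
    device_compliant: bool


def _in_scope(policy: dict, s: SignIn) -> bool:
    """Does the sign-in match the policy's user, application and location conditions?"""
    cond = policy["conditions"]
    users = cond["users"]
    if s.user in users.get("excludeUsers", []):
        return False
    if "All" not in users["includeUsers"] and s.user not in users["includeUsers"]:
        return False
    apps = cond["applications"]["includeApplications"]
    if "All" not in apps and s.app not in apps:
        return False
    locs = cond.get("locations")
    if locs:
        if s.location in locs.get("excludeLocations", []):
            return False
        inc = locs.get("includeLocations", [])
        if "All" not in inc and s.location not in inc:
            return False
    return True


def evaluate(policies: List[dict], s: SignIn) -> str:
    """Return 'block', 'grant' or 'deny:<missing controls>' for a sign-in (simplified model)."""
    satisfied = {"mfa": s.mfa_done, "compliantDevice": s.device_compliant}
    missing = []
    for p in policies:
        if p["state"] != "enabled" or not _in_scope(p, s):
            continue
        grant = p["grantControls"]
        controls = grant["builtInControls"]
        if "block" in controls:
            return "block"  # a matching block policy always wins
        checks = {c: satisfied.get(c, False) for c in controls}
        ok = all(checks.values()) if grant["operator"] == "AND" else any(checks.values())
        if not ok:
            missing.extend(c for c, done in checks.items() if not done)
    return "grant" if not missing else "deny:" + ",".join(sorted(set(missing)))


POLICIES = [require_mfa_and_compliant_device(), block_from_named_location()]

if __name__ == "__main__":
    print(evaluate(POLICIES, SignIn("alice", "Office365", LOC_HQ, True, True)))
    print(evaluate(POLICIES, SignIn("alice", "Office365", "", True, False)))
```

The fourth case in the test below is the reason for the break-glass exclusion: an account excluded from every policy still signs in from a blocked location without MFA, which is exactly what you want when a policy mistake has locked everyone else out, and exactly why that account needs a very long password and close monitoring.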
2. Enforce Multi-Factor Authentication (MFA) and password complexity rules
Multi-Factor Authentication (MFA) reduces the risk of account compromise and keeps data safe. According to Microsoft, MFA can “prevent 99.9 percent of attacks on your accounts.”
At a basic level, authentication requires proof that users are who they say they are. Multi-factor authentication takes this a step further: a username and password are only one factor (something the user knows), so users must also present proof from at least one more independent factor (something they have, such as a phone or hardware key, or something they are, such as a fingerprint) before they are granted access to a resource.
As well as their PIN or password, users typically provide a one-time code, or approve a push notification, generated by an authenticator app on their mobile phone; the phone is the “something you have”. Users also unlock the phone and the app with a fingerprint or facial recognition, but that biometric is checked locally on the device and never seen by your service, so treat it as hardening the possession factor rather than as a third factor your policy can rely on. As for password rules, current guidance from Microsoft and NIST is to block known-breached passwords and favour length over forced composition rules and periodic rotation.
1. Move workloads to the cloud with Azure Virtual Desktop (AVD)
This is by far the most effective and comprehensive measure you can take to make BYOD secure. It addresses every one of the risks mentioned earlier in this article:
Data loss
With AVD, your data is in the Azure Cloud and not on the user’s device. Because data is held on a server, it can be regularly backed up, provided you configure Azure Backup for the session hosts and for the storage that holds user profiles and files; AVD does not back anything up on its own. If data on the desktop gets deleted or corrupted, whether by human error, malicious attack or technical failure, it can then be easily restored. Microsoft’s Azure data centres have many redundant systems and are therefore more resilient than most corporate data centres, so with Azure you are much less likely to be impacted by power outages, hardware failures or other common data centre issues.
There are also a number of actions that can be taken to prevent users from syncing data from cloud applications back to their local device. The simplest is to turn off drive, clipboard and printer redirection in the host pool’s RDP properties, so that files cannot be dragged out of the session.
The most effective of these is to have employees boot into a secure edge OS, such as IGEL OS. This leaves the user’s own disk untouched, effectively read-only, and free from company data.
Lost or stolen devices
Using AVD can’t prevent your users’ devices from being lost or stolen, but it can ensure that anyone who gets hold of a user’s device cannot reach your company data, provided the data never left the virtual desktop (redirection disabled, as above) and sign-in requires MFA and a compliant device, so that a password cached on the device is not enough on its own.
Access to data by people that have left the company
Access to AVD is managed by Azure Active Directory. When someone leaves the company, disable their directory account and revoke their sign-in sessions (refresh tokens) so that existing sign-ins cannot be refreshed, then log off any active sessions on the session hosts; disabling the account alone does not end a connection that is already open.
Malware
Using AVD can help to avoid a malware attack. Equally important, it gives you a way to recover quickly and easily in the event that you do fall victim to an attack.
With AVD, desktops are managed centrally, so it is relatively easy to ensure that the operating system is regularly kept up to date with security and other patches. With AVD, these updates can be run outside of working hours to ensure that there is no downtime for employees.
Policies can easily be enforced in AVD which prevent a user from downloading and installing applications from the Internet; such downloads are a leading cause of malware infections.
One of the key security benefits of running a VDI solution on Azure is that the platform itself is well defended. Data on managed disks and in Azure Storage is encrypted at rest by default, and services such as Microsoft Defender for Cloud provide detection for many common attacks. Microsoft reports employing more than 3,500 security professionals. Bear in mind the shared responsibility model, though: Microsoft secures the underlying infrastructure, while you remain responsible for the guest operating system, identities, access policies and data inside your session hosts.
If a pooled session host in Azure does become infected with malware it can simply be turned off and redeployed from its golden image. Keep user profiles on separate storage (FSLogix profile containers) so that rebuilding a host loses no user data.
Ransomware
When they are used to connect to applications in the cloud, user devices can still fall victim to ransomware attacks. These are increasingly prevalent; by one estimate, attacks increased by 500% during the pandemic.
Providing employees with a secure edge operating system such as IGEL OS that they can boot from a USB device addresses this problem. Booted this way, the personal operating system and its disk are never running, so the attack surface is minimised: ransomware on the personal installation cannot touch the session, and company data never lands on the device in the first place.
This has zero impact on the user’s device and they never need to install any third party software or security agents. When the USB device is removed from your employee’s computer it is reverted to its normal state and can be used as a personal device.
Conclusion – How to make BYOD Secure
Moving workloads to the cloud is by far the most effective and comprehensive measure you can take to make BYOD secure. Microsoft describes Azure Virtual Desktop (AVD) as the only solution fully optimised for Windows 10, Windows 11 and Microsoft 365.
AVD can be technically challenging and expensive. Using a managed AVD service like the one we offer at Cognition Cloud gives you all the benefits at a predictable monthly cost.
If you follow the tips described here you can make BYOD safe. The result is:
- Less money spent on buying and managing company devices
- Better user experience
- More flexibility to work remotely
- Increased productivity and agility
- Improved recruitment and retention
Sustainable. Smart. Secure.
David is a co-founder of Cognition Cloud and is passionate about sustainability in IT. Always thinking about how IT solutions can be greener, more secure and more cost effective.