Discover the 5 biggest security risks of BYOD.

1. Data breaches

BYOD devices – especially mobile devices – complicate any IT security strategy. They’re often easier for employees to lose and usually aren’t as well-protected from security threats as business-owned devices.

Plus, because BYOD devices normally contain a mixture of personal and business data, they’re more difficult for IT to secure and remotely control in case something does go wrong.

Hybrid working has led to a rise in data breaches. Read this blog to discover how remote work has changed the face of cybersecurity.

2. Unsecured networks

Because of the flexibility they offer, employees often use BYOD devices on the go – it’s one of the main reasons many people opt for BYOD in the first place. And the public Wi-Fi in the café is pretty convenient if you fancy a cappuccino while you work. But connecting to an unsecured Wi-fi network puts valuable company data at risk. When employees connect to public Wi-Fi networks, their work device becomes vulnerable to attacks like:

• Honeypots: Fake Wi-Fi hotspots set up by attackers, which look legitimate to end-users.
• Snooping: Attackers listening to network traffic between two machines, potentially exposing confidential data to people outside the organization.

When drafting up a BYOD policy, it’s crucial to take these ‘third spaces’ like cafés and pubs – and their unsecured networks – into account.

3. Blurred lines

Unclear security expectations are already bad news for any IT department. But couple them with BYOD and you’ve got a potential security nightmare on your hands.

Why?

Well, if an employee is using a personal device for work, this means that they’re probably using it when the working day ends, too. Unfortunately, this means they’re less likely to stick to security best practices.

After all, you probably don’t apply the same caution when using your own laptop in your leisure time as you do when using a device at work. But because that personal device is also being used for work, this carries the risk of exposing confidential company data. So, it’s extra important to set clear security expectations for employees who are working on their own devices.

Here’s how to maintain security while employees work remotely.

4. Shadow IT

Using a personal device for work as part of a BYOD policy is one thing but doing it entirely without the IT department’s knowledge is another thing entirely. This is where the risks of BYOD meet that creepily named phenomenon, shadow IT.

If employees are using personal devices for work without notifying IT, it creates invisible risks that the IT department can’t address because they don’t know about them. It also increases the attack surface of the organization, making it more susceptible to things like data leaks.

5. Malware

Another major security risk of BYOD devices – especially smartphones – is that they are more vulnerable to being infected with malware than other devices. Worryingly, this can often happen without users even noticing. It’s pretty common for smartphone users to inadvertently download malicious software to their devices, which could enable attackers to steal data or even uninstall security programs.

Want to stay one step ahead of attackers?

With cyber-attacks becoming more sophisticated by the day, getting on top of IT security is more important than ever. Discover 6 ways to boost your company’s IT security in this blog.

The post The 5 biggest BYOD cybersecurity risks appeared first on MCG - EN.

1. Get BYOD under control

The rise of hybrid working means that more employees are opting to use their personal devices, such as laptops and phones, for work. For your colleagues, this means more freedom and flexibility. But, for IT departments, unsecured personal devices are a potential security disaster waiting to happen.

The solution? Unclear expectations are the enemy of IT security. So, to ensure that ‘bring your own device’ (BYOD) doesn’t get out of hand at your organization, start by making sure that employees know what’s expected of them. What kinds of mobile devices (if any) can be used for work? Are employees allowed to download new software onto these devices? These kinds of boundaries should be clear to all employees before they think about working with a personal device.

2. Use multi-factor authentication

Of course, you’re already using passwords to protect your organization’s networks. But password security is about more than just a combination of letters and numbers.

Think about enforcing multi-factor authentication, which means users need to verify their identity at least one other way, such as via a code sent to their mobile phone. After all, attackers can’t access your organization’s data if they can’t get into your company network.

IT security isn’t just a job for IT. To keep your data safe and sound, it’s crucial to build a culture of cybersecurity awareness within your organization.

3. Make sure employees are security-savvy

We’ve said it before, and we’ll say it again: IT security isn’t just a job for IT. In order to keep your company’s sensitive data safe and sound, it’s crucial to build a culture of cybersecurity awareness within your organization. Studies show that 95% of cybersecurity breaches can be traced back to human error, so the stakes are pretty high. Educate employees on best practices, what to look out for, and what they should do if they think there’s been a potential breach.

Are your colleagues already clued-up on the basics? Make sure they’re also knowledgeable about specific threats and how they could potentially impact the business. Would your colleagues know how to identify a personalized ‘spear-phishing’ email, for instance?

It’s not just IT departments who need to be proactive and vigilant when it comes to cyberattacks – employees do, too.

Find out how hybrid working has changed the face of IT security.

4. Shed some light on shadow IT

What is shadow IT? In short, it’s the IT that happens when the IT department isn’t looking. It’s become easier than ever for employees to access their own IT resources, without the knowledge or permission of the IT department. The problem with shadow IT is that it creates invisible risks that IT departments can’t address because they don’t know about them. It also increases the attack surface of the organization, making it more susceptible to things like data leaks.

To prevent this from happening, IT departments need to partner up with their company’s business departments to ensure that they’re investing in safe solutions, which won’t cost the organization in the long run.

5. Back it up, back it up

Ransomware is on the rise. According to IDC’s Ransomware Study, approximately 37% of global organizations were victim to a ransomware attack last year. Figuring out how to respond once an attack has taken place is no longer an option. IT departments need to be proactive about ransomware prevention – and recovery, should the worst happen.

The best way to do this? Backing up your organization’s data. By running regular backups, you’ll bypass the ransom demand by restoring data from a source other than the encrypted files. And if you want to prevent malware from encrypting backup files? Use a cloud backup to keep a copy of your files safe from ransomware and other cybersecurity threats.

6. Create a response plan

Your organization has a plan for evacuating your office building in the event of a fire. So why wouldn’t you have one for responding to a security incident? It sounds obvious, but creating a comprehensive response plan, identifying key stakeholders, and mapping out the most important processes is the best way to avoid chaos if the worst does happen. Once you’ve drafted up a plan, you can give it a test-drive and then modify it based on what worked well and what could be improved.

For some organizations, responding to a security incident will require collaboration between several departments. By ensuring that all relevant parties agree to their responsibilities in the event of a breach, well before it happens, you can save valuable time and deal with security incidents quickly and efficiently.

Find out how to improve collaboration between departments and which barriers to overcome.

Keep security breaches at bay when working remotely

The rise of hybrid working has made managing IT security a whole lot more complicated.

Find out how to manage IT security while employees are working from home.

The post 6 ways to boost your organization’s IT security appeared first on MCG - EN.

But working from home is about more than doing laundry between virtual meetings. For IT departments, remote working brings with it a number of cybersecurity risks. Here’s how hybrid work is changing the face of cybersecurity. 

Security is no longer just a job for IT

Prior to the rise of hybrid and remote working, the average employee wasn’t especially clued-up on security hygiene or best practices. And while it wasn’t an ideal situation, within the safe perimeters of the office (and the company network), most IT departments could deal with the occasional security nightmare.

But with employees working from their own homes, far from the watchful gaze of the IT department, the responsibility for upholding cybersecurity best practices has shifted onto employees’ shoulders.

Alongside their daily work, employees now need to consider: Who is standing behind me while I’m working? Am I using a protected network? Am I leaving my device unlocked and unattended? Should I ever let my partner or family members borrow my work device?

Employees are certainly becoming more cybersecurity-savvy, but to ensure they don’t fall victim to phishing or accidental insider threats, IT leaders still need to educate teams on the cybersecurity risks of remote working and security best practices.

The rise of “third space” working

When remote working started to become the norm, the primary focus for the majority of IT departments was securing people’s home environments for working. Sounds obvious, right? But the reality is, research shows that more people are starting to work in so-called “third spaces” such as cafes, libraries, or on the go.

This has big implications for IT as, while these spaces offer employees freedom and flexibility, they also increase the risk of security threats. The combination of a more distracting environment, the presence of strangers, and unprotected networks makes working outside of the home office even more dangerous. So, when establishing cybersecurity measures for hybrid working, it’s especially important to take these “third spaces” into account.

Security teams need to take a proactive approach to cybersecurity rather than a reactive one.

Proactive over reactive

Cybersecurity attacks were already becoming increasingly frequent and sophisticated before 2020, but remote working put the risks of these attacks into overdrive.

According to Splunk’s State of Cybersecurity report in 2022, over 49% of organizations say they’ve suffered a data breach over the past two years, up from 39% from their results pre-pandemic.

Now more than ever, security teams need to take a proactive approach to cybersecurity rather than a reactive one. This means taking measures to prevent cyberattacks from happening in the first place, rather than responding to incidents when they occur. That includes things like educating employees on cybersecurity awareness, periodically assessing your internal systems for vulnerabilities, managing shadow IT, and more.

And if something does go wrong, here’s how to manage panic at the service desk.

The basics still matter most

The rise of remote working may have made it even more important to be vigilant when it comes to cyber security – but it’s not all doom and gloom. You’ll be glad to hear that the majority of cyberattacks don’t require sophisticated technology or even a highly skilled security department to stop them in their tracks.

Preventing breaches doesn’t have to be a complex operation – it’s all about making sure that the basics of cyber hygiene are being adhered to throughout the organization. This means that keeping an eye on things like multi-factor authentication, least privilege access, and keeping devices up to date should still be a top priority for IT departments.

Want to know how to maintain security when employees are working remotely?

Read more on remote working.

The post The cybersecurity risks of remote working appeared first on MCG - EN.

But what is shadow IT exactly? In this blog, we answer five of the most frequently asked questions about shadow IT.

What is shadow IT?

The name says it all: shadow IT takes place in the shadows – and the IT department is left in the dark. In short, shadow IT covers all forms of IT that take place outside of and without knowledge and/or approval from the IT department.

Shadow IT refers to the use of technology systems, applications, or services within an organization without official approval, oversight, or knowledge of the IT department or management. It often involves employees independently adopting and using unauthorized software, cloud services, or devices to fulfill their work-related needs.

Normally, the IT department uses its expertise to select or approve new hardware or software for the organization. With shadow IT, other departments than IT or individual users use tools or devices that the IT department doesn’t know about.

Why does shadow IT occur?

Ease of use

With the sheer amount of available web and cloud-based technologies and applications, using your own IT resources has become easier than ever. Anyone can easily download and use IT tools through a web interface with little to no involvement from the IT department.

Business IT innovation

Most business departments want to innovate faster than the IT department has resources for. According to this Gartner report, only 40% of total IT investments comes from the IT department itself. Business departments simply find their own solutions: they actively invest in IT software that supports their innovation efforts. This may include investing in a new application or platform or enlisting the help of an external IT consultant.

Shadow IT creates invisible risks that the IT department can’t address because they don’t know about them in the first place.

What does shadow IT look like?

BYOD: a dream or a nightmare?

Bring Your Own Device (BYOD) is great for a number of reasons. For one, employees get to work exactly the way they want: whether they like using a Samsung tablet, a MacBook, or a Xiaomi smartphone. But BYOD also has a dark side. Using personal devices to log onto the company network may cause huge security risks. Especially when personal devices are outdated or use dubious software – a hacker’s dream come true. Keeping track of all devices? IT’s worst nightmare.

Connected but disjointed

Now that almost everyone is working from home, employees have to find new ways to stay connected to their team and coworkers. The solution? Online tools and applications such as Microsoft Teams, Miro, and Trello. Usually, a team or department simply downloads a new tool and the rest of the organization automatically follows suit.

The result? A snowball effect. All of a sudden, the organization uses eight different tools – and no one has involved the IT department or thought about how these applications handle personal data.

How can you maintain security while working from home?

Taking assets into their own hand

Some departments are extremely responsible. So responsible, in fact, that they handle asset management themselves instead of having centralized asset management run by the IT department. Such departments have their own, private IT stock.

So, what happens when an employee leaves the organization? They hand in their laptop at their department and think they’re done. Weeks later, they get a call from IT, asking about the laptop.

Meanwhile, the department has already handed out the laptop to a new employee. The IT department has no idea how many IT assets they have, where they are, and whether something is missing.

What are the implications of shadow IT?

“If you can’t see it; you can’t control it” definitely rings true for shadow IT. Shadow IT creates invisible risks that the IT department can’t address because they don’t know about them in the first place. It also increases the attack surface of the organization, making it more susceptible to data leaks, for example.

The IT department is responsible for security, compliance, and privacy in the organization. Shadow IT poses a genuine threat to all three of these, especially in larger organizations. The more applications, tools, and devices there are, the harder it is to control them.

How do I manage shadow IT?

Boost awareness

You simply can’t avoid shadow IT, no matter how hard you try. Using your own IT resources has become easier than ever with the boom in web and cloud-based technologies and applications. This doesn’t mean you should just accept it and move on. You should still shut down anything that’s actually dangerous or poses too great a risk.

But there’s also another solution: education. Invest in more awareness of how important security, compliance, and privacy are. Most users are simply unaware of the implications when they sign up for Trello or log onto the company network using an outdated device.

Next, set up simple guidelines that users have to follow when using their own hardware or software, such as multi factor authentication.

Partner up with the business

To make the most of innovation and avoid the risks of shadow IT, the IT department and the business departments need to join forces. On the one hand, the business departments need IT for their knowledge and expertise. On the other hand, IT wants to make sure the business departments invest in a safe solution that they won’t have to lose any sleep over.

So how do you partner up with the business? Offer your services and make sure the business departments know where to find you. Take on an advisory role in every innovation project, from the orientation phase until the implementation of a new tool.

A win-win situation: the business departments get to innovate, and IT gets to sleep at night (and profit from the business departments’ innovation and budget).

The post What is shadow IT? Answers to 5 frequently asked questions appeared first on MCG - EN.

What can organizations do?

First things first: it’s important that every employee is armed with at least a basic knowledge of IT security. Not every employee is a digital native, so it’s crucial that you cater to each and every one of your colleagues. To help with this, Mark suggests producing a one-page summary document outlining key security dos and don’ts (e.g. do remember to back up all documents but don’t log onto public networks).

Not only will this make sure that your employees don’t make basic security mistakes, but your employees will also appreciate having all this key information to hand — you can’t simply expect everyone to intuitively know what to do and what not to do.

There’s also another major danger. Amidst such widespread upheaval, organizations might be tempted to tear up the existing rulebook and introduce sweeping changes in an effort to ensure ongoing security.

Bart warns against this strategy. “Introducing too much change all at once might leave your employees confused and discouraged— they already have enough on their plate as it is. Try to follow established procedures as much as possible, and if you do want to switch things up, use change templates or incident workflows with documented approval steps.”

The message is clear: balancing security and employee experience is difficult enough as it is, so there’s no need to make it even harder.

Lastly, it’s important to ensure ongoing communication between your IT staff and your employees. As much as you might want to rely solely on established procedures, your security strategy will probably be affected in more ways than one. Mark recommends having verified forms of centralized communication — for example an intranet where employees can chat about any issues they’re having.

Try to foster a real sense of community. Let your team know that you’re always there for support if they need it: offering up your expertise and advice at all times. This is crucial if you want to successfully blend organization-wide security with providing a fantastic employee experience.

What should – and shouldn’t – your employees do?

“Well, there are the obvious things that should be avoided: don’t view confidential information in public places, don’t discuss confidential material in virtual meetings using unknown apps, and don’t log on to public networks,” Bart says.

Mark agrees: “You should also remind people not to assume that if everyone else is doing something, that automatically means that it’s safe. Even USB flash drives, which have long been a staple of IT practices, carry their own risks: they have a significant risk of being infected with malware.”

This also goes for VPNs. While some organizations might be rushing to provide employees with their own VPN in an attempt to increase organization-wide security, the opposite is actually true — if you use a VPN, you have a bigger attack surface, which leaves you more vulnerable to security breaches.

That being said, if you’re going to provide the best employee experience possible, it’s just as important to focus on what employees should do — rather than simply what they shouldn’t do. Mark emphasizes that employees should work together to develop contingency plans: triaging teams, sharing management responsibilities, as well as assigning and duplicating all essential codes and failsafe roles.

On the whole, employees should always raise any queries — no matter how large or how small — with their IT team. For Bart, “the key is to create a culture where employees have an ongoing, open dialogue with their IT team. You should make an extra effort to ensure that your less tech-savvy colleagues feel especially comfortable.”

Employee experience doesn’t mean that you have to run around making everyone happy all the time; instead, it means that you’re there for people whenever they need you, and that everyone knows this. Given how integral IT is to the vast majority of modern organizations, IT support is as much a cultural issue as it is a technical one.

If something unfortunate does happen, this is how you manage panic at the service desk

The post How to maintain security when employees work remotely appeared first on MCG - EN.

Here are five common cyber security fears for IT departments. Because sometimes, watching how your customers handle their work data just makes you want to yell like you yell at the tv when the girl runs upstairs from the killer again.

1. Data breach

The ultimate horror scenario: you discover that sensitive data has been available to people that shouldn’t have that kind of access. All organizations create monsters of data, and once the monster gets out of your control, the havoc it wreaks may have severe consequences. There are a lot of things you and your colleagues can do to make sure your data and any potential data breaches are contained, though.

Implement multifactor authentication to make it harder to hack into accounts, and limit access for each employee to the information he or she needs. This reduces the risk of employees accidentally spreading information to unauthorized parties, and if you do get a leak, it’s easier to find the source.

2. Loss of data

What if there’s a fire in your building and all your servers are beyond salvation? You’ve thought of this of course, this is why you have off-site back-ups. You’re not doomed. But there are a lot of ways to lose data. What if your cloud provider goes bankrupt?

Thankfully, that’s very unlikely, but it is wise to take measures to reduce the risk of data loss. Your organization depends on data, so losing a lot of it can be the equivalent of Godzilla come to destroy the place.

How do you maintain security when employees work from home?

3. Ransomware all over the place

Ransomware. We all know what it does by now. And we all have different ways of dealing with the problem. Like I said, you’ve got off-site back-ups, so if somebody comes in with a laptop that’s been ransomed, they’ll fully expect you to be able to put everything back into place. Little do they know of the bigger risk involved: how likely is it that this person’s laptop has unwittingly provided criminals access to your network? They might take down the whole thing!

This is another fear that’s best mitigated by being cautious with who can access what. Only give people access to the parts of your network they actually need. This will keep infected accounts from spreading the virus like an army of zombies.

Are you aware of the risks of shadow IT?

4. Hackers get your privileged users or your password manager

It may sound a little bit out there, but if anybody can get hacked, why not password managers? Randomly generated and then stored passwords are safer than ‘password’, but they’re not immune to the horrors of hacking. And since we’re spiralling now anyway, do you ever wonder how your privileged users come up with their password?

The colleague sitting right next to you might be logging in with ‘qwerty’ right now. And they have access to everything! You can’t always prevent hackers from getting their hands on log-in details, but you can make sure everybody’s alert.

5. The real world is still scarier: break-ins and theft

If you’ve read a post on this blog before, chances are you know we’re really big on working together with other departments. Even your IT security isn’t just a digital affair. Do you have a plan for an actual, old-fashioned burglary? The burglar might not be after valuables lying around. They may have placed devices instead of taking them, so they can access your data later, or hack your network from inside the building.

So, make sure you’ve got a good collaboration with other departments when it comes to security, and help emphasize the importance of locking doors and keeping track of keys and entry passes. You never know what’s lurking out there.

So what do you think? Do security risks keep you up at night? What are your biggest IT security nightmares and  what do you do to make them less likely to come true? Let us know in the comments!

The post Halloween: 5 IT security nightmares to keep you up all night appeared first on MCG - EN.