By Jasson Casey, Chief Technology Officer, Beyond Identity
Five years ago, utilizing your personal device for work was considered a trendy perk. Now, it’s become a standard practice for many organizations. From contract workers who empower organizations to expand their capabilities without adding to their headcount, to BYOD employees who prefer the flexibility and familiarity of their own device, unmanaged devices are now considered the status quo in many workplaces.
While this unlocks new forms of work and uplevels productivity, personal devices also open up new attack vectors for threat actors, leaving companies’ networks, applications, and data exposed. Removing personal devices from work isn’t the answer, so what is?
BYOD and contract employees are a cybersecurity blind spot
When employees work on an unmanaged device, there are natural concerns about the security posture of that device, and whether the individual accessing company data from it is actually authorized to do so. When the user initially logs in, a platform authenticator that runs on the device requesting access can validate that the device is not jailbroken and that key security settings are configured correctly and active (e.g. local firewall is on, lockscreen is active, the disk is encrypted, and security software is installed and running).
But what about after? As security practitioners know, things change. It’s not hard to imagine the user purposefully or inadvertently changing an important setting that could lead to a security breach during the duration of their session. The device could be left in a cab, stolen, or innocently loaned to a friend without logging out first. In the time between that initial security check and final log-out, security teams are blind to who is actually behind the keyboard, and whether the device security posture remains within policy. This directly undermines organizations’ efforts to transition to a zero trust model.
The consequences of such a breach can be dire, costing companies their time, capital, and reputations. In 2022, organizations like Toyota, The Red Cross, Cash App, and the US Department of Veterans Affairs all suffered contractor-related cybersecurity breaches, despite having robust cybersecurity policies in place. The solution to this problem isn’t to suspend BYOD and contractor activity, which has become so essential to the modern workplace, but to fortify defenses to best support and protect work on personal devices.
Device Trust coupled with continuous authentication provides 24/7 peace of mind
Continuous authentication is rapidly becoming a best practice for BYOD and contract workers. Through this security solution, organizations can expand risk-based policy checks beyond that initial log-in, monitoring user behavior and risk signals from the endpoint every few minutes to re-assess whether the user identity remains trustworthy and that the device remains compliant with security requirements.
If the user and device pass the initial security check at log-in but fails a security check at any point during their session, the organizations’ SOC team can be immediately alerted and the device can be quarantined to prevent potential data leaks. This round-the-clock monitoring provides real-time insight into who is accessing company data even when they are on an unmanaged device.
The greatest advantage offered by BYOD and contract work is productivity, therefore it is critical that continuous authentication offers a streamlined, frictionless user experience. Integrating passwordless MFA delivers a smooth experience that facilitates work rather than interrupts it. By autonomously screening for changes in user behavior or device security posture, without requiring any user intervention, the company remains secure and workers remain uninterrupted.
As new regulations and best practices around zero trust models continue to gain steam, organizational leaders are increasingly searching for new avenues to achieve compliance. The consistent reassessment provided by continuous authentication makes it a vital component of organizations’ zero trust architecture, ensuring no device or user is inherently trusted.
The freedom to empower BYOD and contractors
With passwordless identification, device trust, and continuous authentication in place, organizations are free to empower contracted and BYOD employees without sacrificing cybersecurity. Productivity can be realized while granting security teams previously unheard-of real-time insight into their overall security posture.
As the threat landscape continues to evolve, the modern workplace can’t afford any blind spots; continuous authentication is the key to filling the gap between log-in and log-out and maximizing productivity and security.
About the Author
Jasson Casey is the Chief Technology Officer of Beyond Identity. Prior to his current role, he served as the CTO of SecurityScorecard, VP of Engineering at IronNet Cybersecurity, VP of VolP Product Development at CenturyTel, and as Founder and Executive Director of both Flowgrammable and Compiled Networks. He received his bachelor’s degree in computer engineering from The University of Texas at Austin and holds a PhD in computer engineering from Texas A&M University.
Jasson can be reached online at https://www.linkedin.com/in/jassoncasey/ and at our company website https://www.beyondidentity.com/.
Source: www.cyberdefensemagazine.com