Working from home became a thing during the COVID outbreak. Many people discovered they didn't have to be in a cubicle in an office to do their job effectively. Unfortunately, that has brought with it some new challenges, especially for people concerned with cybersecurity. One of these is unmanaged devices.
Let's say you are working at home, or in a cyber cafe, on your company-assigned laptop, but you have your own phone/tablet/laptop next to you. You find some app which is helpful to what you are doing: you can't install it on your work computer, but you can on the one you own. Everyone wins: you are more effective, and nobody in management is really going to pull you up for this because they are unlikely to know. So you start answering emails from your device, then shifting more of your work to it. So, without meaning to, you have created a security vulnerability.
Security consultancy Kolide’s recently-released Shadow IT report shows that 47% of companies allow their workers to access resources on unmanaged devices, authenticating via credentials alone. These choices seem harmless on an individual level, but they have played out in countless home offices across the world. Now utilities have a problem where one previously did not exist: the proliferation of unmanaged devices accessing sensitive – sometimes critical – resources.
IT departments and cybersecurity consultancies advise that companies should take a firm line on “Unmanaged devices”. In particular, companies can invest in Zero Trust, a security framework that restricts access to sensitive resources based on a user’s identity and security posture.
The UK's National Cyber Security Centre says:
A zero trust architecture is an approach to system design where inherent trust in the network is removed.
Instead, the network is assumed hostile and each access request is verified, based on an access policy.
Confidence in the trustworthiness of a request is achieved by building context, which in turn relies upon strong authentication, authorisation, device health, and value of the data being accessed.
Security-minded organizations should try to minimize the risks of unmanaged devices by assigning company-issued laptops to employees instead of going the BYOD route, and by implementing Multi-Factor Authentication (MFA) and Zero Trust systems to make it harder for malicious actors to breach security and cause damage.
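The per-request decision the NCSC describes, built from authentication, authorisation, device health and the value of the data, can be sketched as a small policy check. The Python below is an added example, not code from the NCSC or Kolide; the tier names, thresholds and field names are assumptions chosen for illustration.

```python
from dataclasses import dataclass, replace

# Assumed sensitivity tiers and the minimum context each one demands.
# Thresholds are illustrative, not taken from NCSC guidance.
POLICY = {
    "public":    {"mfa": False, "managed": False, "healthy": False},
    "internal":  {"mfa": True,  "managed": False, "healthy": True},
    "sensitive": {"mfa": True,  "managed": True,  "healthy": True},
}

@dataclass(frozen=True)
class AccessRequest:
    password_ok: bool      # primary credential verified
    mfa_ok: bool           # second factor verified
    device_managed: bool   # enrolled in company device management
    device_healthy: bool   # posture check passed (patched, encrypted, ...)
    user_groups: frozenset # groups the user belongs to
    resource_group: str    # group authorised for the resource
    data_value: str        # key into POLICY

def evaluate(req):
    """Return (decision, reasons); network location is deliberately not an input."""
    rule = POLICY.get(req.data_value)
    if rule is None:
        return "deny", ["unknown data classification"]  # fail closed
    reasons = []
    if not req.password_ok:
        reasons.append("authentication failed")
    if req.resource_group not in req.user_groups:
        reasons.append("user not authorised for resource")
    if rule["managed"] and not req.device_managed:
        reasons.append("unmanaged device")
    if rule["healthy"] and not req.device_healthy:
        reasons.append("device health check failed")
    if reasons:
        return "deny", reasons
    if rule["mfa"] and not req.mfa_ok:
        return "step_up", ["MFA required"]
    return "allow", []

# Constructed sample: valid password from a personal phone, asking for sensitive data.
PHONE = AccessRequest(True, False, False, False, frozenset({"billing"}), "billing", "sensitive")
LAPTOP = replace(PHONE, device_managed=True, device_healthy=True)

if __name__ == "__main__":
    print(evaluate(PHONE))                         # credentials alone, unmanaged device
    print(evaluate(LAPTOP))                        # managed device, second factor missing
    print(evaluate(replace(LAPTOP, mfa_ok=True)))  # full context present
```

The same valid password produces three different outcomes depending on device and second factor, which is the gap that credentials-only access from unmanaged devices leaves open.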