With cloud applications causing heavy usage of web browsers, more remote workers and staff on BYOD schemes are becoming cyber targets
Cyber threats arising from the use of unmanaged devices used by third-party service providers and those belonging to employees on a Bring-Your-Own-Device (BYOD) scheme are opening up organizations to multiple avenues of attacks — including the stealing of sensitive information like corporate data and credentials, and employees falling for phishing and impersonation scams that hackers can gather credentials from.
Just as an enterprise should not ask its contractors or freelancers to install intrusive software agents on their devices due to privacy and performance concerns, policies on BYOD practices are difficult to monitor and enforce.
What should companies do to minimize the risks from web-borne threats and BYOD arrangements? Following are some tips contributed by Antoine Korulski and Adi Goldshtein Harel, Check Point Software Technologies…
Web-borne security threats
As web browsers come to be the main interface between users and internet applications due to the rise of cloud-based applications, IT defenders are experiencing four common challenges and dilemmas when screening users and employees with access to web applications from unmanaged devices:
- How do we manage access to these web applications?
- Do I we have protection in place for all sensitive data? Can users download sensitive information into their personal computers?
- Can users upload malicious files or other types of content to the organization’s web applications?
- Do we have visibility into the usage of data? Can data be copied, pasted, or printed outside of the web application?
To mitigate the threats, two main options can be considered:
- Strongly limit the accessibility of those unmanaged devices to your network and applications with strict policies and impose a restricted Virtual Private Network on users. This solution offers some visibility and control to the security team because the devices remain unmanaged but users and their network activities are heavily regulated.
- Enable a web browsing security extension installed at the browser level. This solution can be guaranteed to be non-invasive, and users that allow such an extension to be installed on a specific work browser will allow IT teams to manage risks linked to web pages, web application access, file downloads/uploads, and other vectors of attack. Furthermore, the browser extension offers IT security teams more time to mitigate unusual network and server activity that may be precursors to a breach.
According to the two experts, organizations should take measures to secure the web browsers of all employees and third party contractors before sensitive information leaks and reputation damage can occur.