Should employees use their own devices for work?

Welcome to the new 56 cyber warriors who joined us last week. 🥳 Each week, we'll be sharing insights from the Black Hat MEA community. Read exclusive interviews with industry experts and key findings from the #BHMEA23 keynote stage.

Keep up with our weekly newsletters on LinkedIn, Subscribe here.

This week we’re focused on…📣

The pros and cons of an organisation letting its employees use their own mobile devices for work.

Why? 💭

Because we’ve been thinking about something Georgia Weidman (Founder and CTO at Shevirah and Bulb Security LLC) said at #BHMEA22:

“...a lot of the assumptions we’ve made about security up until now break down the moment we allow mobility into our enterprise.”

That’s because conventionally, security has been able to rely on a relatively clear understanding of exactly what devices are involved with a network, and how traffic flows into and out of that network. But when user endpoints are complicated by the addition of mobile devices, the picture of the threat landscape becomes a lot murkier.

So should organisations allow everyone to use their own devices? 🤔

Well, there are pros and cons.

Allowing the use of personal devices is good because…

• Giving employees that freedom to work on the devices they want to work on has been found to increase productivity and job satisfaction.
• It reduces company hardware costs – you don’t have to buy everyone a smartphone.
• Employees may be more likely to take care of devices they own, which can reduce the risk of devices being lost or stolen.

But it’s not all good. The cons include:

• You don’t have administrative access or control over employee-owned devices – so you can’t ensure they’re updated with mobile device management and mobile application management software.
• While you can govern organisation-owned devices with a security policy, it’s harder to ensure that employees follow best practices for cybersecurity on their own devices – including using strong passwords and multi-factor authentication.
• While users might protect their own devices against loss or theft, it’s still more likely that mobile devices will be lost or stolen than larger, in-office devices – and a stolen device that isn’t up-to-date with security best practices can pose a big risk to your network.

Do you pen test employees' mobile devices? 🤳

1. Yep! 😎 vote

2. No - not yet 🙊 vote

And there’s also reality 👁‍🗨

The reality is that more and more employees expect to be able to use their own devices to access work networks – especially when it’s more convenient for them to do so than going into the office, or carrying around an additional employer-owned device.

Which means that limiting access to a network to approved devices only is becoming increasingly difficult – and the solution now is to focus on how to increase the security of user-owned endpoints.

For Weidman, pen testing mobile devices is a critical tactic.

“My goal with the software I’m releasing is to make it possible for security researchers, as well as enterprise professionals, to be able to bring mobility into the penetration test.”

Learn more in our new blog post: Why pen testing is crucial for mobile architecture

Do you have an idea for a topic you'd like us to cover? We're eager to hear it! Drop us a message and share your thoughts. Our next newsletter is scheduled for 27 September 2023.

Catch you next week,
Steve Durning
Exhibition Director

P.S. - Mark your calendars for the return of Black Hat MEA from 📅 14 - 16 November 2023. Want to be a part of the action?

*Referral program terms and conditions