Report: Companies allowing personal employee devices onto their network are opening themselves to attack.
By Jason Cole, CyberWire staff writer.
Jul 13, 2023

SpyCloud takes a look at the risk of mingling the personal with the professional (device- and access-wise).

SpyCloud released its Malware Readiness & Defense report today, conducted as a survey of almost 320 “mid-market and enterprise IT security professionals from the US and UK” to assess “how organizations are detecting and addressing the threat of malware as a precursor to cyberattacks like account takeover and ransomware.” One of the main problems discovered was the lack of regulation, by the businesses, of employees mixing unauthorized applications and work credentials on their personal and work devices. “57% of organizations allow employees to sync browser data between personal and corporate devices – enabling threat actors to siphon employee credentials and other user authentication data through infected personal devices while remaining undetected,” SpyCloud wrote in its press release. It also explained that organizations are struggling with “shadow IT,” as employees use unsanctioned applications and are allowed to use their personal and work devices interchangeably.

Key risk factors. 

The number one key risk factor, the study finds, is human behavior. “The lack of robust security practices and resources leaves gaps in defenses. The modern workforce expects ease and convenience, including the ability to access applications and data from anywhere with limited friction. Unfortunately, providing this convenience often sacrifices security. We found that many organizations continue to allow poor security practices, such as access to business applications by unmanaged or shared devices and the ability to sync browser data between corporate and personal devices.” A main driver of this trend seems to be the shift to hybrid and remote work environments. Often these moves come with promises of reducing friction in an employee’s life; however, the technologies and practices adopted seem to be outpacing the cybersecurity industry’s ability to keep up. “As tech evolves, employees’ digital-first lives – which call for convenience, ease, and minimal friction – are scaling beyond the IT and security teams’ control and impacting security posture.”

Associated threat risk of allowing employees to work from personal devices. 

A large risk factor in working from home that’s often overlooked is the allocation of company-controlled devices. Often companies will allow employees to use their own devices to lessen friction and maybe even save a few dollars, but this creates an IT blind spot. An organization can’t monitor an employee’s phone, and by allowing the employee to log into company spaces and applications via an unsanctioned device the company is opening itself up to an attack vector it can’t monitor. SpyCloud observes, “Malware-infected employee devices create a direct path into an organization as infostealer malware exfiltrates fresh, accurate data from target URLs, login credentials, passkeys, and authentication cookies/tokens to device and system information that enables easy impersonation. With this data, attackers can mimic employees’ access with a high degree of success and perpetrate cybercrimes like account takeover, session hijacking, and ransomware attacks.”

Steps to mitigate the risks. 

The report highlights that, while many organizations are implementing employee cybersecurity training, the real responsibility for cybersecurity is carried by the IT team. “While employees may be aware of threats and best practices, it doesn’t mean they’re changing behaviors and it really falls back to the IT and security teams to make sure they have stopgaps in place at every stage.” The study found that most organizations were satisfied that 85% of the devices connected to their network were loaded with the most recent updates and security patches; however, that still leaves 15% which are vulnerable. 15% is still a large gap in your cybersecurity defense posture and can easily lead to a data breach or ransomware infection. Cybercriminals are not going to quit attacking a network because it is mostly protected; their means of making money is attacking and exploiting the 15% of devices that are still vulnerable.

Switch from a device-centered response to an identity-centered one.

The report also offers tips on post-infection response, stating that companies should transition to an identity-centric response instead of a machine-focused one. By securing a compromised employee identity, the security team can reset all of its authentication and close all sessions it has opened, effectively quarantining both the device and the user from the network. Then the company can work to secure the network from any remaining security breaches it was subjected to. As SpyCloud concludes, “An identity-centric approach disrupts ransomware and other attacks by going beyond traditional malware response to remediate exposure beyond the device, with affected users and applications at the forefront. Post-Infection Remediation is a series of additional steps in a malware infection response framework designed to negate opportunities for ransomware and other critical threats by resetting the application credentials and invalidating session cookies siphoned by infostealer malware.”
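The gap between a device-centric and an identity-centric response, as an added illustration that is not part of the CyberWire article or SpyCloud’s report: a toy identity provider (constructed here, with the user “alice” and the app names as assumptions) shows that reimaging the infected laptop leaves server-side sessions and the stolen password usable, while resetting the identity does not.

```python
"""Illustrative model: device-centric vs identity-centric post-infection remediation."""
import secrets
from dataclasses import dataclass, field


@dataclass
class Session:
    user: str
    app: str
    valid: bool = True


@dataclass
class Idp:
    """Constructed toy identity provider: server-side sessions plus a per-user password."""
    passwords: dict = field(default_factory=dict)   # user -> current password
    sessions: dict = field(default_factory=dict)    # session cookie -> Session

    def login(self, user, password, app):
        """Return a fresh session cookie, or None if the password is wrong."""
        if self.passwords.get(user) != password:
            return None
        cookie = secrets.token_hex(16)
        self.sessions[cookie] = Session(user, app)
        return cookie

    def cookie_valid(self, cookie):
        s = self.sessions.get(cookie)
        return s is not None and s.valid

    def identity_centric_remediation(self, user):
        """Invalidate every session of the affected identity and rotate its credential."""
        for s in self.sessions.values():
            if s.user == user:
                s.valid = False
        self.passwords[user] = secrets.token_urlsafe(12)


def run_scenario(identity_centric: bool) -> dict:
    """Report what a thief holding the exfiltrated data can still do after remediation."""
    idp = Idp(passwords={"alice": "old-password"})
    # Constructed incident: alice's personal laptop signs in to two apps, then an
    # infostealer exfiltrates her password and both session cookies.
    device_cookies = [idp.login("alice", "old-password", app) for app in ("mail", "vpn")]
    stolen = {"password": "old-password", "cookies": list(device_cookies)}
    if identity_centric:
        idp.identity_centric_remediation("alice")
    else:
        device_cookies.clear()  # device-centric: wipe the laptop only; server state untouched
    replayable = sum(idp.cookie_valid(c) for c in stolen["cookies"])
    relogin = idp.login("alice", stolen["password"], "mail") is not None
    return {"replayable_cookies": replayable, "password_still_works": relogin}
```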