Why Your Organization Needs A Corporate Device Strategy

The corporate device management landscape has evolved beyond rooms full of cubicles and desktop workstations to encompass a wide array of new technologies and organizational models. Most recently a trend towards a work-from-home (or remote work) model has created new challenges for IT security. Over the past decade or more mobile devices such as smartphones and tablets increased productivity on the go, but also created new challenges for security. Other areas where corporate device strategy has had to evolve is to accommodate more peripheral devices such as Multifunction Devices (MFDs), and Internet Of Things (IoT) devices. 

In 2024, a corporate device strategy is not merely about purchasing, provisioning, tracking, and deprovisioning devices. Safeguarding the heart of the organization (both its systems and data) is the most critical goal. This goal requires mitigating a host of potential attack vectors.

In this article, our ethical hackers examine the importance of corporate device strategy by reviewing some common weaknesses in device policy that could lead to a consequential IT compromise. 

Standard Corporate Device Policies

One of the most important precursors to developing a corporate device strategy is to decide which devices staff will be allowed to use for work purposes, and whether hybrid use (work and personal) will be allowed. 

Let's start with a review of the standard corporate device policy models: 

• BYOD (Bring Your Own Device): This most basic policy allows employees to use their own personal devices for work purposes. This model is the least secure because personal use introduces many risks of malicious applications, malicious web resources, and social engineering from personal use could result in compromise of sensitive corporate information

• COBO (Corporate-Owned, Business Only): A policy where the organization retains full ownership and control over the device, which is strictly used for business purposes with no personal use allowed. This is the most secure device strategy for protecting corporate data

• CYOD (Choose Your Own Device): A flexible policy that allows employees to select from a range of corporate-approved devices for their work, accommodating personal preferences while maintaining corporate security standards. By limiting the number of device models that users can choose, an organization can increase their security assurances and reduce the workload of tracking potential vulnerabilities across a wider range of devices and mobile OS

• COPE (Corporate Owned Personally Enabled): This strategy involves the organization providing devices to employees for work, with the added flexibility for personal use, balancing corporate control with personal freedom

Why Your Organization Needs A Corporate Device Strategy

In 2024, a corporate device strategy is critical for securing all IT infrastructure against unauthorized access. Careful consideration should be made when building a comprehensive corporate device policy and adjusting security controls to compensate for any non-work related activity that may take place on corporate devices. As businesses continue to navigate the complexities of remote work, the integration of mobile devices, and the burgeoning realm of IoT, the absence of a coherent device strategy could lead to significant vulnerabilities within an organization's IT infrastructure.

Here are some additional security risks that policy makers need to consider when building a corporate device strategy:

Shadow IT

Shadow IT refers to devices, software, applications, and services without explicit IT department approval. Unmanaged and unsecured devices pose a significant risk, offering a gateway for unauthorized access to sensitive intellectual property and critical data. Examples of shadow IT include unauthorized use of cloud storage services to store sensitive corporate information, using personal smartphones for work tasks, and installing non-work related third-party apps to a work device.

Unified Threat Management (UTM) and endpoint security products play a crucial role in verifying device security by monitoring for malicious activity and scrutinizing and managing applications and configurations against a set of predefined security policies and enforcing accept or block listing of applications, ensuring only trusted software devices can access corporate network resources. Accept and deny listing involves explicitly approving or blocking certain devices and software to prevent such unauthorized use and mitigate the risks associated with shadow IT. 

Physical Access to Corporate Devices

Physical access to corporate devices presents a critical security concern, since physical access can bypass many traditional cybersecurity measures and give unauthorized access to sensitive information and malicious actions such as installing malware. The risks are magnified in the case of lost or stolen devices, which could easily fall into the hands of malicious actors intent on exploiting the data and access those devices contain.

In response to these concerns, many organizations have adopted remote wipe capabilities as part of their security strategy. Remote wipe allows IT administrators to erase the data on a device remotely if it is reported lost or stolen, thereby minimizing the risk of sensitive information falling into the wrong hands. However, the effectiveness of remote wipe depends on the device being connected to the internet, and there may be a window of opportunity for attackers to access data if the device is not immediately wiped.

Also, the Zero Trust security framework operates on the principle of "never trust, always verify," meaning that every attempt to access corporate resources is authenticated, authorized, and encrypted. This model extends the Defense in Depth philosophy to ensure that even if an unauthorized user gains physical access to a device, they would still be unable to access sensitive corporate data without the necessary authentication credentials.

Device Repairs and Electronic Snooping

Electronics snooping is a major concern for organizations when corporate enabled devices need to be repaired. A CBC Marketplace investigation revealed that 50% of stores reviewed accessed private data on devices dropped off for repairs. The devices had monitoring software installed which revealed technicians at nine stores snooped through files, with one copying photos to a USB key.

The most obvious option is to enact a policy that mandates all devices must be repaired "in-house", under proper oversight. However, in the case that an external third-party repair service is used, it's important to ensure devices have been properly secured before they are handed over. Official instructions from Apple and other device manufacturers for enabling "Maintenance Mode" outline best practices.

The Prevalence of Remote Work, Work From Home, and Hybrid Work Arrangements

The shift towards remote work and hiring freelancers who may have a "digital nomad" lifestyle also underscores the need for a comprehensive corporate device strategy. as these models introduce risks from insecure networks and both digital surveillance threats like Man-in-the-Middle (MiTM) attacks and other forms of surveillance. Remote work often relies on SOHO routers, which might not offer the same level of security as corporate networks, making devices vulnerable to attacks.

In contrast, digital nomads working from various locations, including hotels with insecure networks, face even greater risks. Implementing a zero trust security framework, which verifies every access request regardless of location, and ensuring the ability to remotely wipe devices if compromised, are critical strategies for safeguarding organizational data in the face of these evolving work environments.

Conclusion

There is a critical need for a corporate device strategy considering the challenges of the evolving workplace, such as remote work and digital nomadism, shadow IT, and the risk of third party device repairs. A comprehensive strategy should consider the various risks of BYOD, COBO, CYOD, and COPE models to secure IT infrastructure against unauthorized access and data breaches. Emphasizing zero trust principles and remote wipe capabilities can further safeguard sensitive information against the reliance on networks whose security cannot be verified.