Cyber attackers are remarkably resourceful. They can be inventive and pretty creative in how they infiltrate your systems. We have seen situations where work information is taken from a personal device, and so here we investigate ways to prevent that from happening.
People work from home. People are on the move, and they might be using their own smartphone or their own laptop to access corporate or company data. This is known as BYOD (Bring Your Own Device). We’ll discuss it in the context of Microsoft 365, as that's where we are centred and it's a great place to start.
Manage Devices with Microsoft 365
Many businesses use Microsoft 365 as a platform, without realising that it's an excellent security platform and you can use it to manage your devices, including laptops, desktops and smartphones, iOS and Android.
When discussing the concept of Bring Your Own Device within the context of a small to medium-sized business, you must strike a balance between being secure, but actually having usability for the systems. To do that you need policies for Bring Your Own Device.
In Microsoft 365 that are two licences that we leverage when managing personal laptops and personal phones and those are Microsoft 365 Business Premium or Microsoft 365 E5.
They're the two licences that come packaged with all the security features that enable you to manage a personal device or create a space on a personal device that can be managed by your organisation.
Conditional Access
For laptops, one of the cornerstones is conditional access. It's a feature that will allow you to define policies for operating the company's data within your personal laptop or your operating system.
Also, if you bring a device into the corporate network, the condition could be that the computer must be up to date and have anti-virus software installed. When you plug into the network, you'll be stopped from working until you run all your updates and make sure you have a valid anti-virus programme.
Within the conditional access, you can also prevent data from the work applications being copied to personal applications. And the same goes for mobile devices as well.
Windows 365 Virtual Computer
When you're using a laptop, another innovative solution that you can use is Windows 365. Windows 365 is a virtual computer in the Microsoft 365 ecosystem that's within your business’s Microsoft 365. You use it to connect to a virtual computer, thus firewalling or separating your corporate device from your personal device. So, you're not actually using the resources or the programmes or anything on your personal device. You're merely using your personal device as a window to your virtual computer or your remote computer in the office.
You might be using your own phone or your own laptop, which potentially would increase productivity because you're able to use them whenever you want.
Team members often like working that way, especially with phones, as having two phones can be a bit of a hassle. To be able to ring-fence or separate your work information from your personal information is a really useful option.
Company Portal
Microsoft 365 has a facility, called Company Portal, where you can separate your work apps from your personal apps. The Company Portal will then allow you to manage your device and allow your organisation to manage only the work portion of your device.
For instance, if you've got “find my phone” running on your iPhone and you send a wipe command, it wipes the whole device. But if you only want to wipe the work information to take it off the phone, the Company Portal will allow you to do that, which is extremely helpful.
Or, if an employee is leaving your organisation, you know that when you take away Company Portal access, all the company information is immediately removed from that phone.
Separate Work & Home Apps
Using Company Portal, when you swipe into your applications, you will find a personal space and a work space which separates all the applications you use at home from those you use at work. Don’t worry if you, for instance, use the Outlook application or the OneNote application for personal use as well as work. You can have the app installed as both a personal and a work option, or just one or neither. From a work point of view, your organisation can choose which applications you can install, which adds extra security.
As an example, a few years ago there was a face-changing app where the images that you uploaded went to foreign country servers where they were used for more than just the fun part of swapping your face with somebody else's. With the Company Portal you can prevent these kinds of applications from being installed in a work environment.
Data Protection
An important feature of the Company Portal and mobile device management, or mobile application management, is that you can restrict what you allow to happen between the work and the personal sections of your phone. As an example, if you go into your work OneNote and copy a piece of information and then go to the personal application, and try to paste it, there’s not even an option to paste. That way it protects your company data from getting into the wrong hands.
The other situation to consider is what happens if somebody picks up this phone and gets access to it. You know that there's an extra layer of security in place.
In the Company Portal you can also set a time out. So after, say, 10 minutes of inactivity you have to either use your fingerprint, face ID or a pin code to get back into it, on top of your personal pin code, fingerprint or face ID or whatever you use to get into your phone.
Holiday Mode / Pause your Work Apps
Another great feature is that if you're on holiday or you're away and you don't want to be disturbed by work messages and you don't need to check your work information, you can click “pause work apps” to hide them on your phone until you return.
The benefits of having separate personal and work profiles on a mobile phone are significant. The fact that you can separate the data definitely helps reduce the risk of accidental data leaks.
Security
It also allows your IT department or your business to enforce security policies on your work profile only, without clogging up your personal phone with lots of security prompts and extra layers (unless you want it to). So things like encryption and password protection can all happen without affecting your personal profile on your mobile phone.
Controls & Privacy
If an employee prefers to manage everything on their personal phone that's fine, your IT department or your managed services provider, can manage all the privacy and security with respect to the work data only, which is very useful.
Ease Of Use
Being able to switch between the two profiles using the Company Portal is really handy as it maintains productivity without compromising your time or your security.
SIM Lock Advice
In terms of the security of devices, most people think that it is not an issue because they have a fingerprint, a PIN code, Face ID. They believe that if their phone gets stolen it doesn't matter because nobody else will be able to access that device anyway. However, we would alert people to the security of their SIM card.
Many information systems, such as your bank or even some of your work systems, text you a six-digit code as an extra layer of security. If somebody physically has your phone, they can pop your SIM card out, put that into a new phone, and, if you don’t have that SIM card protected with a PIN, the person who has that can now receive security texts on your behalf.
But if you've got that PIN protected, you have an extra layer of security. Therefore, we would urge people to set a PIN for their SIM card.
SIM Lock on Android
Go into your Settings - Security & Privacy Settings - More Security & Privacy and then look for SIM lock, you can open that and flick the switch to lock the SIM.
SIM Lock on Apple
Go to Settings - Mobile Service – SIM PIN and switch it on.
You may first need to enter the default pin for your network provider, then change the PIN or create a new PIN. Make it complicated but make sure you can remember it.
Now if somebody were to pop that SIM out of this phone and plug it into another, they would be challenged for a PIN before they could actually use the network for texts.
It’s a little piece of advice, but a very valid piece of advice for people to consider.
In conclusion, “Bring Your Own Device” or BYOD for small to medium-size enterprises, supported by Microsoft's Business Premium or 365 E5, provides a really flexible, secure way to manage laptops and desktops that you don’t own as a business, but you might want your employees to use to improve productivity. It's about making sure that you're secure without compromising your team's efficiency.
