You have very probably heard a lot about the two vulnerabilities in Apple devices over the past couple of weeks, but did you consider how they would affect BYOD?
If your company has a Bring Your Own Device (BYOD) policy and has iPhones, iPads or Macs using your network, what do you need to know?
The Apple vulnerabilities
The Apple vulnerabilities were serious flaws that left devices potentially vulnerable to attack.
The vulnerabilities affected iPhone 6S and later, iPad 5th generation and later, all iPad Pro models, iPad Air 2, and Macs running macOS Monterey.
The flaws could provide full admin access to the device, with obvious ramifications for users and for company networks.
The flaws are being tracked in CVE-2022-32894 and CVE-2022-32893.
Apple has released system updates, iOS and iPadOS 15.6.1 and macOS 12.5.1, that address the vulnerabilities.
But have your users updated their devices?
The Apple flaws
The first flaw impacted the kernel, which could enable a hacker to execute arbitrary code with kernel privileges.
The second flaw is to do with JavaScript. More specifically, JSMap and JSSet and something called an ‘out-of-bounds write issue’.
A hacker could use infected web content to inject malware onto the device without the user ever being aware.
As both of these affected the majority of newer iDevices, it’s a critical issue that companies need to address.
So how can you manage BYOD devices without a dedicated MDM (Mobile Device Management) solution?
Managing BYOD
There are a few best practices you can use to help improve the security of your network while using BYOD.
Many of you probably use them already, but for those who don’t:
Device provisioning
If an employee wants to use their own device, there should be an expectation that it will be checked out by the IT department first. If it lacks updates or required apps, there should also be an expectation those will be installed too.
Making it mandatory for IT to check and provision the device before allowing it on the network can save a lot of hassle down the line.
Enforce security software
If you don’t use MDM to control applications on a device, you should at least enforce the use of a security application.
That app should include a firewall, antivirus, malware scanner and drive encryption.
Enforce encryption
Encrypted data is (mostly) safe data so make sure all users use encryption even if your security software doesn’t mandate it.
We all know that encrypted data at rest is far more secure than unencrypted data so enforcing a robust BYOD policy will definitely help.
Mandate regular updates
While system and app updates won’t guarantee safety, they can improve security overall.
Apple quickly released fixes for both of their vulnerabilities, so an update policy could narrow the threat window significantly.
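One way to run the "have your users updated?" check without an MDM, as an added example that is not from the original article: it compares a device inventory against the fixed releases named above (iOS and iPadOS 15.6.1, macOS 12.5.1). The inventory rows, field names and status labels are assumptions made for illustration.

```python
# Added example: flag BYOD devices below the patched releases named in the article.
# Inventory rows are constructed sample data; field names are assumptions.

# Minimum patched versions stated in the article for CVE-2022-32894 / CVE-2022-32893.
BASELINES = {"ios": (15, 6, 1), "ipados": (15, 6, 1), "macos": (12, 5, 1)}


def parse_version(text):
    """Turn '15.6' into (15, 6, 0); return None if it is not a dotted number."""
    parts = text.strip().split(".")
    if not 1 <= len(parts) <= 3:
        return None
    if not all(p.isascii() and p.isdigit() for p in parts):
        return None
    nums = [int(p) for p in parts]
    return tuple(nums + [0] * (3 - len(nums)))


def check_device(platform, os_version):
    """Return 'ok', 'update' or 'review' for one device."""
    name = platform.strip().lower()
    baseline = BASELINES.get(name)
    version = parse_version(os_version)
    if baseline is None or version is None:
        return "review"  # unknown platform or unreadable version: check by hand
    if version >= baseline:  # tuple comparison is numeric, so 15.10 > 15.6.1
        return "ok"
    # The article only names Macs on Monterey (12.x); older macOS gets a manual look.
    if name == "macos" and version[0] < baseline[0]:
        return "review"
    return "update"


def audit(inventory):
    """Map each owner to a status, given (owner, platform, os_version) rows."""
    return {owner: check_device(plat, ver) for owner, plat, ver in inventory}


# Constructed sample inventory, e.g. recorded by IT at device provisioning.
SAMPLE = [
    ("alice", "iOS", "15.6.1"), ("bob", "iOS", "15.6"), ("carol", "iPadOS", "16.0"),
    ("dave", "macOS", "12.5"), ("erin", "macOS", "11.6.8"), ("frank", "iOS", "unknown"),
]

if __name__ == "__main__":
    for owner, status in audit(SAMPLE).items():
        print(f"{owner}: {status}")
```

Devices marked "update" stay off the network until patched; "review" means the inventory data was not enough to decide automatically.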
Device password standards
Many phone logins are either a fingerprint or a 4-digit PIN. Biometrics are reasonably secure but a 4-digit PIN would be child’s play for a determined hacker.
Enforce strong device passwords in the same way you do for laptops and desktops.
Reporting process for lost or stolen devices
There should also be a robust reporting process for lost or stolen devices used as BYOD. If there’s a remote locator or remote wipe facility, IT should be able to use it as soon as the loss has been verified.
It’s a nuclear option, but if staff carry company data on their device, it’s also a sensible option.
Right to inspect
Finally, and most controversially, the IT department should reserve the right to inspect phones and data at any time.
Privacy is a thorny issue, especially on the employee’s own device, but there should be no expectation of privacy with BYOD.
Make it clear up front that if staff want to use their device at work, privacy is not something they can expect. They can then make an informed decision about what to do next.
The Apple vulnerabilities have shown us that even devices thought secure can be compromised.
It was a serious wakeup call for all of us, but better now than later!