Why allowing staff to use their own devices is a risk


On the 1st of April 2023, 3CX broke the news that their latest release had been impacted by a supply chain attack: a malicious payload had been built into the release, which was in turn pushed out to all 3CX customers using the Desktop version of 3CX.

In most cases, corporate antivirus had picked up and blocked the encoded malware. 3CX enlisted the help of “Mandiant Consulting” to help diagnose how the vulnerability was injected. On the 20th of April 2023, 3CX and Mandiant released their findings. The results are a wake-up call to businesses on the perils of allowing staff to use their own devices.

What happened

A user working on their own device with admin access downloaded some software they thought would be useful. This software had malware embedded in it. When the user then signed in to check their email, the malware gathered their credentials and shared them with a hacker. The hacker then used these details to connect to the company’s VPN and gain access behind the firewall as that employee. From there they were able to use tools to infect both the Windows and macOS build areas.

What can your business do to prevent this type of attack

Prohibit personal devices from logging in to company assets, both through an employee handbook/policy and with conditional access policies (Office 365).

Educate. Let your staff know the perils and risks of using their own device.

Admin rights. Remove all users’ admin access and review access. As general advice, the user that is logged in and browsing the internet should not have admin access; they should always be prompted to enter a password. This prevents silent/accidental installation of software.

Zero Trust application. While painful to set up, using a Zero Trust application policy is a great way to help reduce your risk. EDR/XDR provide further enhancements to your security.

Roll out Intune MAM/MDM. MAM (Mobile Application Management) and MDM (Mobile Device Management) can assist with protecting company assets. MAM lets companies give staff access to company resources on personal/BYOD devices in a secure manner via Intune. Intune APP provides a secure, containerised solution that enforces encryption and a device PIN, and checks device health before allowing access to Office 365.

MAM allows businesses to roll out company resources to personal devices, providing the following functions:

  • Assigning employees mobile apps
  • Configuring apps with standard settings
  • Controlling and sandboxing the use of corporate data
  • Removing corporate data from apps
  • Keeping apps updated
  • Tracking app usage and reporting on inventory

Conditional Access Policy Licensing Requirements

To enable Conditional Access-based policies, your business needs to have one of the following licenses:

  • Azure Active Directory Premium P1 or P2
  • Microsoft 365 Business Premium
  • Microsoft 365 E3 or E5
  • Enterprise Mobility and Security E3 or E5

If you are an educational or government organization, you must use the equivalent “A” or “G” license.
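
One way to apply the conditional access recommendation above with the Microsoft Graph PowerShell SDK, added here as an example and not taken from the original article: it looks for an enforced policy that already requires a managed device for all users and, if none exists, creates one in report-only mode. The policy name and the emergency-access account ID are placeholders chosen for this example.

```powershell
# Added example. Requires the Microsoft.Graph.Identity.SignIns module and an
# admin who can consent to the Policy.ReadWrite.ConditionalAccess scope.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess'

# Placeholder: object ID of an emergency-access ("break glass") account that
# must stay outside the policy so a misconfiguration cannot lock everyone out.
$breakGlassId = '00000000-0000-0000-0000-000000000000'

# Audit first: is there already an enforced policy that demands a compliant
# (Intune-managed) device from all users?
$existing = Get-MgIdentityConditionalAccessPolicy -All | Where-Object {
    $_.State -eq 'enabled' -and
    $_.Conditions.Users.IncludeUsers -contains 'All' -and
    $_.GrantControls.BuiltInControls -contains 'compliantDevice'
}

if ($existing) {
    Write-Output 'Managed-device requirement already enforced by:'
    $existing | Select-Object Id, DisplayName, State
    return
}

$policy = @{
    displayName   = 'Require managed device for all cloud apps (example)'
    # Report-only: sign-ins are evaluated and logged, nothing is blocked yet.
    state         = 'enabledForReportingButNotEnforced'
    conditions    = @{
        users          = @{
            includeUsers = @('All')
            excludeUsers = @($breakGlassId)
        }
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('all')
    }
    grantControls = @{
        # Access is granted if the device satisfies either control; an
        # unmanaged personal device satisfies neither.
        operator        = 'OR'
        builtInControls = @('compliantDevice', 'domainJoinedDevice')
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
$created | Select-Object Id, DisplayName, State
```

Review the report-only results in the sign-in logs before changing `state` to `enabled`, so that staff on devices not yet enrolled are identified first.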

Intune MAM/MDM Licensing Requirements

The following licenses include Intune Plan 1, which provides access to MAM and MDM:

  • Microsoft 365 E5
  • Microsoft 365 E3
  • Enterprise Mobility + Security E5
  • Enterprise Mobility + Security E3
  • Microsoft 365 Business Premium
  • Microsoft 365 F1
  • Microsoft 365 F3
  • Microsoft 365 Government G5
  • Microsoft 365 Government G3
  • Microsoft Intune for Education

For Educational licenses

Intune Plan 1 for Education is included in the following licenses:

  • Microsoft 365 Education A5
  • Microsoft 365 Education A3

What to do next

Speak to one of our Cyber Essentials team. We will start with a basic review of how you are working and then look at how we can help with your particular requirements.

