This morning I noticed an article from Infosecurity Magazine that referenced a study from CyberArk. The article is here so you can see it in context, but check this out:
> Employee work from home habits are putting businesses at a higher risk of cyber-attacks, according to a study by CyberArk. It revealed that a large proportion of remote workers in the UK regularly engage in practices including using unmanaged, insecure BYOD devices to access corporate systems (60%).

https://www.infosecurity-magazine.com/news/employee-work-from-home-habits/
I wasn’t able to find a full survey report for this, but it seems like the data is coming from here. Now, normally I don’t complain about this stuff – or rather I do, but usually privately (with my indoor voice). I felt this one was worth pointing out, though, because I’ve seen it picked up around the trade press (both in Infosecurity and other places). My issue is that I’d debate whether the conclusions logically follow from the data points collected.
There are a few assumptions in this that I’d question. The first is the assumption that BYOD devices are by definition less secure (“77% of remote employees are using unmanaged, insecure “BYOD” devices…”). To support the conclusion that BYOD “puts enterprises at risk”, the implication is that any BYOD device must always be less secure than a provisioned device. This has to be the argument for the conclusion to logically follow. But I can cite numerous examples where it’s not the case: for example, the BYOD equipment I used two jobs ago (i.e. my laptop running a hardened virtual machine) compared to my provisioned desktop computer from 1996. I guarantee you that the BYOD setup of those two is the safer one. Now, I’m not saying it’s not possible, probable, or even likely that BYOD tends to be less secure. Could be. But is it a valid assumption for this conclusion? I really don’t think it is.
The second is the implication that Zoom and Teams are necessarily “insecure” because security vulnerabilities were discovered in them recently (“66% of employees have adopted communication and collaboration tools like Zoom and Microsoft Teams, which have recently reported security vulnerabilities…”). Sure, they have. So have Microsoft Windows, Chrome, VMware and hundreds of other commonly-used software products over the same period. Are those technologies always insecure too? If they are, there aren’t too many people out there writing about it.
Anyway, there is other stuff to potentially nitpick, but the reason I cared enough to write this in the first place is that I think people really are struggling with how their security models hold up in a remote-only context. Many are struggling with how to secure teleconferencing, with equipment considerations, and with numerous other things. I’m all for asking questions and gathering data, but I do think we need to be careful about the presuppositions we bring to the table when analyzing that data.