BYOD and the Expanding Attack Surface We are Overlooking

The 2025 Verizon DBIR warns: Unmanaged personal devices are fueling credential theft. Here’s what IT heads and employees need to know.
In today’s hybrid, fast-moving work environments, it’s easy to assume that flexibility equals productivity. Employees log in from airports, home offices, and cafes.
They check dashboards on their phones. They respond to Teams messages from personal tablets. Very convenient. It works. But it’s also quietly becoming a major security risk.
The 2025 Verizon Data Breach Investigations Report (DBIR) revealed a critical insight: Bring Your Own Device (BYOD) habits, when unmanaged, are now among the top contributors to breaches. The researchers found the following:
– 46% of systems with stolen credentials were non-managed, i.e., personal devices.
– Only 30% of compromised devices were enterprise-licensed.
– Many of these devices were used to access corporate systems but lacked any centralized controls, visibility, or protection.
Here’s an example:
Imagine a regional operations lead at a convenience store chain with hundreds of locations. While traveling between sites, she logs into the store’s pricing and supply portal from her personal laptop, the same one her kids use at home for gaming and streaming.
Unbeknownst to her, that device is already infected with malware from a rogue browser extension. It silently records keystrokes, capturing her corporate login credentials.
She uses the same password for her personal email and the supplier portal. Within days, attackers use those credentials to access inventory data and vendor systems, eventually pivoting to POS configurations across multiple stores.
What follows?
– A multi-state forensic investigation, emergency reconfigurations, and a six-figure cleanup.
– The breach didn’t begin with a zero-day exploit or a nation-state actor.
– It started with a trusted employee and a personal laptop.
As BYOD Grows, So Does the Risk
BYOD policies (or the lack of them) emerge out of convenience:
– Employees don’t want to carry two phones.
– Contractors or vendors need quick access to systems.
– Small teams bypass red tape to get things done.
But unmanaged access is unmanaged risk, especially when these devices reach email, cloud storage, project tools, or anything tied to the corporate network.
What Employers Can Do:
✔️ Audit and classify all access points – Enforce configurations and security policies uniformly across every access path; having centralized access to M365 and saying “everything is managed in the cloud” is not sufficient.
✔️ Enforce secure access – Use device posture checks, MFA, and conditional access rules before allowing logins.
✔️ Segment access – When possible, mandate corporate-supplied devices for access, and ensure that third parties are using their own corporate-provided or managed devices.
✔️ Educate employees – They may not realize that using a personal device for work makes them part of the security surface.
✔️ Update BYOD policy and share it clearly – If it hasn’t been reviewed in two years, it’s outdated.
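As an added illustration of the posture and conditional-access checks in the list above (example code written for this page, not from the DBIR or any vendor product; the SignIn fields, the resource names and the 30-day patch threshold are assumptions), a small rule evaluator that blocks unmanaged devices from sensitive portals, requires MFA, and restricts the session otherwise, plus the audit count of unmanaged sign-ins:

```python
from dataclasses import dataclass

# Hypothetical sign-in context as a conditional-access engine would see it.
# Field names are assumptions for this example, not any vendor's schema.
@dataclass(frozen=True)
class SignIn:
    user: str
    resource: str          # e.g. "pricing-portal", "mail"
    managed: bool          # enrolled in MDM or joined to the tenant
    compliant: bool        # posture check passed (disk encryption, EDR running)
    patch_age_days: int    # days since last OS update; -1 = unknown (unmanaged)
    mfa_done: bool         # MFA satisfied in this session

# Resources that must never be reached from an unmanaged device.
SENSITIVE = {"pricing-portal", "supplier-portal", "pos-config"}
MAX_PATCH_AGE_DAYS = 30

def decide(s: SignIn) -> tuple[str, str]:
    """Apply rules in priority order; returns (decision, reason) where
    decision is "block", "mfa", "allow-restricted" or "allow"."""
    if not s.managed:
        # A personal device reports no posture, so gate by resource
        # sensitivity and MFA, then limit what the session can do.
        if s.resource in SENSITIVE:
            return "block", "sensitive resource requires a managed device"
        if not s.mfa_done:
            return "mfa", "MFA required before any unmanaged access"
        return "allow-restricted", "unmanaged: browser-only, no download/sync"
    if not s.compliant:
        return "block", "managed device failed posture check"
    if s.patch_age_days > MAX_PATCH_AGE_DAYS:
        return "block", f"OS unpatched for {s.patch_age_days} days"
    if not s.mfa_done:
        return "mfa", "MFA required for this resource"
    return "allow", "managed, compliant and MFA satisfied"

def unmanaged_share(signins: list[SignIn]) -> float:
    """Fraction of sign-ins from unmanaged devices, for the access audit."""
    return sum(not s.managed for s in signins) / len(signins) if signins else 0.0

# Constructed sample: the ops lead from the story on her personal laptop,
# then a compliant managed device, then a managed device 45 days unpatched.
SAMPLE = [
    SignIn("ops-lead", "pricing-portal", False, False, -1, True),
    SignIn("ops-lead", "mail", False, False, -1, True),
    SignIn("analyst", "pricing-portal", True, True, 3, True),
    SignIn("analyst", "mail", True, True, 45, True),
]
```

Running `decide` over `SAMPLE` blocks the personal laptop from the pricing portal while still letting it read mail in a restricted session, and `unmanaged_share` gives the kind of figure the audit step should surface.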
What Employees Need to Know
Your personal device isn’t invisible to hackers. If it connects to work apps, cloud storage, or email, it’s a risk factor.
One forgotten update. One reused password. One wrong click. That’s all it takes.
Good personal device hygiene includes:
✔️ Keeping software up to date
✔️ Using EDR and XDR tools
✔️ Using centralized user access management policies and identity provider solutions with secure storage of keys
✔️ Logging out of work systems when done
✔️ Most importantly: treat work data like company property, even if you’re accessing it from your own device.
Final Thought
BYOD isn’t going away, and neither are the attackers exploiting it.
The solution may lie in allowing BYOD but applying enterprise-level security controls, like MDM (Mobile Device Management), endpoint protection, and the capability to erase corporate data remotely in case of a compromise. It comes down to visibility, policy, and shared responsibility between organizations and their people. The next breach might not come from a phishing email. It might come from the unlocked phone in someone’s back pocket.