International Cyber Expo International Cyber Expo
  • About Us
Wednesday, 8 July, 2026
IT Security Guru
International Cyber Expo
  • Home
  • Features
  • Insight
  • Channel News
  • Events
    • Most Inspiring Women in Cyber 2026
  • Topics
    • Cloud Security
    • Cyber Crime
    • Cyber Warfare
    • Data Protection
    • DDoS
    • Hacking
    • Malware, Phishing and Ransomware
    • Mobile Security
    • Network Security
    • Regulation
    • Skills Gap
    • The Internet of Things
    • Threat Detection
    • AI and Machine Learning
    • Industrial Internet of Things
  • Multimedia
  • Product Reviews
  • About Us
No Result
View All Result
  • Home
  • Features
  • Insight
  • Channel News
  • Events
    • Most Inspiring Women in Cyber 2026
  • Topics
    • Cloud Security
    • Cyber Crime
    • Cyber Warfare
    • Data Protection
    • DDoS
    • Hacking
    • Malware, Phishing and Ransomware
    • Mobile Security
    • Network Security
    • Regulation
    • Skills Gap
    • The Internet of Things
    • Threat Detection
    • AI and Machine Learning
    • Industrial Internet of Things
  • Multimedia
  • Product Reviews
  • About Us
No Result
View All Result
IT Security Guru
No Result
View All Result

How DaaS Solutions Can Create New Security Challenges For BYOD Teams

by David Soffer
July 8, 2026
in Data Protection
laptop-working
Share on FacebookShare on Twitter

Bring your own device (BYOD) arrangements can help organisations work with contractors, staff who travel, and employees who prefer their own hardware. The tradeoff is straightforward. Company systems are accessed from machines that IT did not buy, configure, or repair. Some will be patched late. Others may be shared at home or used on networks the organisation cannot see.

The risk is not limited to the laptop. Vulnerability exploitation now accounts for 31% of breaches, making it the primary cause of data theft. The figure does not measure BYOD exposure specifically, but it is a useful reminder that remote work depends on several components being maintained properly. A personal device, browser, login service, and cloud desktop can all become part of the same access path.

Often, the go-to answer is Desktop as a Service, or DaaS. You put a company-managed desktop in the cloud and stream it down to whatever laptop, tablet or smartphone the remote team member is using. Nothing sensitive ever sits on the actual device, so the hardware itself becomes less of a concern. But that’s not really how it works. DaaS doesn’t get rid of the trust boundary, it just drags it somewhere else. Now everything comes down to the endpoint – how someone logs in, how the session is locked down, and how the streaming client itself is set up. 

Sure, hosting a work desktop in the cloud puts some distance between company files and personal equipment. That has obvious value, particularly for organisations that need to support people on unmanaged devices. It does not make securing the personal device irrelevant, however, nor does it simplify every security decision that follows.

A Hosted Desktop Does Not Address All Endpoint Risk

Organisations considering DaaS solutions should look beyond where the desktop is hosted. Applications, files, and processing may sit in a centrally managed environment, but a user still reaches them through a personal device. Their session depends on the security of that device, the identity service, the access client, and the rules that govern the desktop.

Industry guidance on telework and BYOD recognises that virtual desktop infrastructure can help protect work carried out on devices outside an organisation’s control. However, it should not be read as a guarantee that an unmanaged endpoint is safe. 

The endpoint still handles credentials and displays potentially sensitive information. The DaaS environment also needs secure images, session settings, and access level.

The Personal Device Still Sits In The Middle

DaaS can reduce the need to use local storage, but it cannot turn an unmanaged laptop into a trusted corporate endpoint. Malware may steal credentials before a user starts a hosted session. A malicious browser extension can interfere with a login. On a shared computer, an unlocked session or a saved password may be enough to expose company information.

The policy needs a practical baseline. A supported operating system, browser updates, encryption, and a screen lock may be reasonable requirements for most users. More sensitive work may justify stronger checks before a session begins. 

The goal is not to impose full corporate management on every personal device. It is to stop a low-assurance machine from reaching systems where the consequences of compromise are high.

Stolen Credentials Can Open a Wider Workspace

A virtual desktop may become the doorway to email, internal applications, and shared data. That makes an account takeover more serious than a single-service login. An attacker who gets through may inherit much of the user’s working environment.

NIST’s digital identity guidance requires systems at Authentication Assurance Level 2 to offer a phishing-resistant authentication option. Cyber teams using DaaS should consider phishing-resistant sign-in methods, shorter sessions for sensitive roles, and an extra check before high-risk actions.

Administration needs its own set of rules. The people who manage desktop images or access policies should use separate privileged accounts rather than the identities they use for day-to-day work. That keeps a routine email compromise from immediately becoming a management-plane compromise.

Virtualisation Involves Additional Maintenance Work

A DaaS service can reduce the workload of maintaining a fleet of company laptops. However, it also introduces more services to configure and monitor. Desktop images need patching. Identity and network rules need review. Management consoles, brokers, and cloud accounts each have permissions that can be set too broadly or left unchanged.

The shared-responsibility model needs to be translated into named tasks. A provider may protect the underlying infrastructure, while the customer remains responsible for access rules, image hygiene, monitoring, and incident response.

A gap between those assumptions is where vulnerabilities and blind spots tend to remain. Security teams should know who owns each configuration decision, who reviews the logs, and who responds when a compromised user account reaches a virtual desktop.

Bad Performance Changes User Behaviour

Security controls face a practical test when a remote desktop is slow, drops connections, or makes routine tasks awkward. Employees under pressure will find another route. They may download a file to a personal folder, send it through private email, or move a discussion to an unapproved collaboration tool. This defeats the purpose of establishing controls in the first place.

A pilot should cover the conditions people actually work in. Include typical home internet connections and older devices, rather than testing only on a fast office network. Ask users to perform their normal tasks. Login success alone says very little about whether the service will be used as intended.

A secure design that is frustrating in daily use can eventually produce its own shadow IT problem. That is especially relevant for employees whose roles involve large files, video calls, specialised applications, or time-sensitive customer work.

BYOD Controls Can Go Too Far

Organisations need some assurance about devices connecting to business systems. Employees still have a reasonable expectation that their personal files and activity remain personal. The friction begins when an endpoint tool appears able to inspect everything on a laptop, monitor non-work activity, or wipe the whole device following an incident.

The policy should state what the organisation can see and what it can remove. Selective removal of corporate information is easier to explain than a full wipe of a personal device. Those details should be agreed upon before access is granted, not raised after an employee has installed the required client.

People are more likely to accept controls when the boundary is specific and credible. A vague assurance that the company will respect privacy may not be enough when employees are being asked to install software on a device they also use for banking, family communication, and personal storage.

Start With the Work, Not The Desktop

DaaS can be a strong option for BYOD programmes because it keeps business applications and data in a controlled environment. Its security depends on the path users take to reach that environment and the permissions they have once inside.

Before choosing a platform, organisations should understand the work being done, the devices being used, and the data that could leave the session. That gives them a clearer basis for deciding which controls are essential, which conveniences are acceptable, and where a personal device should stop having access.

ShareTweet
Previous Post

AI Needs Human Expertise: How Securonix and Acora Are Transforming Security Operations

Next Post

Black Duck Lands Leader Spot in Gartner’s Brand-New Software Supply Chain Security Magic Quadrant

Recent News

malware

Huntress Uncovers ‘Vibe-Coded’ Malware Used to Map Active Directory Environments

July 8, 2026
Check Point’s ThreatCloud AI Blocked 4.6 Billion Attacks in 2025, Latest ESG Report Reveals

Check Point’s ThreatCloud AI Blocked 4.6 Billion Attacks in 2025, Latest ESG Report Reveals

July 8, 2026
Kirsty Fowler, WorkNest Secure

Next Gen Spotlights: Building a More Resilient Future – Q&A with WorkNest Secure

July 8, 2026
Mike Winston on Why Jet.AI Shifted From Aviation to AI Infrastructure

Mike Winston on Why Jet.AI Shifted From Aviation to AI Infrastructure

July 7, 2026

The IT Security Guru offers a daily news digest of all the best breaking IT security news stories first thing in the morning! Rather than you having to trawl through all the news feeds to find out what’s cooking, you can quickly get everything you need from this site!

Our Address: 10 London Mews, London, W2 1HY

Follow Us

© 2015 - 2026 IT Security Guru - Website Managed by Dessol

  • About Us
Manage Consent
To provide the best experiences, we use technologies like cookies to store and/or access device information. Consenting to these technologies will allow us to process data such as browsing behavior or unique IDs on this site. Not consenting or withdrawing consent, may adversely affect certain features and functions.
Functional Always active
The technical storage or access is strictly necessary for the legitimate purpose of enabling the use of a specific service explicitly requested by the subscriber or user, or for the sole purpose of carrying out the transmission of a communication over an electronic communications network.
Preferences
The technical storage or access is necessary for the legitimate purpose of storing preferences that are not requested by the subscriber or user.
Statistics
The technical storage or access that is used exclusively for statistical purposes. The technical storage or access that is used exclusively for anonymous statistical purposes. Without a subpoena, voluntary compliance on the part of your Internet Service Provider, or additional records from a third party, information stored or retrieved for this purpose alone cannot usually be used to identify you.
Marketing
The technical storage or access is required to create user profiles to send advertising, or to track the user on a website or across several websites for similar marketing purposes.
  • Manage options
  • Manage services
  • Manage {vendor_count} vendors
  • Read more about these purposes
View preferences
  • {title}
  • {title}
  • {title}
No Result
View All Result
  • Home
  • Features
  • Insight
  • Channel News
  • Events
    • Most Inspiring Women in Cyber 2026
  • Topics
    • Cloud Security
    • Cyber Crime
    • Cyber Warfare
    • Data Protection
    • DDoS
    • Hacking
    • Malware, Phishing and Ransomware
    • Mobile Security
    • Network Security
    • Regulation
    • Skills Gap
    • The Internet of Things
    • Threat Detection
    • AI and Machine Learning
    • Industrial Internet of Things
  • Multimedia
  • Product Reviews
  • About Us

© 2015 - 2026 IT Security Guru - Website Managed by Dessol