‘Bring your own device’ or BYOD is not a new concept in our digitised modern working world, but the practice has become significantly more popular over the last couple of years as a result of the pandemic necessitating more remote and hybrid working styles. Government statistics show that 47% of companies were operating BYOD in the 2021.
Allowing employees to use their own devices offers more convenience, higher productivity and can help to reduce overhead costs for an organisation. However, BYOD comes with a number of security risks that are important to identify and address in order to securely take advantage of the benefits.
Compliance
When dealing with others’ devices, it can be difficult to have the same level of control, visibility and management as you would over company-owned devices. Complying with a company’s security policies and processes is not as straightforward which is why a separate policy to deal with BYOD is preferable.
Depending on the nature of the data and systems one can normally access in a corporate environment, user access privileges may need to change when using personal devices. Sensitive data will not be as well protected outside of corporate systems, so consider the level of risk and impact to your business before allowing access for BYOD users.
Unsupported/out-of-date devices
Devices that are no longer supported are at serious risk of being infected by malware. Companies have to ensure that personal devices being used for work are updated with the latest operating systems and this is a lot harder to manage. This is particularly pertinent for mobile phones, which can often be given less attention than laptops and computers. Users tend to go into autopilot on their phones since we are so used to using them day in and day out, but this can lead to poor security habits.
Blurred lines between personal and business use
There is often very little corporate visibility and control when it comes to BYOD, especially with employees working from home. People working on their personal devices are often a lot more comfortable, and it is unlikely they are used exclusively for work-related activities. Unfortunately, this means a high chance that employees are not using the devices as securely as they should be, downloading dodgy apps or accessing unsafe websites. For example, in 2016, hackers took advantage of the hype surrounding popular app Pokemon Go’s release, and created a modified version with malicious code installed. If this was downloaded onto a personal device also used for work, this could give the malware access to the company network when the user next logged in.
It’s always going to be difficult for companies to monitor all activity on personal devices but policies offering guidelines and rules around usage as well as regular employee training can help to avoid these kinds of security incidents.
Device Movement
When operating a BYOD working style, employees’ devices are not kept securely in an office environment. Remote workers may be travelling around as they work on their personal device, connecting to different wifi networks that are very unlikely to be as secure as your company network. Public networks are often targeted by hackers for this reason. The best way around this is to have employees use a VPN on personal devices, which will provide a secure, encrypted connection for any online activity, protecting information from hackers.
Mistakes happen. Devices moving around have more potential to be stolen or lost. If employees are not following proper security protocols, this could mean cybercriminals accessing important data. For example, an employee may decide to keep all their account passwords stored on a note in their phone making it easy for someone to hack their way in. Companies should ensure they have measures in place to minimise the damage should an employee lose their device, such as using mobile device management software to wipe the device of information as soon as the employee reports it stolen.
Insider Attacks
What happens when an employee no longer works for your company? If they retain access to company applications and accounts that means they could steal data or tamper with files from their own device. It’s important to have user access protocols established, allowing an organisation to immediately revoke access when an employee stops working there so they can no longer access company files and data.
Developing your BYOD policy
Ensuring your company has a proper BYOD policy outlining all security requirements helps to clarify what you expect from employees using their own devices. A lot of the time, staff may not appreciate the part they play in the security of an organisation and why BYOD presents the risks it does. The objectives and concerns will differ for a user and an organisation. Where users want a working style that is convenient and flexible, organisations will want to know they are not posing a huge security risk and exposing sensitive data.
BYOD users should strictly follow the security policies set out by an organisation and this is why it’s important not to allow ‘one-offs’ where an employee might work on their personal device. BYOD should be a fully established flexible working situation that has been carefully considered, with the policy read and acknowledged by each individual user that will be operating that way.
Some of the key areas a BYOD policy should include are:
- Password security: Multi-factor authentication as a minimum requirement
- Network security: Use of a VPN
- User access: what company resources and assets will employees be able to access on their own devices? How will you ensure accesses are revoked when necessary?
- How much control will the company have over employee personal devices? Bear in mind, employees will not want to feel like their privacy is being encroached.
- Minimum security requirements: what are the minimum versions for operating systems and devices that will be expected?
- What rules around BYOD usage will you set? For example, avoiding public networks, downloading certain applications.
- Will you require employees to take part in cyber awareness training to encourage best practices when working on their own devices?
Organisations are still struggling to implement BYOD securely, but only 49% of companies actually have a BYOD policy. Without a policy, BYOD can be even more challenging to manage and you run the risk of employees being unclear about what they can and cannot do with their personal devices for work. Having a clear and understandable policy that deals with BYOD is vital if you expect your employees to do their part to keep things secure. Writing policies can be daunting if you lack the internal resources but external IT providers and security companies can often offer helpful guidance.
BYOD is becoming more heavily adopted by organisations every year, offering numerous benefits, and there is no reason why these cannot be enjoyed as long as security risks are properly dealt with. Allowing company data to be accessible from multiple networks and devices makes it that much more vulnerable, but unpacking the risks and properly mapping out a BYOD policy to address them will allow your business to reap the benefits while maintaining a decent level of security.