BYOD (Bring Your Own Device) or BYOT (Bring Your Own Technology) offers many advantages in the workplace. However, using personal devices to access confidential information or the organization’s applications does pose an increased security risk. As long as the company is aware of these risks, and a BYOD security policy is in place, it is possible to reap the benefits of BYOD.
This article will highlight all the possible risks and challenges your company may face, and endeavor to guide you through how to define and implement a policy that will protect your organization.
The need for BYOD
Trends from 2012 to 2020 shows the rampant increase in the BOYD market in the US. With the ever increasing trend towards smartphones getting smarter; faster and more affordable data networks, more employees have access to devices, even in developing countries.
It makes sense to allow employees to use their personal device for business. Each person is comfortable and proficient using their own device, and having one single device for personal and business provides a seamless user experience without the need to constantly sync or transfer data around, or juggle different user profiles and passwords.
The BYOD market is forecast to exceed $366 billion in 2022. According to a Frost & Sullivan report, 78.48% of US organizations have already embraced BYOD in some way. The UK is slowly catching up at 45%.
BYOD Security Risks
There are various areas of concern that your organization must be aware of, and plan your BYOD policy accordingly.
Mobile devices are easy targets for malware. Users often download applications, games and utilities without much thought to security, granting blanket permissions settings without paying attention to the terms and conditions. While it is possible to revoke permissions, too often it’s too late.
When using a laptop or desktop computer, it’s so easy to keep delaying security updates as it’s not convenient, but this is extremely risky. All patches should be applied when the various manufacturers release them. In a BYOD environment, it is important to ensure all devices are running the latest operating systems with the most recent updates applied.
Many personal devices are poorly protected by the free versions of antivirus software or not at all. Too often these provide a poor defense against cyber attacks.
Data Leakage and Loss
Whether your employee uses their personal device to access their mailbox or other business data, there is a risk for data leak and data loss. If a user falls victim to a phishing attack or malware, that device poses a huge threat to your organization. Once an attacker gains access to a device they can:
- • Read and access all data on the device;
- • Abuse stored credentials to access otherwise unauthorized resources in the corporate network. This is incredibly dangerous and hard to identify as it would appear to be normal legitimate access unless a data breach is reported;
- • Attackers can download and delete all business data, holding companies hostage if they wish to retrieve their data. This highlights the importance of backups for all pertinent data;
- • Lost or stolen devices can pose a risk especially if an employee does not have sufficient security to prevent unauthorized access to their mobile device. If a user stores their passwords on their device, this would be an open door for unauthorized access to various sites and applications.
Mixing Personal and Business Use
When an employee is using their personal device for work, an overlap is inevitable. It’s impossible to regulate what your employees use their personal device for during their personal hours. Personal devices may be used to access websites that may be deemed inappropriate or tarnish the company’s profile.
Jailbreak is a term to describe the intentional removal of restrictions on devices. The most common case of this is to bypass limits of service providers. While this may make the device more user friendly for the individual – it poses increased risks for the organization.
It may be necessary for the company’s IT department to install software or configure a Mobile Device Management (MDM) system to protect corporate data. This poses another problem which may be seen as a violation of your employees and their privacy. Most employees would not give consent to any software that would track or monitor their usage of their own personal device.
Device incompatibility problems
With so many different device manufacturers with different operating systems, the process of implementing BYOD effectively is hindered by the wide variety of setups, hardware configurations and protocols.
Source: Help Net Security, 2020
Security Measures for BYOD
The risks of BYOD can be mitigated with the right security solution. The best BYOD security solution must address each of the issues mentioned below:
Application Installation Control
Your IT department can make use of a number of tools that can control what apps are installed on each employee’s device. It is for example possible to restrict access to the App Store on iOS phones. Using Android Enterprise, access to applications on Google Play can be restricted to only approved applications.
These measures however may be difficult to implement as users may not be willing to have their freedoms restricted or monitored. It’s also reasonable to expect to be able to use your own device however you choose when “not on the clock”. Android Enterprise provides a solution to this by creating containerized environments within your Android devices – keeping business and pleasure separate. Containerization will be discussed in detail later in this article.
Implement Mobile Device Management (MDM) Software Application
Mobile Device Management (MDM) software allows secure remote control over devices that are connected to the organization’s network. These devices include laptops, printers, smartphones and tablets. MDM software is especially useful when a device is lost or stolen, as IT are able to remotely delete any confidential data, or even lock the device to render the hardware useless.
There are many applications available to assist your company in creating a secure BYOD policy. Here are a few popular ones:
- Microsoft Intune: this is a cloud based service that provides a mobile device management (MDM) and mobile application management (MAM) system.
- Cisco Meraki: A secure and scalable unified endpoint management system to manage all your devices and networking hardware.
- Citrix XenMobile Mobile offers a comprehensive solution to manage mobile devices, applications and data.
- VMWare Airwatch Workspace One is another cloud based BYOD security solution that makes it possible to deliver and manage apps on any device.
- Crowdstrike Falcon – Endpoint Protection Available for Android and iOS, crowdstrike allows for application shielding, threat detection and alerts for phishing scams.
- SimplySecure is a cloud based endpoint management service for mobile device management.
Encryption for Data at Rest and in Transit
Due to the nature of BYOD it is imperative for all sensitive data to be encrypted. This applies to data storage and transit. Encryption serves as a safety net should your data land up in the wrong hands.
Strong passwords are not enough. Data must be encrypted for the entire lifecycle of the data, while at rest and in transit. All encryption keys should be under the management of the organization’s IT department.
Containerization is the packaging and segregation of a device into a safe bubble. Each “container” can be protected by a separate password with its own security policies. This allows the users to access their device without a risk of cross contamination and introducing security risks to the company’s network.
When accessing data or applications within a container, all other applications or parts of the device not included in the containerized area become inaccessible. Containerization offers the best of both worlds as the employee can still access their device, but personal apps are inaccessible during work hours.
Containerization doesn’t provide any security to the user’s personal data outside of the container.
Certain applications can be disallowed or blacklisted if it is deemed to be a security risk. Companies can restrict access accordingly. Things deemed not relevant to work, such as video streaming or games can be blocked to improve productivity. Some document sharing platforms are also blacklisted to avoid data being shared indiscriminately.
Blacklisting is not viable in a BYOD environment. It’s not appropriate for companies to prevent employees from accessing whatever applications and websites they want to on their own device during their own personal hours.
The opposite of blacklisting, whitelisting involves a list of approved applications that employees can access. Whitelisting is a more effective means of control as it’s much easier to say what is allowed rather than trying to keep abreast of all applications available on the internet.
Like blacklisting, it’s difficult to control what employees can access on their personal devices.
Ask for Registration with the IT Department
It is recommended that all employee devices are registered with the company’s IT department. This makes it easier for IT to keep track of what is accessing the corporate network making it easier to detect any unauthorized connections. This is something that can be easily done during the employee onboarding process.
Consider an Employee Exit Policy
When an employee leaves the company, there must be a process whereby all corporate data is removed from the employee’s personal devices. It is advisable to create exit protocols to ensure that this happens without compromising the employee’s own data or personal information. It is advisable to make a backup of all personal data before any removal process is initiated.
Educate Your Employees about Security
Many security breaches are as a result of human error. It is of utmost importance to educate all staff members of the company BYOD security policy. It must be clear what each person may or may not do on their devices and why. Repercussions must also be made clear at the onset. It is important to highlight the fact that a BYOD policy is to protect everyone.
Remote Work Device Practices
A survey by Mordor Intelligence conducted on 1013 employees provides an interesting insight into company BYOD policies.
Just over half (51.0%) said their companies had specified BYOD policies on how personal devices must be secured. 11.1% reported they were unsure.
When asked whether companies spent money to secure both work issued and / or personal devices – 84.8% only secure work issue devices. Companies that offer paid security for both work issued and personal devices came in at 76.4%. Personal devices were only covered by 49% of employers.
Passwords are still the most relied upon security measure for both work issued and personal devices. Personal devices tend to use Antivirus software more as their first line of defense at 61.4% over 57.2% for passwords. Encryption comes in last at around 45% for both work and personal devices.
BYOD when implemented correctly can be beneficial to both organization and employee alike.
The 1013 employees surveyed offered many different reasons why they use their personal devices at work. The most popular reason, at 31%, was the convenience of having a centralized location for everything work and personal alike. Other reasons included 29.3% where organizations simply didn’t provide their workforce with the required hardware. 22.6% found work issued devices simply lacking in performance and function, and 22.3% liked not having to switch between devices.
With the increase in remote working due to Covid 19, the use of personal devices for work over the surveyed group, increased by over 58%. 61.8% report not receiving any work stipend for using their personal devices for business.
- • Financial Savings. Not having to supply your workforce with hardware translates to a huge saving. The company still has to finance the security policies such as mobile device management (MDM) software though this generally costs a lot less than the cost of buying and maintaining equipment.
- • Increased productivity. Employees know their own devices best. This means less learning time and more productivity. Employees also tend to take care of their own devices better than they would a work issued device.
- • Flexibility and independence. Employees are free to work wherever and whenever they want. They are also not limited to brands or devices preferred by the organization.
- • Increased employee satisfaction and job satisfaction. Employees don’t have to carry several devices around with them. They are also free to choose their own device that meets their own preferences.
- • Potential future employees will find it appealing. Reports suggest that employees prefer an organization that allows employees to use their own device. This positive image can help the company attract a better workforce.
- • Better employer-remote employee relationships. Communication between employer and employee and even between employees is improved as staff tend to have their personal device with them all the time.
- • Less Training. With the familiarity of their own preferred device, the company need not provide training for their employees on how to use specific devices.
BYOD Trends and Predictions
With hybrid working, BYOD is only forecast to become ever more popular. According to the research the market is predicted to reach $367 billion in 2022. This is a 1000% increase since 2014.
Between 2017 and 2022, the compound annual growth rate (CAGR) of the BOYD market is estimated to be 15%.
Nearly 60% of surveyed employees confirmed that their use of personal devices for work increased during the Covid pandemic. 30.6% said the pandemic had no effect on their use of personal devices, and 11% reported a reduction in personal device use.
There is a prediction that BYOD will extend to include wearable technology in the workplace. This includes the likes of smart watches which can be used to read messages or emails allowing employees to be reachable and online from anywhere.
While the increased popularity of BYOD may bring cost savings and increased productivity, it also exposes the company to greater security risks. IT departments must be ready to implement and monitor security policies constantly to make the BYOD model a success.