People have been bringing their own tools to work since the Stone Age, but networked devices have dramatically raised the stakes.
And the crisis is only getting bigger: since the pandemic, use of employee devices and Bring Your Own Device (BYOD) practices have soared. Recent surveys suggest that up to 83% of companies have a BYOD policy of some kind.
But without visibility or control of devices, BYOD can feel less like a great facilitator of work and more like a bulging can of worms. With default admin access, user logins, unsecured devices and unsecured WiFi in the mix, mismanaged BYOD processes can offer hackers countless ways to penetrate an organisation. To manage BYOD safely and successfully, you need a robust, strategic policy that’s backed with both employee training and technical cybersecurity solutions.
What BYOD is, and why businesses love it
The term Bring Your Own Device (BYOD) sometimes just refers to a policy where employees, workers or customers are allowed to use their devices (typically laptops, phones and tablets) for business purposes. But in IT terms, BYOD goes beyond that and refers specifically to instances where workers’ devices are connected to corporate networks.
Why would organisations encourage BYOD in the first place? Its advantages include lower hardware costs, quicker adoption of new technologies and the facilitation of hybrid work environments (a particular focus since COVID hit), with some research also suggesting it makes employees happier and more productive.
But BYOD has its downsides too
Not all employees love BYOD, however, with many feeling that using their personal devices for work blurs the boundary between their work lives and personal lives. For others, it can feel like an invasion of privacy, knowing that their employer can track their physical location and online activity on their personal devices if they choose to do so.
But the biggest headache is security. BYOD is a key player in the shift from an old-fashioned infrastructure and perimeter, in which the organisation controls network access, user ID, endpoints and data location, to something that can – without careful management – feel more like a free-for-all.
Successful BYOD policies need to support a wide range of employee devices and work patterns, as well as account for the risk of lost or stolen devices, the use of insecure or unapproved applications, shadow IT, data storage and security updates.
Concerns about BYOD security have been growing alongside its increased adoption – almost half of companies said their BYOD programmes have increased significantly since the pandemic. A recent study of Australian hospitals showed that personal devices were almost universal – but less than half of hospitals were using BYOD technologies or policies. With more than 8 out of 10 CISOs believing their company is at risk due to inadvertent data leaks by employees, it’s clear that better BYOD strategies are required to counter vulnerabilities.
A practical device policy starts with risk management
Before planning your policy, you should check the legal requirements that concern BYOD. The Australian Cyber Security Centre (ACSC) notes various acts that may influence BYOD adoption in some industries.
Organisations should weigh up the business case for a device policy using risk management, asking questions like:
- Which employees (or partners or customers) require it
- What information or applications they need to access
- What additional issues (such as software licensing and laws around personal data) might arise
- The benefits it will bring
Key questions for security teams managing BYOD
Security teams will need to consider what vulnerabilities are associated with the levels of access BYOD requires. Are the technological capabilities you already have enough to manage BYOD at scale, and how will additional resources be managed?
Wide-scale use of personal devices may well require shifts in approach. Security tools such as mobile device management that suit company-owned devices are often less appropriate for personal devices, since they may compromise device performance and employee privacy. Cloud-based, agentless security tools can be an effective solution here, as they only monitor company data on the device, do not require installation, and allow security teams to manage sensitive data when required.
There’s no one answer to how much security is required on personal devices. If you already operate within a zero-trust framework, you may be less concerned about attacks spreading from devices. Others mitigate that threat by keeping personal and work operating environments separate with the use of managed containers.
You may opt for different security solutions for different devices, purchase software that’s compatible with multiple devices, or not offer support for some devices. If you don’t permit certain applications, meanwhile, rather than keeping an up-to-date blacklist (which can be a time-consuming job), it may be more efficient to instead whitelist trusted apps, with everything else blocked by default.
How to create a smarter BYOD policy
Once you understand the opportunities, risks and security solutions associated with particular approaches, you can start to build device guidelines that work for you. It’s still worth looking outside your organisation for inspiration, and various templates can be found online – try exploring Sport New Zealand, Business Victoria, and this NSW health district for size. Security frameworks such as Australia’s Essential Eight also offer guidance.
Your approach should be collaborative, with guidelines jointly developed by stakeholders across IT, cyber, legal, HR and employee representatives. That will help you build a balanced approach and get buy-in from different departments, helping different teams understand and stick to the rules.
Classic BYOD policy guidelines
BYOD guidelines should communicate policies and expected behaviour in clear, straightforward language. Key areas to cover include:
- Requiring strong passwords, with use of passphrases, multi-factor authentication (MFA) and frequent password changes standard
- Requiring or recommending native security features (such as lock screens and codes)
- Requiring frequent updates and patching to protect devices from attack
- Ensuring data is encrypted and mandating which applications can be used for data transfer
- Guidelines on non-work device use (phone calls, social media), or taking videos or photos during work hours
- Clear information on company contributions to any personal device costs or bills
- Noting what technical support is available, and how employees can provide feedback
- Lists of approved or banned applications (noting the preferred applications for messaging, email etc), as well as any mandatory security software
- Workers’ obligations around data, and any consequences such as disciplinary action that may result from breaches
- Explaining to employees how data and activities are tracked, how policies are imposed, and who owns what content and applications on personal devices
- Procedures for removing data and permissions from devices for outgoing employees
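To show how the guidelines above and the allowlist-by-default approach from the earlier section translate into an enforceable check, here is an added example (not from the article or any named product) that evaluates a device posture record against a constructed policy: patch age, encryption, screen lock, MFA enrolment, and a default-deny application allowlist. The policy values, field names and sample devices are assumptions chosen for illustration.

```python
from dataclasses import dataclass, field
from datetime import date

# Constructed policy values for illustration; a real BYOD policy sets its own.
APPROVED_APPS = {"corp-mail", "corp-chat", "authenticator"}  # allowlist: all else denied
MAX_PATCH_AGE_DAYS = 30
MIN_PASSCODE_LEN = 6


@dataclass
class DevicePosture:
    """Posture as reported by an agentless check (hypothetical field names)."""
    owner: str
    os_patch_date: str          # ISO date of the last OS security update
    disk_encrypted: bool
    screen_lock: bool
    passcode_len: int
    mfa_enrolled: bool
    installed_apps: set = field(default_factory=set)


def disallowed_apps(installed):
    """Default-deny: anything not on the allowlist is flagged, so new apps
    need no blocklist update to be caught."""
    return set(installed) - APPROVED_APPS


def evaluate(device, today):
    """Return a list of policy findings; an empty list means compliant."""
    findings = []
    patch_age = (date.fromisoformat(today) - date.fromisoformat(device.os_patch_date)).days
    if patch_age > MAX_PATCH_AGE_DAYS:
        findings.append(f"OS patch {patch_age} days old (max {MAX_PATCH_AGE_DAYS})")
    if not device.disk_encrypted:
        findings.append("storage not encrypted")
    if not device.screen_lock or device.passcode_len < MIN_PASSCODE_LEN:
        findings.append("screen lock missing or passcode too short")
    if not device.mfa_enrolled:
        findings.append("MFA not enrolled")
    for app in sorted(disallowed_apps(device.installed_apps)):
        findings.append(f"app not on allowlist: {app}")
    return findings


def access_decision(device, today):
    """Gate access to company data on a clean evaluation."""
    return "allow" if not evaluate(device, today) else "deny"


if __name__ == "__main__":
    # Constructed sample device; "personal-game" is not on the allowlist.
    sample = DevicePosture("bob", "2024-01-01", False, True, 4, False, {"corp-mail", "personal-game"})
    print(access_decision(sample, "2024-03-15"), evaluate(sample, "2024-03-15"))
```

Findings are returned as data rather than only printed so they can feed the monitoring and executive reporting the article recommends.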
Setting a BYOD policy is just the start
Establishing a well-considered BYOD policy is just the first step. Full scale implementation can take time, and IT and security staff may need extra resources to provide ongoing support and monitoring. The policy needs to be widely shared, and awareness and education sessions should continue for both new starters and old hands.
You should regularly source feedback and combine it with monitoring and your awareness of the wider threat landscape. That information can be reported back to senior executives and used to tweak your policy and the software solutions that underpin it. Doing so will help you build BYOD that’s fit for today and can evolve with the devices of tomorrow.