A bring-your-own-device (BYOD) policy allows employees and other staff to bring their personal laptops and smartphones to work and connect them to the corporate network. BYOD is common across many companies, and employees like it because they may feel more comfortable using their own devices. However, the use of personal devices presents a challenge to the organization’s ability to secure the network environment. Therefore, a BYOD policy must be fully defined to protect corporate data from theft.
Devices owned by the organization are easy to control because administrators control what’s installed on the device and force updates and configuration changes. With BYOD, administrators must balance cybersecurity with device owner privacy.
BYOD security has several components, all of which must be planned to fit your unique business requirements and avoid being too invasive on private user devices. To implement a sound cybersecurity strategy, you must determine applications and assets that can be accessed from a personal computer or smartphone. You might also require specific minimum security controls for the device.
For example, a user might use a smartphone to connect to email or collect other business-specific data. Before the user can connect to your network, they should have antivirus installed. An antivirus application protects the device from malware and keeps your organization compliant. This request protects corporate data but does not interfere with the user’s private device.
Mobile device and smartphone technology changes rapidly, so cybersecurity must keep up with those constant changes. Technology iterations typically follow specific trends, and the more popular a trend, the more attention it gets from attackers. Therefore, cybersecurity strategies must also follow trends.
BYOD strategies also change to develop better infrastructure without invading users' privacy. A few popular BYOD policy trends include:
- Device requirements: Users can only connect to network resources if they have a minimum supported operating system and use only a designated list of device manufacturers. This requirement avoids attacks from hidden malware and outdated operating systems.
- Lost devices must be reported immediately: Ideally, users install a remote wiping application to protect business data in the event of a lost or stolen device. Even without a remote wiping feature, users should still immediately report a device when it is no longer in their possession.
- BYOD privacy policies: All BYOD policies should be transparent so that users can fully understand what must be installed and configured to bring their devices to work. This includes remotely connecting to the network from their devices.
Given that mobile devices typically feature fewer cybersecurity controls and protections, attackers target them more frequently. With a BYOD policy at work, employees could put your business data at risk. Even with the above-stated risks, BYOD offers monetary value to organizations, typically improving budgets and lowering operational costs.
A few interesting statistics for BYOD:
- Mobile devices give employees more incentive to get tasks done, so they work an extra 240 hours per year.
- Email, calendar, and contact management are the most beneficial features of BYOD for employees.
- Smartphone usage at work increases productivity by 34%.
- Improved mobility and additional work hours are the two primary benefits for employers.
- Employees with remote work capabilities make more progress in their workday.
- More than 80% of businesses encourage the BYOD trend.
- Organizations generate $350 of value per employee per year from additional productivity.
- 61% of businesses expect employees to be available remotely even if they do not provide a mobile phone.
How BYOD Works
Businesses that don’t already have a BYOD policy often need guidance on where and how to get started. At a high level, a BYOD policy allows employees to bring a smartphone, laptop, tablet, or any other portable device to their place of work. About 80% of businesses support a BYOD policy, and most employees take advantage of the policy and use at least one of their personal devices to access business applications and data.
While a BYOD policy may increase employee productivity, its primary challenge is the cybersecurity required to protect business data. Businesses can create various policies and strategies to establish standards that gives employees access to business data while also safeguarding it.
The backbone of the way a BYOD works is by establishing an “acceptable use” policy. This policy depends on the business’s industry and any compliance regulations. For example, health care organizations must adhere to strict regulations on patient data and ensure that access uses specific controls. The same can be said for a financial institution storing customer banking information.
Policies covering access to data should include:
- Websites off-limits for browsing and all remote connection to data should be on a virtual private network (VPN).
- Applications that can be accessed from the device, such as email, calendar appointments, messaging, and business contacts.
- Transmission and storage of illicit material should be prohibited to avoid accidental installation of malware that could be used to steal sensitive information.
Compliance organizations often require monitoring. Individuals don’t typically have monitoring software installed on their devices, but it’s required in a business environment. Administrators can install remote management tools on the device to enable access in case of theft or loss. It also allows administrators to install updates to the device’s software to avoid vulnerabilities from out-of-date applications. Remote software will back up data stored on the device, also a compliance regulation requirement.
Once you’ve established and documented your policies, the next step is to notify your employees so that they can be aware of the guidelines. A solid policy also requires updates and changes after review and lessons learned should a policy requirement be proven unnecessary or incomplete.
Benefits of BYOD Security
A BYOD policy has advantages for both employers and employees. The main advantage for businesses is the lowered operating costs. Employees using their own devices means that businesses no longer need to purchase them, reducing costs by thousands of dollars. It’s not uncommon for employers to pay for smartphone cell and data plan services, but this cost is still less than the hardware cost.
When employees use devices they’re familiar with, productivity increases. They no longer need to configure devices to fit their specific preferences because the employee device is already set up to be the most efficient at their job function. Training costs decrease because employees no longer need to learn device mechanics and can learn applications at their own pace.
If an employee wants the latest technology, they buy a new device, improving the business technology required to stay operational. Instead of buying new equipment, the organization can leverage the employee’s latest technology, which can help improve productivity and introduce the latest trends to other employees.
Challenges of BYOD
Even with its benefits, BYOD also has some challenges. An organization should consider these challenges before planning and implementing a BYOD policy.
A few challenges you might face:
- Poor communication: Just like a cybersecurity policy, the BYOD policy should be well communicated. If a user does not understand the policy, the miscommunication may lead to improper BYOD use. For example, if you don’t clearly define the applications that must be installed – such as antivirus software – it’s possible that the user will not have the proper cybersecurity protections on their device.
- Lost or stolen devices: Because users take their devices to and from work, it’s possible that devices with your private corporate data could be lost or stolen. Some BYOD policies require devices to have a remote wiping application to eliminate sensitive data. Some devices, such as Apple iPhones, encrypt storage, but laptops and tablets might need additional storage encryption configured to protect data after devices are lost or stolen.
- Device connections: Connecting to free Wi-Fi hotspots saves data usage, so many mobile device users look for these hotspots while traveling. Attackers focus on free Wi-Fi hotspot areas to trick users into connecting to malicious hotspots. To protect from these malicious connections and avoid data eavesdropping, require users to connect to a company-certified virtual private network (VPN).
- Malicious applications: Users have the freedom to install any application they want on their own devices, but this leaves your data vulnerable to malicious applications and malware. Your policy should block jailbroken phones, as these smartphones are more vulnerable to data breaches with no built-in operating system protections.
- Open, unlocked devices: Although some users choose to leave their devices unlocked and avoid using PINs, it means anyone can take the device and steal your data. Your BYOD policy should require users to keep a PIN or password on their devices, adding a layer of security between your data and an attacker.
The risks of allowing BYOD users relate directly to the challenges the organization might face. For example, one of the challenges of a BYOD is protecting data from theft, but it’s also a risk you face by allowing users to store corporate data on their devices. Malware is also a risk, but it can be stopped using the right antivirus software.
Compliance is one of the most significant risks. Should an attacker steal sensitive data from a stolen or exploited device, your organization could face litigation issues for non-compliance and damage to customer privacy. Defending against litigation is costly and can impact revenue from brand reputation damage.
Users typically understand their own devices, but mobile management is put into the hands of the user rather than administrators. Improper mobile management can mean the device is more vulnerable to malware and other malicious attacks if the user does not know how to stop common threats.
If administrators do not monitor BYOD, the environment could be vulnerable to shadow IT. Shadow IT devices are user laptops, smartphones, and tablets that are not authorized to connect to the network. These devices can be connected to the network maliciously to exfiltrate data and eavesdrop on traffic.
How to Develop a BYOD Policy
Developing an efficient BYOD policy can take months, but a better strategy can be communicated easily and protect your data. You might need help to determine everything that must be included in a policy, and professionals can help you establish a plan of action.
A few tips for developing a BYOD policy:
- Establish security policies: Protecting data is one of the most critical components of a good BYOD policy. Map out every aspect of cybersecurity protections installed on the device so that it’s not vulnerable to virtual and physical attackers.
- Create a usage guide: An acceptable usage policy (AUP) defines websites, software, and network connections approved by the organization.
- Install remote management software: Administrators must be able to patch software and remotely wipe data after a theft. Remote management software gives administrators access to the device to push updates.
- Implement multi-factor authentication (MFA): Should an attacker gain access to the device, the attacker will not have both authentication factors to access your corporate applications and data.
- Train employees regularly: Users must be aware of common attacks and the ways threats steal data from mobile devices. Training helps reduce the risk of a data breach.
BYOD Best Practices
Every corporate BYOD policy is unique to business requirements and compliance regulations, but your organization can still follow best practices to keep policies consistent with the best cybersecurity. These best practices ensure that your policy rolls out smoothly and users easily understand acceptable usage requirements.
A few best practices include:
- Write out a detailed policy: Every aspect of your AUP and BYOD policy should be defined and documented for users and management.
- Implement identity management: Install access controls and identity management to ensure that only authorized users can gain access to data.
- Maintain employee privacy: Remember that the user owns the device, so policies should only affect corporate data and not the device owner’s private information.
- Train employees: Ensure that employees are aware of best practices and how to use their devices securely and safely.
- Remote data wiping: Should the user lose the device, they should be trained to immediately report the loss so that data can be wiped as soon as possible.
- Have an exit strategy: Should the employee leave the company, the device should no longer be authorized to access corporate applications and should be disabled from corporate network connectivity.