Bring Your Own Device (BYOD) remains both a major opportunity and challenge for enterprises. By following the right approach to identifying BYOD risk and developing effective BYOD policy it is possible to capitalize on the benefits of BYOD without adding significant risk.
If your company allows employees to bring their own computing devices to the workplace – whether they are smartphones, tablets, or laptops – you need a BYOD security policy. Initially, employees used only company-issued devices in the workplace. Today, smartphones and tablets have proliferated in the consumer market to the point that nearly every employee comes to work with their own internet-connected device. This means higher potential for an employee introducing security risks to your company.
DEVICES AT WORK VS. DEVICES FOR WORK
It’s one thing for an employee to bring a personal device to work and use it strictly for personal communications. This practice can still create risks, but the most substantial security risks are associated with employees using personal devices to conduct business, whether simply sending work-related emails or actually accessing secure company applications from their own smartphones or tablets.
The difference is essentially that in one case, employees are using their personal devices at work; in the other, employees are using their personal devices to conduct work. Devices that are brought to the workplace but do not have access to the company network are not usually problematic; however, due diligence is necessary in all cases with strict, clearly defined BYOD policies and enforcement.
THE CHALLENGES OF BYOD SECURITY
BYOD security is often a challenge for enterprises and SMBs alike. This stems from the fact that in order to be effective, companies must exert some form of control over smartphones, tablets, and laptops that are not owned by the company but are employees’ personal assets. As BYOD has become increasingly common and awareness of security risks has grown, BYOD security policies are becoming more widely adopted and accepted by both companies and their employees.
BYOD is more prevalent in the workforce than just a few years ago. In fact, a November 2014 survey from Tech Pro Research found that 74 percent of organizations either already allowed employees to bring their own devices to work or were planning to do so. As of 2016, 87% of companies were relying on employees to use their personal smartphones to access mobile business applications, and 45% of U.S. employees were required by their employers to use their personal smartphones for business purposes.
Companies adopting BYOD benefit from reduced hardware and software costs, but at the same time, BYOD places additional responsibilities on IT departments, which must maintain the devices as well as ensure that the practice does not introduce unnecessary vulnerabilities to the company network and data. Interestingly, among the 26 percent of Tech Pro Research’s survey respondents not adopting or planning to adopt BYOD, security concerns were the most common reason cited for ruling out the practice.
THE NEED FOR BYOD SECURITY
According to one recent study, the BYOD market will reach more than $350 billion by 2022 (up from $94 billion in 2014), and significant growth is expected in the global BYOD market between 2020 and 2026. This growth is driven by heightened smartphone demand and employee’s desire to perform work-related tasks such as sending emails even when they’re outside the office.
Of course, in 2020, the world experienced significant disruption resulting from the COVID-19 pandemic, which accelerated the work from home culture and, in many cases, made it necessary for employees to access work-related applications from their personal devices. While 95% of organizations allow the use of employee-owned devices in the workplace in some way, two out of three employees use their personal devices at work, regardless of the company’s BYOD policy. That means some employees are using their personal devices to access company networks and applications even if those activities are forbidden.
These findings illustrate the likelihood for employees to use personal mobile devices to conduct business activities whether or not the company has prior knowledge and/or policies regarding the use of personal devices. In other words, companies who choose to ignore the likely use of personal devices are ignoring what could be a serious security risk.
Employers have two options: either embrace BYOD by enacting BYOD policies and security measures to make the practice a safer one, or prohibit BYOD entirely and find a way to enforce it. For most companies, it makes sense to embrace the BYOD trend and capitalize on the benefits it offers, such as increased employee productivity and greater employee satisfaction through better work-life balance, while implementing security measures that mitigate the risks involved.
STAKEHOLDER AND EMPLOYEE BUY-IN
To adapt to the growing use of BYOD among enterprises and SMBs, many companies may be inclined to jump immediately to policy creation, but that approach is often met with friction. The first step, before working on policy, is to gain both stakeholder and employee buy-in.
Stakeholders will be essential to the policy planning process, providing a variety of perspectives from various departments and interests within the organization. Executives, human resources, finance, IT operations, and the security team should be represented within a BYOD project management team and can each contribute to policy development.
In addition to these stakeholders, employee input is essential for creating effective BYOD policies. Blindly creating policies based solely on the company’s interests can backfire. Policies that are too restrictive or fail to offer support for the right devices will lead to a lack of participation by employees, ultimately wasting the resources the company invested in creating the policies.
An employee survey is an effective way to gain data on the devices employees currently use (and are likely to purchase in the future, as these devices must be supported by your company’s BYOD policy), what employees see as advantages and disadvantages to using their own devices for work purposes, and what applications they perceive as necessary to be able to carry out business tasks on their personal devices. For instance, some employees may have concerns about their own privacy should they use their personal devices for business. Armed with this data, you can begin to craft a BYOD policy that addresses these concerns and encompasses the full range of devices your employees are likely to use.
DEFINING A BYOD SECURITY POLICY
Defining a BYOD security policy is a critical step in maintaining company security when employees are bringing their personal devices to the workplace. TechTarget SearchMobile Computing outlines a few essential elements of a BYOD policy, including:
- Acceptable use: what applications and assets are employees permitted to access from their personal devices?
- Minimum required security controls for devices
- Company-provided components, such as SSL certificates for device authentication
- Company rights for altering the device, such as remote wiping for lost or stolen devices
In an article for CIO, Jonathan Hassell describes a few additional components of effective BYOD policies, such as specifying the permissible device types and establishing a stringent security policy for all devices. For example, consumers may opt not to utilize native security features such as the ability to lock device screens or require passwords because these features create additional steps that inconvenience users. Employees are motivated to make use of these simple features when clear company policies exist, and even simple measures can enhance company security.
Additionally, your BYOD policy should clearly outline a service policy for BYOD devices, including what support is available from IT for employees connecting to the company network, support for applications installed on personal devices, and support for resolving conflicts between personal applications and company applications
Your BYOD policy should clearly outline the ownership of apps and data, as well as the applications that are permitted or prohibited and reimbursement (e.g., will the company reimburse employees a standard use fee, pay for certain applications, or a portion of monthly bills?). It should also outline security requirements for BYOD devices (e.g., will the company provide a mobile device security application that must be installed on employee devices before they are granted access to company data or will employees be permitted to choose their own security solutions provided they meet criteria outlined by your IT department?).
Employee exits are also an important consideration when outlining your BYOD policy. When an employee leaves the company, what happens to the company data that may be stored on the employee’s device? Defining clear policies that explain the procedures that must be followed when an employee separates from the company, such as the wiping of the employee’s device by IT, should be explained in detail in written policies.
Finally, risks, liabilities, and disclaimers should be disclosed in a written BYOD policy. This includes company liability for an employee’s personal data, should a device have to be wiped for a security precaution, as well as employee liability for the leakage of sensitive company data brought about by employee negligence or misuse.
EXAMPLE ELEMENTS OF A BOYD POLICY
There is a great deal of technology to better secure employee-owned devices. That said, a strong policy and widespread adoption of the policy is vital to ensuring proper (and secure) BYOD use in an organization. While each company is different, there are a number of elements (relatively) universal to most policies.
For sensitive information, either belonging to the company or its customers, password protections are non-negotiable. Most organizations require strong passwords on mobile devices and computers. Some enact regular password changes every 30 or 90 days, for example. You also may want to consider 2-factor authentication for any applications and programs accessed from employee-owned devices.
Company data belongs to the company, but it happens to be on a privately owned device. Privacy is a big deal, and your BYOD policy needs to address how you protect data while ensuring employees’ privacy. Some companies choose to tell workers to expect no privacy when using personal devices for work purposes.
Data Transfer Provisions
It only takes one person to use a new app with sensitive data for a breach to occur. If someone is using a certain app that’s unapproved to transfer data, and this application is breached, there could be serious legal ramifications. Data should be encrypted, password protected and only transferred on company mandated applications.
Patches and updates not only provide new features, but also shore up the code from known attacks. Keeping devices and applications up-to-date is a major part of overall digital security and must be included in any company or private device use policy.
Common Sense Provisions
Technology is indifferent, but people have bad habits. Work selfies and short “vlogs” may occur, even when prohibited. And without provisions in your policy, device misuse is sure to occur more often. Other common-sense rules include things like:
- No device use while driving
- Limit personal calls while at work
- Do not take video (except possible in areas like break rooms with coworker permission)
This article was originally published on Digital Guardian.