Bring Your Own Device (BYOD) is a practice of allowing employees to use their own personal laptops, smartphones, tablets or other devices for work. It has become increasingly popular in recent years, and especially during the COVID-19 pandemic, as a way of enabling employees to work remotely, accessing their business' network and data from home or on the go.
The practice of BYOD offers many benefits but it is not without risk, especially when it comes to security and data protection.
Advantages of BYOD
For some businesses, a successful, well-controlled BYOD environment can:
With proper use and safety precautions, allowing employees to use their own devices for work can be an ideal workplace policy for some businesses.
However, where BYOD is not completely understood and adequately regulated, it can seriously threaten the security of business data and systems.
BYOD issues around security and privacy
BYOD raises a number of data protection concerns and can lead to vulnerabilities in information security. For example:
From a legal perspective, the responsibility for protecting personal information rests with the data controller (ie the organisation), not the device owner. Read the Information Commissioner's Office guidelines on BYOD and data protection and be aware of your duties under the data protection laws, including the UK General Data Protection Regulation (UK GDPR).
BYOD and home working best practices
If your staff are working from home and using their own devices to access company software, you should:
If your staff are using their own devices and their own software to access your business applications and data, bear in mind the increased potential for your systems and data to be compromised. For example:
Consider these security risks and put in place measures to mitigate them to avoid potential data breaches.
Create a Bring Your Own Device (BYOD) policy
Rolling out a BYOD programme in your organisation requires three critical components:
Before developing your policy, you should conduct a thorough risk assessment and carefully consider your responsibility for data access, processing and storage.
A BYOD policy should aim to protect the security and integrity of your company data and technology infrastructure. It should cover things like:
As well as a policy, you should at the very least provide your employees with clear guidance on:
It is important that staff understand when and how they should report potential data breaches if these occur on their personal devices.
The National Cyber Security Centre (NCSC) has detailed guidance for organisations considering integrating BYOD into their practices.
It’s estimated that over 50% of employees use their personal devices for some work activities. As more people use their personal smartphones or laptops to do their jobs, the security risks at an organization increase dramatically. BYOD — whether instituted as a formal policy or as an adaptation to the pandemic — opens a company’s systems and platforms up to hacking, data loss, and insider threat. Being aware of some of these critical BYOD security concerns is the first step to protecting your important, valuable company information.
What is BYOD?
Before we get into some of the pitfalls of BYOD, it’s important to understand what BYOD is — and why a company might use it. BYOD stands for Bring Your Own Device. It’s a policy that allows employees to work on the device they choose, using their own laptop, mobile phone, or tablet to access their company email, work documents, and more.
BYOD often happens ad hoc or without formal implementation by the organization. An employee who adds their company email to their smartphone, for instance, is inadvertently practicing BYOD. During the pandemic, many employees switched to their personal devices to keep up with the new remote work paradigm.
BYOD comes with a number of security risks and challenges. According to some research, 50% of companies that allowed BYOD experienced a data breach through a personal device. Here’s where BYOD security risks lie — and how to overcome some of these risks.
3 BYOD security challenges
Here are some of the top BYOD security challenges facing businesses today.
Lost or stolen devices
Almost half of data breaches — 41%, precisely — happen due to lost or stolen devices. Consider some of these stats:
Lost devices are potentially the biggest threat to BYOD security. When a device is found by the wrong person, it can easily be infiltrated and mined for personally identifiable information. Luckily, there are some simple ways to protect your company data in the event of a misplaced or stolen personal device.
BYOD security best practice: Implement a strong mobile device management (MDM) strategy and action plan. This includes tools like data or device encryption, remote wiping capabilities, geofencing and geolocation. Require employees to use some biometric (like a thumbprint) and a strong password to unlock their device. When a device is stolen, make sure your employee immediately lets your IT team know so they can wipe or lock down the device.
Few employees are aware that malware can infect a smartphone, not just a laptop. While they may have anti-malware programs installed on their personal computers, not many employees pay attention when it comes to reading the fine print of an app or downloading content on their phones. “Outdated mobile operating systems can be a major risk factor, with some of the most vicious forms of malware primarily affecting outdated OSs,” added one expert.
BYOD security best practice: Make sure your employees are keeping their software up-to-date. Limit what apps an employee can download if they’re using their main device for work. Malicious apps are one of the easiest ways hackers and malware compromise your system. “TechCrunch reports that some of the confirmed malicious apps included titles such as ‘Pokémon Go Ultimate,’ ‘Guide & Cheats for Pokémon GO,’ and ‘Install Pokémongo,’ in order to appeal to fans of the game.”
When an employee logs into work using a coffee shop’s free Wi-Fi, they’re putting your company’s data at risk. Unsecured internet networks, such as those in public spaces like airports and cafes, are often targeted by attacks. Hackers can intercept traffic coming to and from your employee’s device and use it to infiltrate your company’s systems.
BYOD security best practice: Ask employees to download and use a VPN on all their devices. You can also offer a data package that allows employees to tether, or hotspot, their laptop’s internet connection to a mobile device. These options offer a more secure way to get connected. In addition, encrypt every device’s emails, messages, and photos.
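The three best practices above (encryption, biometric plus strong-password unlock and remote wipe for lost devices; up-to-date software; VPN or tethered connections) can be expressed as a device posture check that gates access to company systems. This is an added example, not code from the original page or from any MDM product; the record fields, thresholds, network labels and sample fleet are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date

# Assumed policy values for illustration; set these from your own risk assessment.
MIN_OS = {"ios": (17, 0), "android": (14, 0)}
MAX_PATCH_AGE_DAYS = 60
ALLOWED_NETWORKS = {"vpn", "tethered"}

@dataclass
class Device:  # hypothetical inventory record, as an MDM export might provide
    owner: str
    platform: str
    os_version: tuple
    last_patch: date
    encrypted: bool
    biometric: bool
    strong_password: bool
    network: str
    reported_lost: bool = False

def evaluate(dev, today):
    """Return (decision, reasons); decision is 'allow', 'block' or 'wipe'."""
    if dev.reported_lost:  # lost or stolen: wipe regardless of posture
        return "wipe", ["reported lost or stolen"]
    reasons = []
    if not dev.encrypted:
        reasons.append("storage not encrypted")
    if not (dev.biometric and dev.strong_password):
        reasons.append("unlock requires biometric and strong password")
    # Unknown platforms have no baseline, so they fail closed.
    if dev.os_version < MIN_OS.get(dev.platform, (999,)):
        reasons.append("operating system below minimum version")
    if (today - dev.last_patch).days > MAX_PATCH_AGE_DAYS:
        reasons.append("security patches too old")
    if dev.network not in ALLOWED_NETWORKS:
        reasons.append("not connected through VPN or tethering")
    return ("block" if reasons else "allow"), reasons

TODAY = date(2024, 6, 1)  # constructed evaluation date and sample fleet
FLEET = [
    Device("alice", "ios", (17, 4), date(2024, 5, 20), True, True, True, "vpn"),
    Device("bob", "android", (12, 0), date(2023, 11, 1), True, False, True, "public_wifi"),
    Device("carol", "ios", (17, 2), date(2024, 5, 1), True, True, True, "tethered", True),
]

def report(fleet, today):
    return {d.owner: evaluate(d, today) for d in fleet}

if __name__ == "__main__":
    print(report(FLEET, TODAY))
```

Returning the list of reasons alongside the decision lets the IT team tell the employee exactly what to fix before access is restored.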
Meeting BYOD security risks
Hacking, malware, and data leakage are the biggest BYOD security risks. Bad actors take advantage of unsecured devices, networks, and malicious apps to mine personal devices for company information. A robust MDM approach — or a more modern unified endpoint management approach — is critical to minimizing the risks associated with BYOD.
The pandemic has dramatically increased the number of devices (entry points) through which a hacker could infiltrate a company’s systems. As users add apps like Zoom and Slack to their personal devices, it’s becoming easier to target valuable customer and organizational data stored on cloud platforms. MDM tools and services can help — as well as a cloud data loss prevention service.
Endpoint security, which is what MDM falls under, is just one piece of the holistic cybersecurity picture. Endpoint security solutions lack visibility into cloud applications such as Slack and Google Workspace. Nightfall is the industry’s first cloud-native DLP platform focused on discovering, classifying and protecting data in the cloud. Our tool integrates directly with Slack, Jira, and other cloud service providers at the API level. Then, a machine learning function scans structured and unstructured data and its surrounding context. We can identify when data is at risk and alert your IT team to keep private, valuable data out of reach of hackers and malware.