What risk and liabilities must be considered in BYOD?

Bring Your Own Device (BYOD) is a practice of allowing employees to use their own personal laptops, smartphones, tablets or other devices for work. It has become increasingly popular in recent years, and especially during the COVID-19 pandemic, as a way of enabling employees to work remotely, accessing their business' network and data from home or on the go.

The practice of BYOD offers many benefits but it is not without risk, especially when it comes to security and data protection.

Advantages of BYOD

For some businesses, a successful, well-controlled BYOD environment can:

  • offer greater flexibility
  • increase workforce mobility
  • increase efficiency and productivity
  • raise employee satisfaction
  • allow greater choice in device type
  • cut hardware spend and software licensing costs
  • cut down on device management for business-owned devices

With proper use and safety precautions, allowing employees to use their own devices for work can be an ideal workplace policy for some businesses.

However, where BYOD is not completely understood and adequately regulated, it can seriously threaten the security of business data and systems.

BYOD issues around security and privacy

BYOD raises a number of data protection concerns and can lead to vulnerabilities in information security. For example:

  • Intentionally or accidentally, private information could leak from unprotected and unmanaged devices.
  • Personal devices may lack data encryption capabilities or can be lost or stolen, increasing the risks of data loss or exposure.
  • Personal devices may contain malicious apps or malware or be more vulnerable to attack from online threats.
  • Responsibility for managing passwords, anti-virus and anti-malware protection, security patches and other safety measures falls on the device owner, meaning you have little to no control over safeguarding the device.
  • Storage of business and personal data on the same device may be challenging. You must also consider the security of data once it is stored on the device.
  • You may need to modify your current IT infrastructure and tech support to make it BYOD compliant, across the whole range of devices and applications your employees will be using.

From a legal perspective, the responsibility for protecting personal information rests with the data controller (ie the organisation), not the device owner. Read the Information Commissioner's Office guidelines on BYOD and data protection and be aware of your duties under the data protection laws, including the UK General Data Protection Regulation (UK GDPR).

BYOD and home working best practices

If your staff are working from home and using their own devices to access company software, you should:

  • consider using multi-factor authentication for remote access
  • ensure that the device owner's data and the organisation's data are kept separate
  • ensure that staff cannot inadvertently or deliberately move the organisation's data into their personal storage on the device or onto separate personally-owned devices
  • be aware that the device's security may be compromised and plan accordingly, eg update out-of-date and unpatched operating systems or software

If your staff are using their own devices and their own software to access your business applications and data, bear in mind the increased potential for your systems and data to be compromised. For example:

  • out-of-date software or operating systems, weak passwords or insecure methods of communications, such as personal email accounts, may be vulnerable to exploitation
  • devices are likely to be shared between family members, so unauthorised people may be able to access personal data
  • personal devices are unlikely to encrypt data, making it vulnerable in the event of loss or theft of the device
  • data can easily be moved to other insecure storage, including personally-owned USB sticks and external hard drives, which can increase the potential for loss

Consider these security risks and put in place measures to mitigate them to avoid potential data breaches.

Create a Bring Your Own Device (BYOD) policy

Rolling out a BYOD programme in your organisation requires three critical components:

  • a software application for managing the devices that are connecting to the network
  • a written policy outlining both the employer's and the user's responsibilities
  • a user agreement, acknowledging that they have read and understood the policy

Before developing your policy, you should conduct a thorough risk assessment and carefully consider your responsibility for data access, processing and storage.

A BYOD policy should aim to protect the security and integrity of your company data and technology infrastructure. It should cover things like:

  • acceptable use - which activities are allowed/not allowed for business or personal use
  • devices - which devices are permitted/not permitted
  • apps - which apps are permitted/not permitted, including download of new apps
  • ownership of apps and data and their management
  • support and service - how to deal with connectivity issues, configuration of apps, etc
  • security - what measures will be put in place to prevent unauthorised access to company's data and system, enable remote management of device, etc
  • liabilities - eg for costs associated with the device or for the loss of data or device
  • termination of access - eg for non-compliance with policy, or an employee exit

As well as a policy, you should at the very least provide your employees with clear guidance on:

  • how to secure their device by keeping software up to date
  • how to use strong passwords
  • how to minimise the storage of personal data on their devices

It is important that staff understand when and how they should report potential data breaches if these occur on their personal devices.

The National Cyber Security Centre (NCSC) has detailed guidance for organisations considering integrating BYOD into their practices.

It’s estimated that over 50% of employees use their personal devices for some work activities. As more people use their personal smartphones or laptops to do their jobs, the security risks at an organization increase dramatically. BYOD — whether instituted as a formal policy or as an adaptation to the pandemic — opens a company’s systems and platforms up to hacking, data loss, and insider threat. Being aware of some of these critical BYOD security concerns is the first step to protecting your important, valuable company information. 

What is BYOD?

Before we get into some of the pitfalls of BYOD, it’s important to understand what BYOD is — and why a company might use it. BYOD stands for Bring Your Own Device. It’s a policy that allows employees to work on the device they choose, using their own laptop, mobile phone, or tablet to access their company email, work documents, and more.

BYOD often happens ad hoc or without formal implementation by the organization. An employee who adds their company email to their smartphone, for instance, is inadvertently practicing BYOD. During the pandemic, many employees switched to their personal devices to keep up with the new remote work paradigm. 

BYOD comes with a number of security risks and challenges. According to some research, 50% of companies that allowed BYOD experienced a data breach through a personal device. Here’s where BYOD security risks lie — and how to overcome some of these risks. 

3 BYOD security challenges

Here are some of the top BYOD security challenges facing businesses today. 

Lost or stolen devices

Almost half of data breaches — 41%, precisely — happen due to lost or stolen devices. Consider some of these stats:

  • Out of 70 million devices stolen each year, only 7% are ever recovered. 
  • Only 56% of BYOD companies use remote wipe and MDM to deal with security
  • IT theft ranks almost as high as car and transportation theft

Lost devices are potentially the biggest threat to BYOD security. When a device is found by the wrong person, it can easily be infiltrated and mined for personally-identifiable information. Luckily, there are some simple ways to protect your company data in the event of a misplaced or stolen personal device. 

BYOD security best practice: Implement a strong mobile device management (MDM) strategy and action plan. This includes tools like data or device encryption, remote wiping capabilities, geofencing and geolocation. Require employees to use some biometric (like a thumbprint) and a strong password to unlock their device. When a device is stolen, make sure your employee immediately lets your IT team know so they can wipe or lock down the device. 

Malware

Few employees are aware that malware can infect a smartphone, not just a laptop. While they may have anti-malware programs installed on their personal computers, not many employees pay attention when it comes to reading the fine print of an app or downloading content on their phones. “Outdated mobile operating systems can be a major risk factor, with some of the most vicious forms of malware primarily affecting outdated OSs,” added one expert.

BYOD security best practice: Make sure your employees are keeping their software up-to-date. Limit what apps an employee can download if they’re using their main device for work. Malicious apps are one of the easiest ways hackers and malware compromise your system. “TechCrunch reports that some of the confirmed malicious apps included titles such as ‘Pokémon Go Ultimate,’ ‘Guide & Cheats for Pokémon GO,’ and ‘Install Pokémongo,’ in order to appeal to fans of the game.” 

Unsecured networks

When an employee logs into work using a coffee shop’s free Wi-Fi, they’re putting your company’s data at risk. Unsecured networks, such as those in public spaces like airports and cafes, are often targeted by attacks. Hackers can intercept traffic coming to and from your employee’s device and use it to infiltrate your company’s systems.

BYOD security best practice: Ask employees to download and use a VPN on all their devices. You can also offer a data package that allows employees to tether, or hotspot, their laptop’s internet connection to a mobile device. These options offer a more secure way to get connected. In addition, encrypt every device’s emails, messages, and photos. 

Meeting BYOD security risks

Hacking, malware, and data leakage are the biggest BYOD security risks. Bad actors take advantage of unsecured devices, networks, and malicious apps to mine personal devices for company information. A robust MDM approach — or a more modern unified endpoint management approach — is critical to minimizing the risks associated with BYOD. 

The pandemic has dramatically increased the number of devices (entry points) through which a hacker could infiltrate a company’s systems. As users add apps like Zoom and Slack to their personal devices, it’s becoming easier to target valuable customer and organizational data stored on cloud platforms. MDM tools and services can help — as well as a cloud data loss prevention service. 

Endpoint security, which is what MDM falls under, is just one piece of the holistic cybersecurity picture. Endpoint security solutions lack visibility into cloud applications such as Slack and Google Workspace. Nightfall is the industry’s first cloud-native DLP platform focused on discovering, classifying and protecting data in the cloud. Our tool integrates directly with Slack, Jira, and other cloud service providers on the API level. Then, a machine learning function scans structured and unstructured data and its surrounding context. We can identify when data is at risk and alert your IT team to keep private, valuable data out-of-reach from hackers and malware. 

Learn more about cloud DLP and setting up your organization for secure remote work in our complete 2021 Security Playbook for Remote-first Organizations.
