Bring Your Own Device (BYOD) is a policy that allows employees to bring their own devices to the workplace and use them there. At one time, this was the latest bonus to attract employees and keep them happy, while also saving a few bucks. Nowadays the question is more like: Is there anyone who doesn't bring their own device (at least a smartphone) to the workplace?
But BYOD is more than just bringing your device along. The expression also implies that you can use your own device to access and use corporate resources. But what are the security issues that this policy opens up for both parties?
The risks for the company
- People outside the company get access. Access by someone outside of the company can happen due to devices being stolen or by people leaving the company.
- Devices leave the company environment. Outside the company environment, the devices are still carrying important information and may be used to access insecure networks elsewhere.
- Devices might not be protected or patched. BYOD devices might not be protected as well as the devices that are under the control of the company's IT department. This works both ways, since many companies have a slow patching process to keep legacy applications running and to allow for testing before patches and updates are rolled out. Either way, a discrepancy in updates and patches can result in problems for both sides.
The risks for the employee owner
- This limits the use of the device outside the company. The employee has to be more vigilant than they would be if they didn’t use the device for company matters. For example, browsing in a coffee shop on an open network might be prohibited, or at least dangerous, on that device.
- Who is to blame in case of leaks? Pointing the finger over who is to blame, or fearing the repercussions, can ruin a healthy work relationship. Employees might be more liable if they used a BYOD device instead of a work-issued one.
- There might be a discrepancy in patching and updates. The employee may have to wait before patching or updating the operating system or applications that are used in the workplace. This leaves their work and personal data vulnerable.
Mitigating the risks
To limit the downside and keep possible damage to a minimum, it helps to:
- Have a clear policy and rules to enforce it. A well-thought-out BYOD policy allows you to set rules that everyone understands: not only what the rules prescribe, but also why they are needed.
- Have an active mobile device management solution. Even if there are no mobile devices owned by the company itself, there needs to be mobile device management to keep the company-controlled data and applications separated from the private ones.
- Use strong authentication and encryption methods. A suitable method of strong authentication enables you to shut out anyone holding a stolen device or using a terminated account. Encryption can also keep your communications and data safe from prying eyes.