BYOD, why don’t you?

BYOD, why don’t you?

Bring Your Own Device (BYOD) is a policy that allows employees to bring their own devices to the workplace and use them there. At one time, this was the latest bonus to attract and keep employees happy—plus save a few bucks. Nowadays the question is more like: Is there anyone who doesn’t bring his own device (at least a smartphone) to the workplace?

But BYOD is more than just bringing your device along. The expression also implies that you can use your own device to access and use corporate resources. But what are the security issues that this policy opens up for both parties?

The risks for the company

  • People outside the company get access. Access by someone outside of the company can happen due to devices being stolen or by people leaving the company.
  • Devices leave the company environment. Outside the company environment, the devices are still carrying important information and may be used to access insecure networks elsewhere.
  • Devices might not be protected or patched. BYOD devices might not be protected as well as the devices that are under control by the companies IT department. This works both ways, since many companies have a slow patching process to keep legacy applications running and to allow for testing before patches and updates are rolled out. Either way, a discrepancy in updates and patches can result in problems for both sides.

The risks for the employee owner

  • This limits the use of the device outside the company. The employee has to be more vigilant than they might be if he didn’t use the device for company matters. For example, browsing in a coffee shop on an open network might be prohibited, or at least dangerous, on that device.
  • Who is to blame in case of leaks? Pointing the finger for who is to blame, or fearing the repercussions, can ruin a healthy work relationship. Employees might be more liable if they used a BYOD device instead of a work-issued one.
  • There might be discrepancy in patching and updates. The employee may have to wait before he patches or updates his Operating System or applications that are used in the workplace. This leaves his work and personal data vulnerable.

Mitigating the risks

To limit the downside and keep possible damage to a minimum, it helps to:

  • Have a clear policy and rules to enforce it. A well thought out policy about BYOD allows you to set rules that everyone understands—not only understand what the rules prescribe, but also why they are needed.
  • Have an active mobile device management solution. Even if there are no mobile devices owned by the company itself, there needs to be mobile device management to keep the company-controlled data and applications separated from the private ones.
  • Use strong authentication and encryption methods. A suitable method of strong authentication enables you to shut out the owners of stolen devices and terminated accounts. Encryption can also keep your communications and data safe from prying eyes.

Allowing your staff to BYOD has mutual benefits, but we recommend taking some precautions if you don’t want the downside to outweigh the good. Being aware of the potential dangers is important, but only a small part of what needs to be done. Securing personal devices at the workplace and securing workplace devices at home is equally important, as well as creating and implementing a strong cybersecurity policy that covers this type of flexibility. Take these steps and you can better enjoy a less cumbersome, more fluid work environment.

ABOUT THE AUTHOR

Pieter Arntz

Malware Intelligence Researcher

Was a Microsoft MVP in consumer security for 12 years running. Can speak four languages. Smells of rich mahogany and leather-bound books.