“Bring Your Own Device” (BYOD): Risks and Best Practices

Modern workplaces demand seamless access to enterprise networks and data at any time, from any location, using an array of devices such as both organization-issued and personal devices. However, managing these devices effectively is a complex task, requiring your IT team to devise a unified approach that encompasses both organization-owned and personal mobile devices. Moreover, robust policies and procedures need to be established for mobile device management.

Organizations are increasingly embracing Bring Your Own Device (BYOD) policies to provide employees with greater flexibility and mobility.

What is BYOD?

 BYOD stands for ‘Bring Your Own Device’. It is a workplace concept that enables employees to use their devices for work purposes, such as smartphones and laptops. BYOD supplies more flexibility in the way employees work, as they can access corporate resources and applications without needing to be physically present in the office.

Regulating Bring Your Own Device (BYOD) can be challenging because the devices are owned by employees, limiting the technical controls that can be enforced. However, these devices regularly connect to the organization’s networks, servers, and file systems. Therefore, it is important to establish certain requirements such as defining which applications on the device can interact with organization data and implementing strong passwords and PINs.

To gain additional control, there are technical tools available such as Mobile Device Management (MDM) and Mobile Application Management (MAM) solutions such as Microsoft Intune. This solution helps strike a balance between keeping corporate data safe and allowing employees the freedom to perform their jobs. MDM and MAM allow you to define which applications on a user’s device can interact with corporate data and specify the minimum operating system requirement for the device. MDM and MAM can protect corporate data on personal devices through containerization and controls such as passwords or thumbprints. This provides an extra layer of protection for corporate data in case of loss or theft of the device. Additionally, the solution allows for the selective wiping of corporate data while leaving the user’s personal data intact. Before selecting an MDM/MAM solution, it is important to analyze the options available, as some vendors may have better controls for certain devices, such as iOS devices over Android phones and tablets.

Check out our blog about “How to Manage Company Mobile Devices?”

What is a BYOD Policy?

A Bring Your Own Device (BYOD) policy is an organizational approach in which employees are allowed to use their own devices, such as smartphones and laptops, for work-related purposes. A BYOD policy is a set of rules governing an IT department’s level of support for employee-owned devices such as laptops, tablets, and smartphones/SIM cards, and it outlines the responsibilities of the employees.

What are the Risks Associated with BYOD?

• Lost Devices: If a device is lost or stolen the sensitive information on that device can be accessed by an unauthorized user and become compromised, which can lead to a data leak/security event. Additionally, when a device is lost or stolen, the person who took that device may install malware on the device, which can provide them with remote access to the device as well as any associated networks.
• Outdated Operating Systems: If an organization neglects to update the software and operating systems on their employee’s devices, they’re creating a path for cybercriminals to harness sensitive data. With unpatched vulnerabilities, individuals with malicious intent have essentially unrestricted access to sensitive stored data on the organization network.
• Unsecured Networks: An unsecured network offers an effortless access point for attackers to initiate many kinds of attacks on devices and networks, making them a considerable security risk. Public Wi-Fi and open wireless networks are types of unsecured networks that can easily be accessible to everyone, making them susceptible to attacks.
• Jailbroken/Rooted Devices: Jailbroken/Rooted devices have increased exposure to malware attacks since security protocols built into the device’s operating system are often disabled during the jailbreaking/rooting process. Jailbreaking/Rooting devices will make it easier for attackers to access sensitive data or take control of the device.
• Malware: Malware can supply unauthorized access to malicious individuals who can infect devices through email attachments or malicious links. Malware could steal a device’s sensitive data, such as passwords or credit card numbers.
• Spyware: Spyware can collect a large amount of data without the user’s consent. The data collected by spyware can be used for nefarious purposes such as identity theft, fraud, and targeted advertising. Spyware may be installed on a user’s device without their consent or masquerading as an innocuous app, like a game or a picture editor.
• Privacy: Some well-known social media apps have been found to collect data from their users, including their location, IP address, browsing history, clipboard, device information, and so much more. This has raised concerns over the safety and potential misuse of user data. Furthermore, these apps will soak up information indiscriminately. At least one of these apps has been associated with sharing that data with foreign nation-states.
• Lack of Visibility: Without using a Mobile Device Management (MDM) solution, IT managers cannot achieve full visibility, making it harder to detect and address potential security vulnerabilities. It also complicates the process of remotely wiping sensitive data or locking lost or stolen devices.

As the use of multiple devices like laptops, smartphones, and tablets increases among employees, a robust security and mobility strategy is critical for successful BYOD implementation. Failing to establish proper policies and procedures can quickly lead to significant security issues. Many organizations make the mistake of adopting BYOD policies without established guidelines, rules, or policies to ensure their success. To mitigate these risks, businesses must have clear BYOD guidelines and policies in place about the types of devices allowed for use and a proper protocol for employees when using their personal devices at work.

What are the BYOD Best Practices?

• Require strong passwords and Multi-Factor Authentication (MFA): Strong and unique passwords in addition to multi-factor authentication (MFA) are two of the most prominent practices a person can take to secure their devices. The password should be composed of a combination of upper and lower-case letters, numbers, and special characters. To further secure your device, the password should be the length of at least eight inconsecutive characters. Additionally, using MFA creates an added layer of security by requesting a secondary form of identification such as a one-time password sent to your phone or email address further strengthening the security of your device. This configuration enables users to keep peace of mind that their data has increased security.
• Restrict Data Access by using a Zero Trust Policy: When organizations use a Zero Trust Policy, they will be able to enhance the security of sensitive data while also allowing employees to use personal devices for work. This policy aids in reducing security risks by preventing unauthorized users from retrieving sensitive data. Additionally, this policy helps to counteract malware attacks and comply with business regulations.
• Backup Devices: In the event a device gets lost or stolen, it is essential that the data on that device was backed up in the cloud. Cloud backups offer an added layer of security to an organization’s sensitive data, providing workers with increased access to information regardless of location. Additionally, if an employee’s device gets lost or stolen, cloud backups enable organizations to remotely remove the sensitive data from that device.
• Educate Employees about Bring Your Own Device Security: Employees need to be educated on risks related to BYOD and on how to best protect organization data by undergoing security training. Users need to understand what level of access they have to their personal devices, why the security procedures are important when using them, and what the outcomes of breaking the policy are. The organization’s BYOD policy must be evaluated and revised periodically to ensure that it is up to date on current security risks.
• Contain Organization Data: Organization data should be secured separately from the rest of the user data in a “walled garden”. This is known as Mobile Application Management (MAM). The “walled garden” is an encrypted container, with organization data, which may be configured with additional PIN/Biometrics, separate from the device itself. Furthermore, depending on the MAM solution, added precautions may be taken by enabling features like disabling copy and paste between the container and the rest of the device, self-destruct, and container auto-wipe. The main benefit of this approach is that it enables organizations to provide BYOD users with accessibility while ensuring the organization’s data remains secure and separate from the user’s personal data and apps.

How to Get Started with a BYOD Policy?

 Implementing BYOD policies to protect both the business and their employees is a requirement today. Do not rely on informal conversations and assumptions.

All Bring Your Own Device Policies Should Include the Following Three Components:

1. A software application for managing the devices that are connected to the organization network.
2. A written policy that outlines the responsibilities of both employer and user.
3. An agreement that users must sign acknowledging that they read and understand the policy.

Communicate Clear Expectations

Because the lines of employee privacy can get blurry when enforcing controls and expectations on personal devices, good communication is key.  Clearly articulate and document your expectations to employees, such as:

• Minimum PIN/password requirements: It used to be that a 4-digit PIN was accepted, but today a 6-digit or 8-digit PIN is standard.
• What information cannot be sent/accessed through personal devices: Will you allow personal devices to connect to your VPN? Can users access corporate email on their devices? Will employees be able to copy and paste organization information into their personal applications?
• Define when and why the organization would wipe an employee’s phone: You need to make these conditions very clear to employees – both during onboarding and when their devices first connect to the wi-fi network. If an employee leaves the organization and you wipe the phone on the way out the door, the situation could raise legal issues for your organization. This is why all employees should sign a BYOD agreement before allowing personal devices to touch their corporate network or data.
• What happens to personal devices during off-boarding procedures: Make sure that your BYOD policies enforce technical controls and are clearly explained to users during off-boarding and in the BYOD agreement.
• What qualifies as an incident and what steps will be taken as a result:  Define incidents in as much detail as you can, by spelling out requirements in policy, users understand why such an extreme reaction may be necessary, and there is less chance of disagreement between IT and other teams. Furthermore, having well-defined incident definitions allows IT departments to respond quickly and appropriately when incidents occur. For example, if a user’s device is found to have malware, then wiping the device would be an appropriate reaction, as long as it is done by the policies set out by the organization. Transferring files using portable hard drives, cloud storage, and personal devices is convenient but difficult to monitor from a corporate perspective. Proper training on the use of these tools in a work environment is crucial, including guidelines on storing and transmitting sensitive information. Equally important is ensuring users understand the consequences of an incident on their devices and storage media.

For organizations looking to enhance security and streamline employee onboarding and offboarding processes, Strong device management is a powerful solution even when employees use their own devices.

Create an Effective and Flexible Working Environment with an Excellent BYOD Policy

PSM Partners helps customers embrace BYOD through security solutions. We can help you establish device management policies and procedures specific to your business needs. Your employees can access all their apps and data on any device while allowing IT departments to maintain full visibility and control.

These solutions empower employees to work and collaborate the way they prefer, with complete freedom to use any PC, laptop, or mobile device they choose—all while allowing organizations to protect sensitive data from loss and theft, and to keep personal data private. To learn more, call PSM at (312) 940-7830 or submit a contact form today.