Bring your own device, or BYOD, has been growing in popularity for a few years now. With mobile devices increasingly capable and more employees looking to work from outside the office, this offers a practical, cost-effective solution for keeping your employees connected. It means you don't have to shell out on capital expenditure for company-owned devices and allows users to choose the hardware they're most comfortable with.
But BYOD has taken on increasing significance recently. As millions of workers around the world left the office to work from home with little planning during the pandemic - on personal PCs, laptops or mobile devices - many firms may have compromised on security in exchange for convenience. One report from Verizon, for example, found almost half of firms admitted they had knowingly cut corners on mobile device security.
With remote and hybrid working set to stay for the long term, it's vital that the security implications of BYOD are revisited. Figures highlighted by T-Mobile indicate the market for BYOD solutions is expected to grow at a compound annual growth rate of 15% between 2020 and 2025, reaching a total of $430.45 billion by the end of this period.
There are many potential pitfalls to avoid when implementing a BYOD environment. Here are seven of the biggest nightmares you need to be aware of.
1. Data leakage
The biggest worry for many firms when it comes to BYOD is data loss. There can be many reasons for this, some of which are highlighted in more detail below. But in general, you can reduce the risk of data loss, whether intentional or accidental, by minimizing the amount of information BYOD users can view, putting in place stringent access controls and having comprehensive monitoring tools that can identify when data is accessed and from where.
2. Malware
Malware is a constant threat to any IT device, and this risk only increases when hardware is outside the direct control of businesses. This could mean essential first lines of defense such as firewalls and email protection systems are being bypassed. As a first step in guarding against this, firms should insist employees keep their personal devices updated with the latest patches. Mobile device management (MDM) schemes should also require antimalware software to be installed on smartphones and tablets, as many employees still don't realize this hardware is under threat from malware.
3. Unknown apps
One common way for malware to find its way onto mobile devices is via infected apps. Installing programs from unknown sources is a major problem for businesses. Many employees may believe that if they get their apps from the approved App Store or Google Play Store on iOS or Android devices respectively, they'll be safe, but this isn’t the case. Research by NortonLifeLock found that 67% of malicious app installs it identified came from the Google Play Store.
You can prevent this by setting clear policies for BYOD hardware. Consider using MDM tools that allow you to either whitelist or blacklist certain apps. Using whitelisting, where only pre-approved apps can be downloaded, is the safest solution, but you may have to balance this against the need for convenience and usability for employees.
4. Mixing personal and business use
Naturally, many employees will expect to continue using personally-owned devices on their own time, as well as for business use, but this presents numerous challenges. If someone opens a malware-infected email on their personal account, or visits a compromised website outside of work hours, this could still lead to problems for the business if you aren't careful.
Avoid this by creating a strong barrier between personal and business use on a device. Containerization to segregate business data and apps from the rest of the device is essential in protecting critical enterprise info from any risky activity users engage in on their own time.
5. Lost or stolen devices
Having any device containing sensitive data lost or stolen can be a nightmare for businesses, but when it's a personally-owned item, this can present even more difficulties. According to T-Mobile, 41% of all data breaches over the last ten years were traced back to lost laptops, tablets and smartphones, and this can cost businesses both operationally and financially.
The best course of action should a device be lost or stolen is to remotely wipe it of any sensitive data, which means good MDM solutions are again a must. However, if this will also affect any personal data employees store on their device, this is something they must be aware of and have agreed to beforehand as a condition of using BYOD.
6. Unsecure networks
It's not just what users do on BYOD hardware that can be out of the business's control - it's also where they do it. Connecting to business applications and data via unsecure networks such as public Wi-Fi hotspots can often put your firm at risk. These locations are often targeted by hackers to steal data as it's easy to intercept traffic.
Requiring the use of a VPN is one way to minimize these risks, as it encrypts traffic between the device and the business network so that intercepted business data can't be read. You may also consider offering users a data package for their device that allows them to remain on their mobile network, which can then be tethered via Wi-Fi to devices that lack mobile data capabilities.
7. Lack of oversight
Ultimately, one of the biggest risks for businesses adopting BYOD is being unable to see what users are doing. To address this, the first step must be to draft a clear set of policies that users must agree to before they can adopt BYOD. This may include areas such as password and single sign-on rules, location tracking and use of apps or connectivity tools.
However, firms still need visibility to determine if these rules are being followed. For instance, are users actually using some of the tools and techniques mentioned above, like VPNs? Are they ensuring their device is updated to the latest version? The use of monitoring tools as part of a comprehensive MDM solution will ensure employees aren’t abusing the privileges that come with BYOD.