Thanks to technology advancements that allow us to access the Internet at a moment’s notice, today’s typical employee is more remote and on-the-go than ever before, continually accessing email, company systems, and documents from cell phones, laptops, and tablets.
Doing business without mobile devices simply isn’t an option anymore, and the abundance of personal devices makes it convenient to quickly answer emails, jump on a conference call, or knock out a few items during your commute to the office (assuming you’re not the one driving, of course). That said, how employees are using personal devices for business purposes must be considered when it comes to an organization’s security strategy.
While a bring-your-own-device (BYOD) environment does create many operational benefits for organizations, it also poses substantial cybersecurity risks if not implemented and maintained appropriately. One needs to examine the risks and benefits, as well as best practices that companies can – and should – implement to avoid a disastrous data breach.
Do the risks outweigh the benefits?
As with any technology program, there are both risks and benefits to BYOD programs, and there’s certainly no “one-size-fits-all” standard. What works best for one organization’s environment may not work for another, but there are still a few across-the-board pros and cons every organization should consider before allowing employees to access company data from a personal device.
Simply put, BYOD is just easier on both the employer and the employee. Very few people want to carry around two different devices for personal and company use, or want to go through the hassle of learning a new device for the sake of business. By the same token, allowing users to work from their personal device also enhances productivity, since there is no secondary device to learn.
It can also provide a cost savings to the company in not having to provide, configure, maintain, and support mobile devices.
Security is often traded for convenience in BYOD environments. When employers allow employees to work from their personal devices without appropriate protections in place, they have little to no control over the security of the device itself, which substantially increases the risk to the organization.
The less effort companies put into providing employees with secure devices or ensuring the devices are correctly configured, the more work is required from IT on the back end to secure the organization’s network and data. Typical consumers aren’t always diligent about staying current with patches and security updates on personal devices, so when employees can access business-critical documents and internal communication platforms from their own phones or computers, the whole organization can be put at risk.
Unpatched personal devices used for work can open the door for attackers to insert themselves into a conversation or online session, or to obtain corporate credentials and, from there, gather confidential information and/or attack the company’s private network from the inside.
The cost savings of BYOD are not always as large as they might seem, since they can be eaten up by the cost of deploying protective and monitoring systems for the devices. In addition, some states require companies to reimburse employees for using their own devices for work purposes.
So, yes, BYOD is convenient. But it is not always the right answer.
Implementing the right controls
Major BYOD security concerns can be overcome with careful planning and proper implementation on the operational side. In addition to requiring up-to-date patches, networks can be configured to refuse connections from devices that lack specific components such as passcodes or anti-virus controls, or the most recent updates of those components. Device encryption and remote wipe are further methods of protecting data residing on a personal device.
For companies that opt for a BYOD environment, the best protection is an explicit policy of waivers and conditions that employees must agree to and sign before being allowed to conduct business from a personal device.
Ideally, a policy should include:
- Mandates for keeping the operating system and applications on personal devices continually updated with security patches
- Restricted “approved” uses for personal devices that are clearly defined
- Restrictions on what types of data can be stored on personal devices
- Defined policies for protecting the devices themselves (not just the data on them)
- Mandated encryption of company data
- Restricted access to the network if the device does not meet certain security criteria
- Required annual training for employees and executives regarding BYOD risks and policies
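The network access gate described above, which refuses connections from devices that are missing patches, a passcode, encryption or anti-virus, and which keeps restricted data classes off personal devices, can be expressed as a small device-posture check. The following Python is an added example, not code from this post or from any particular MDM product; the device record field names, the policy thresholds, the data classes and the sample inventory records are all constructed placeholders, and the check fails closed whenever a field is missing or unknown.

```python
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Policy:
    """Thresholds a personal device must meet before it is allowed on the network.
    All values here are hypothetical placeholders for the example."""
    min_os: dict               # platform -> minimum supported OS version ("major.minor")
    max_patch_age_days: int    # how stale security patches may be before access is refused
    require_passcode: bool = True
    require_encryption: bool = True
    require_antivirus: bool = True
    blocked_data: frozenset = frozenset()   # data classes that may never sit on a personal device


def parse_version(version):
    """Compare dotted versions numerically so '17.10' sorts after '17.4'.
    Non-numeric components (e.g. 'beta') are treated as 0 (assumption for this example)."""
    return tuple(int(p) if p.isdigit() else 0 for p in version.split("."))


def evaluate(device, policy, today):
    """Return (allowed, reasons) for one device record.
    Any missing or unknown attribute counts as non-compliant, so the gate fails closed."""
    reasons = []

    # OS must be a supported platform at or above the minimum version
    platform = device.get("platform")
    min_os = policy.min_os.get(platform)
    if min_os is None:
        reasons.append(f"unsupported platform: {platform}")
    elif parse_version(device.get("os_version", "0")) < parse_version(min_os):
        reasons.append(f"os {device.get('os_version')} below minimum {min_os}")

    # Security patches must have been applied recently enough
    last_patch = device.get("last_patch")
    if last_patch is None or (today - last_patch).days > policy.max_patch_age_days:
        reasons.append(f"security patches older than {policy.max_patch_age_days} days")

    # Required device-level controls (passcode, encryption, anti-virus)
    controls = (("passcode", policy.require_passcode),
                ("encrypted", policy.require_encryption),
                ("antivirus", policy.require_antivirus))
    for name, needed in controls:
        if needed and not device.get(name, False):
            reasons.append(f"missing control: {name}")

    # Data-class restriction: the device must not hold data the policy blocks on BYOD
    restricted = set(device.get("data_classes", ())) & policy.blocked_data
    if restricted:
        reasons.append("stores restricted data: " + ", ".join(sorted(restricted)))

    return (not reasons, reasons)


def gate(devices, policy, today):
    """Evaluate every device and map its id to the access decision."""
    return {d["id"]: evaluate(d, policy, today) for d in devices}


# Hypothetical policy thresholds (constructed for this example)
POLICY = Policy(
    min_os={"ios": "17.0", "android": "14"},
    max_patch_age_days=30,
    blocked_data=frozenset({"phi", "source_code"}),
)

# Fixed "today" so the example is reproducible
TODAY = date(2024, 6, 1)

# Constructed inventory records, shaped like what a device agent might report
SAMPLE_DEVICES = [
    {"id": "dev-1", "platform": "ios", "os_version": "17.4", "last_patch": date(2024, 5, 20),
     "passcode": True, "encrypted": True, "antivirus": True, "data_classes": ["email"]},
    {"id": "dev-2", "platform": "android", "os_version": "12", "last_patch": date(2024, 1, 3),
     "passcode": True, "encrypted": False, "antivirus": True, "data_classes": ["email", "phi"]},
    {"id": "dev-3", "platform": "windows", "os_version": "10.0", "last_patch": date(2024, 5, 28),
     "passcode": True, "encrypted": True, "antivirus": True, "data_classes": []},
]


def run_gate():
    """Run the sample inventory through the policy; dev-1 passes, dev-2 and dev-3 are refused."""
    return gate(SAMPLE_DEVICES, POLICY, TODAY)


if __name__ == "__main__":
    for device_id, (allowed, reasons) in run_gate().items():
        print(device_id, "ALLOW" if allowed else "DENY", reasons)
```

The decision returns every failed criterion rather than stopping at the first one, so the user (and the help desk) can see exactly which policy items the device needs to satisfy, and a record with unknown fields is refused instead of being waved through.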
For organizations in highly regulated fields (i.e. government or healthcare organizations) that have remote or on-the-go team members with access to highly sensitive data, go the extra mile and supply them with company-owned devices, which can be more easily configured, controlled, and monitored.
When you consider that the cost savings from BYOD could be completely negated by a single incident, treat the spending on protection as an investment, not an expense.
Security is a team effort
At the end of the day, enterprise cybersecurity is everyone’s responsibility. Throughout this “Cybersecurity Training” blog series, I’ve discussed the importance of company leaders talking to employees about security, executives practicing what they preach, and closed it off with the factors to consider with BYOD programs.
If there’s one thing to take away from this, let it be that an organization’s cybersecurity posture is a team effort. Executives and managers are responsible for establishing policies, implementing procedures and requirements, and making employees aware of the dangers facing the company. Equally, employees are responsible for taking the risks seriously, complying with the security mandates, ensuring the prompt reporting of any concerns, and/or asking questions to prevent a potentially devastating chain of events.