BYOD: What are the main risks of using employees’ personal devices in the workplace?
Nowadays, the use of personal devices for work purposes is more than logical. Especially given the increasingly common practice of working from home during the pandemic, and later remote work due to the full-scale russian invasion.
The practice in which employees can use their own gadgets (laptops, tablets and smartphones) at work is called BYOD (Bring Your Own Device). BYOD as a phenomenon has been around for almost a decade, but now is the time to consider this extremely important topic from the cybersecurity point of view.
What are the cyber risks of this practice? And most importantly, how can organizations protect themselves from the possible penetration of intruders through non-corporate devices?
Advantages and disadvantages of BYOD
BYOD has its advantages and disadvantages. Why are so many companies positive about the use of personal devices by employees?
Funds savings. If an employee works on his own device, the company doesn’t need to spend resources on buying work gadgets.
Productivity improvement. Working on a familiar laptop with a customized environment is often more convenient for the employee and helps them complete more tasks in less time.
Attractiveness for new talents. The times of the pandemic have shown that many companies can work completely remotely. Now this is what candidates are expecting while looking for a new job.
However, there are several downsides of using BYOD.
Increased vulnerability of employee gadgets to theft or loss. If the working laptop is in the office most of the time, it’s easier to protect it – it’s more difficult to steal or lose it while staying in a hotel.
Infection with dangerous software. It’s easier to organize control over the protection of an exclusively working device. System administrators typically ensure that security solutions are in place and that these software suites are updated and not shut down, and that account access is minimally sufficient – administrative access doesn’t required for most day-to-day tasks. These laptops and tablets will connect to secure work networks. At the same time, on a personal device, a person may not take care of security software that much. In addition, if the device isn’t used for work only, but in everyday life as well (for example, for social media or watching online movies) catching a virus in this case is much easier. It’s also difficult to protect these devices from connecting to unsecured Wi-Fi networks, which can also be a source of problems. In addition, in the case of a successful phishing attack, there is almost no chance of identifying infected system elements when using your device, unlike a corporate-managed device that must be connected to the Security Operations Center (SOC).
Confidential information leakage. Among the employee’s work tasks may be those related to access to confidential information, sensitive data regarding the company's internal network or important financial data or even personal information. “Hacking” of an employee’s personal device with subsequent leakage, or simply mistakenly sending valuable information can lead to huge financial and image losses for the organization.
BYOD Security Policy
If the rules of the work in the company allow employees to bring their own devices to the workplace – smartphones, tablets or laptops, then a special security policy must be created for this. This document should prescribe in which situations the use of the employee’s own devices is possible, which rules should be followed, how these devices should be protected and how to solve security problems that may arise in the event of theft or loss of the device.
What aspects should be outlined in a BYOD policy?
1. It’s necessary to create a list of permitted and prohibited applications/software on personal devices used for work. Without a list of approved software, employees can choose them at their own discretion, regardless of their level of protection. It’d also be better to create a list of permitted software and clearly prohibit the use of unapproved applications.
2. Clearly state what applications/software and corporate networks employees can access from their personal devices, and which are prohibited from connecting to them (of course, the IT department and the Cybersecurity department should monitor the implementation of this policy).
3. Regulate what the security control of such devices should be (what security software should be used, what are the requirements, what are the rules regarding protection of access to other applications installed on the device).
4. Write down what rights the company has in case the specified device is stolen or lost. For example, in what cases is it allowed to remotely delete data from lost devices and which data.
5. Develop strict requirements for passwords for accounts and for corporate resources that can be accessed from personal devices. Separately, it’s necessary to prescribe a policy on the publication of passwords, rules on their complexity and frequency of change.
6. Define additional conditions, for example, the presence of two-factor authentication.
7. Agree on provisions for maintenance of devices, their repair and replacement, the possibility of receiving a temporary laptop/tablet while employee’s is being repaired.
8. And, of course, the policy should clearly include a requirement for each employee to undergo Cybersecurity Awareness training. Actually, such a requirement should be regardless of whether the employee uses a BYOD device, but in the case of using the latest cyber hygiene is extremely important. Learn more about how we carry out such projects via the link.
It's a good idea to agree with employees that if they want to use their own devices for work (in case they have such a choice), then the BYOD policy should also clearly explain the company’s rights to the data stored on devices used for work tasks and outline the possibility of losing the confidentiality of the user’s own data.
This will simplify further communication and the work of both the employee and the technical specialists. For example, if the work in the company involves the analysis of the user’s online activity or the installation of software to monitor certain processes, then the person should be warned about this and understand all the risks. If he/she wants to read his/her own social media or view content of a personal nature, he/she should understand that the employer can find out about it.
It will not be superfluous to write down some general rules not related to cybersecurity in the BYOD policy, for example, a ban on using a work device while driving a car, a ban on taking photos and videos of work premises, colleagues, work processes, etc.
Using MDM (Mobile Device Management) tools
Using the BYOD concept should allow the company to remotely access employees’ devices. Therefore, when implementing BYOD, one should take care of using mobile device management (MDM) software. These tools allow IT professionals to remotely monitor any device connected to the organization’s network, such as a laptop, printer, smartphone, tablet, and additionally protect them.
Thanks to the availability of MDM tools in case of loss or theft of the gadget, it’s possible to organize the remote deletion of confidential data.
User responsibility and release policy
When developing a BYOD policy, it’s also worth prescribing the responsibilities of employees while the dismissal procedure. It’s necessary to create a release protocol – a list of actions that must be performed to remove programs and data from your own device, as well as access to work accounts. At the same time, it should be emphasized that these actions will not concern the user’s personal information.
A BYOD policy should also include employee liability for leaks of confidential company data caused by negligence or non-compliance. In the absence of personal device management tools, it’s unlikely to be able to provide an evidence base that the leak occurred due to negligence, and therefore the responsibility of the employee should be declarative, of course if there is a choice not to use a BYOD device.
Security around the BYOD phenomenon, like enterprise security, requires a multifaceted approach that addresses potential risks while minimizing intrusion into employee privacy. Properly built processes regarding BYOD will allow you to benefit from this concept.
A well-thought-out BYOD policy should be part of an overall set of measures to maintain a high level of cyber hygiene among employees. Constant corporate trainings with the involvement of specialized companies, security protocols testing and the best global practices studying – this is the secret of successful work in the field of cyber hygiene.