What is BYOD (Bring Your Own Device)?
What is BYOD?
Bring your own device (BYOD) refers to a business policy that allows employees to use personal devices for work purposes. BYOD was already common before COVID and is now the norm, even for businesses that were previously wary of the policy’s potential security risk. Common personal devices include smartphones, laptops, tablets, and USB drives.
BYOD comes in many forms in the corporate environment, differing depending on who owns the device and how it can be used.
- Bring your own device (BYOD) means the device is owned by an employee and is used for both work and personal purposes.
- Choose Your Own Device (CYOD) is when the organization offers users a choice of devices from a limited list. These can be owned by the company or the employee, but either way, any customization must go through the IT department.
- Corporate Owned, Personally Enabled (COPE) is when the device belongs to the company and is given to the employee, who is also authorized to use it for personal activities.
- Corporate Owned, Business Only (COBO) is the most restrictive category: the company owns the device and the employee can only use it for work-related activities.
Why is BYOD important?
Employees will access sensitive company data from their personal devices, whether or not it is against the rules and whether or not they have been issued a company device, out of convenience or negligence. Organizations should take the time to consider implementing a BYOD policy for their own benefit and that of their employees. Key benefits include:
- Increased productivity: Users have already selected devices that suit the way they interact with technology, and they are comfortable with them. They don’t need to be trained, so they can get to work without technology training. They know the capabilities of their devices, so they can use them fluently to complete their tasks quickly. No one has to experience the frustration of using a device they don’t understand or like, which boosts morale and improves performance.
- Cost savings: According to Wired Magazine, most organizations report savings of around $300 per BYOD user per year, which is insignificant for a small business but significant for a mid-size business or a business employing hundreds or thousands of people.
- Improved technology: Depending on the job, employees tend to own very up-to-date technology. This eliminates the need for IT to replace hardware, spend extra money on hardware or software licenses, and keep devices updated.
What are the risks of BYOD?
While BYOD brings many benefits, organizations must also consider the risks of using a BYOD policy.
Increased complexity of vulnerability management
As all security professionals know, an organization’s greatest vulnerability lies with its users, and each device brings its own vulnerabilities. Allowing users to connect to the corporate network with personal devices that are not governed by the organization, and which mix personal data with corporate data, is risky. Additionally, there’s no way to control an employee-owned device if it’s lost or stolen, and there’s no way to tell whether a logged-in user is the credentialed employee, a friend, or the employee’s parent. Organizations need to create complex vulnerability management protocols to keep every device secure.
Increased Cybersecurity Risks
Integrating employee-owned devices into the organization’s network increases the risk of cyberattacks through:
- Open-source code: Apps are a big concern because IT can’t know what apps are installed on a BYOD device. Almost all applications use open-source code, which is not inherently dangerous – but if the application developer does not follow news about newly discovered vulnerabilities in that open-source code and take appropriate measures to secure the application, there is a problem. And that’s the norm: developers usually integrate open-source code once and never think about it again as they move on to adding other features.
- Granting unnecessary permissions: Many apps are also greedy, asking for permissions they don’t need. This could be because developers are thinking about a feature they plan to build next quarter, because they don’t understand what they’re asking for, or because they have malicious intent. There’s no way to know, but the risk is the same either way: a potential breach of company data. Users should understand the level of access they are granting to the apps they download, and they should ensure that others who borrow their personal devices also understand those access levels. If a user lends their device to their children, there is really no way to trust that those children will refuse inappropriate permission requests.
- Unprotected networks: The networks on which a BYOD device is used may be risky. Home Wi-Fi networks do not have the same security controls as corporate networks, and neither do public networks in cafes, stores, and other places from which remote workers are likely to access the corporate network. Organizations should assume that employees will access sensitive data over unsecured home or public networks and take steps to detect intrusions across this larger set of entry points.
- Stolen devices: When a corporate device is reported lost or stolen, IT can brick it to make it unusable. When a personal device is lost or stolen, this is not possible. And while IT can block access to the VPN or company apps, that doesn’t guarantee that a bad actor can’t use vulnerabilities elsewhere on the device, such as an insecure app, as a means to obtain information that can be used to breach the corporate network. There’s also no way to ensure that every user installs all OS updates and doesn’t store company files on the device, and if an employee is fired or quits, there is no way to delete the company data they have downloaded to the device.
Loss of privacy
Both parties, the BYOD user and the organization, lose some privacy when a BYOD policy is implemented. All of the user’s personal information becomes reachable through the organization’s network, including social media credentials, messages, bank account information, and so on. On the other hand, users have access to sensitive company information that can be carelessly shared or purposefully exploited.
Although there are many strong business cases for using BYOD, one caveat is to make sure BYOD doesn’t get in the way of innovation. If a business misses the opportunity to try breakthrough technology because it’s not sure it can do so in a BYOD environment without losing data or degrading interoperability capabilities, it’s missing an opportunity to scale.
6 BYOD Policy Implementation Best Practices
There is no BYOD policy template that will work for every business. Each organization must chart its own course, but can always follow these best practices to ensure proper implementation.
1. Seek input from all departments
Start by seeking input from a range of departments to understand how different user groups will perform work on their mobile devices, and from there extrapolate what the policy should cover. Expect to implement the policy in stages and drive a practice of continuous improvement guided by the need for flexibility, security and employee support.
2. Create an endpoint-agnostic policy
A BYOD security policy should be endpoint-agnostic so that it can accommodate new and emerging devices and platforms. Otherwise, the security team will be forced to revise the policy constantly, which will make enforcement difficult. In most cases, there should be separate BYOD policies for FTEs, contractors, and temps.
3. List authorized devices
Not all devices are suitable for a BYOD program; outdated devices and those running outdated operating systems, for example, are not. Specify what is allowed, what will be maintained by the company, and what the user is responsible for maintaining.
4. Encourage multi-factor authentication
Explicitly encourage multi-factor authentication (MFA). Modern smartphones offer this security feature by default, but put it in the security policy so that users who have disabled their lock screen or taken other steps to avoid MFA know that using it is a condition of BYOD.
5. Make sure the policy clearly defines permissions
The policy should clearly state who owns the data on the device and who owns the phone number the data is associated with. Indicate what happens to the data if the mobile device user leaves the company.
IT teams should prioritize using the right tools and solutions to ensure their organizations remain as secure as possible when implementing a BYOD policy.
CrowdStrike offers a wide range of solutions that will help your organization maintain visibility and hygiene across managed and unmanaged devices contributed by your stakeholders.