The increase in hybrid work and the use of cloud technologies in recent years means that the modern corporate network is flexible and diverse, both in terms of location and composition. Employees are using laptops, tablets and cell phones to work from their now-established home offices, couches, and even coffee shops. And two thirds of these “teleworkers” use a personal computer to work from home, rather than a corporate-issued one.
This contemporary workplace encourages employees to have a better work-life balance, as well as enabling businesses to structure themselves in a more productive, flexible, and cost-effective way. And a bring-your-own-device or “BYOD” device fleet, often paired with hybrid work environments, allows businesses to reduce provisioning costs, while allowing employees to work on devices that they’re familiar with and are comfortable using. However, a BYOD device fleet also presents IT teams with a number of security challenges.
But what exactly are those challenges, and how can you increase your BYOD security so your business can reap the rewards that a BYOD network offers?
Why Do Businesses Choose BYOD?
BYOD device policies are usually instated when organizations have a number of remote employees, or employees that have to travel a lot as part of their role, and there are a few reasons why you might choose to allow your employees to use their own personal devices for work in these instances.
Firstly, a BYOD culture can reduce the strain on minor helpdesk tickets. Employees are familiar with their own devices. They spend a lot of time on them and know how they work, so are more likely to be able to troubleshoot any minor issues themselves, freeing up IT resources that might otherwise be spent helping employees work out how to reset a password, or changing a device’s peripheral settings.
Secondly, allowing employees to use their own devices for work can lead to an increase in productivity, as they’re more familiar with the devices they’re using. When working on a familiar device, an employee can achieve in a few seconds something that could take a few minutes on a device with a different operating system to the one they’re used to. Syncing a SharePoint drive with a Mac desktop, for example, can be a little complex; particularly if the person doing it is used to working with a Windows OS.
Finally, implementing BYOD increases flexibility when it comes to hardware. This one is fairly straightforward: your employees are able to work both on- and off-site without needing any extra hardware in order to do so. Not only does this enable employees to switch seamlessly between office- and home-based working, but it also makes it easier for them to travel to other company sites without you having to provision a device for them in the secondary location each time.
However, there are two sides to the BYOD coin; just as it can create positive impacts for your organization, it can also have serious consequences when not implemented properly.
What Are The Challenges Of A BYOD Culture?
Some organizations have reservations when it comes to allowing employees to use personal devices for work. There are a few reasons for this, some easier to address than others, but all of which can cause problems down the line when not properly planned for. Here are the main challenges and risks associated with BYOD:
The main concern when it comes to BYOD is security. It’s harder to create a security-first culture when employees are working remotely and using their own devices, simply due to the fact that they’re working in a comfortable environment. When you’re working in your living room, perhaps drinking a coffee while the children are asking for help with their maths homework, you’re much less likely to be concerned about data breaches than you would be in a corporate office environment, surrounded by posters reminding you to lock your machine when you stand up. It’s crucial that organizations take steps to ensure that remote workers are actively aware of security risks, even though they aren’t in the office. However, despite this need, 73% of workers globally didn’t receive any security awareness training from their employer when they started working from home as a result of the coronavirus pandemic.
As well as the human risks, remote work and a BYOD culture also present a number of technical risks. The first of these refers to the devices themselves: organizations that haven’t invested in robust cloud-based cybersecurity tools for BYOD devices will find themselves at risk from credential theft attacks, such as social engineering and password cracking attempts. Despite this, only a third of organizations with BYOD policies provide antivirus software for personal devices.
The second technical risk is ascribed to the way in which employees must often connect personal devices to the corporate network. Because BYOD is usually implemented for remote workers or employees on-the-go, those employees are usually accessing corporate data via their home router or a free public Wi-Fi network, such as in a coffee shop, train station, or airport. These types of networks are relatively straightforward for bad actors to hack into and, if they do, they can easily install malware on devices that are connected to them without a VPN.
The culmination of the above challenges is this: personal consumer devices that haven’t been properly secured by the organization before being approved for workplace use are twice as likely to become infected with malware as their corporate counterparts.
Compliance And Liability
Data protection should always be at the forefront of any security team’s mind, but for some industries, such as healthcare, law and finance, it’s non-negotiable. This is because of very strict compliance standards that these industries have to meet in terms of how they access, use and distribute data. The HIPAA standard, for example, requires that all mobile devices used in the workplace must implement and enforce a HIPAA mobile device policy to protect patients’ electronic protected health information (ePHI), and prevent this information from being exposed. When it comes to compliance, the organization is responsible for employee devices, including BYOD devices. This is because, though not owned by the organization, the devices are still used to access and store corporate data.
Without clear insight into how employees are storing and sharing corporate data on their personal devices, it can be difficult for security teams to ensure compliance.
When it comes to general network maintenance, BYOD can give IT technicians a real headache. Installing and updating software across such a diverse fleet of device types and operating systems is a mammoth task when attempted manually, and relies on the cooperation of each employee to keep their device up-to-date and patched.
On top of this, some devices might not be compatible with all of the software that needs to be installed on them in order for employees to be able to do their jobs. An example of this would be an employee using an outdated mobile operating system, or an older machine that isn’t powerful enough to carry out the tasks they need to do.
If an employee leaves the company, it can be difficult to retrieve or remove corporate data from their personal device without totally wiping it or searching through all saved data – something which a lot of employees may not be happy with, as the process could infringe on their privacy. To prevent this, it’s important that all employees using BYOD devices sign an agreement that the organization can wipe the device of any corporate data in the event that they leave.
However, though it’s important that you are aware of these risks, they shouldn’t put you off setting up a BYOD policy for your business. As with any area in cybersecurity, there will always be challenges: you just need to find the right solution to combat them. And that brings us on to the final section of this article…
How Can You Increase BYOD Security?
Considering the security risks we discussed above, it’s no wonder that 67% of IT professionals believe that using BYOD devices during the pandemic has decreased their company’s security posture, or that 71% of them are concerned that remote workers are putting their business at risk of falling victim to a data breach. But it doesn’t have to be that way!
There are a number of solutions out there that can help you to secure your BYOD device fleet. Here are the three best means by which you can protect your employees’ personal devices against cyberattacks:
Unified Endpoint Management (UEM)
Unified endpoint management, or UEM, solutions enable organizations to remotely monitor and manage all of the devices connected to their network via one single interface. They help IT teams to secure PCs, mobile devices, and IoT devices against potential cyber threats. To do this, UEM solutions combine a range of specialist features, including:
- Detailed administrative reporting into who is connecting to the network via which device, from which location, and at what time
- Advanced user authentication and access management
- Application isolation, which enables employees to use both work and personal apps securely on one device
- Automated software patching
As well as helping to secure BYOD networks, UEM solutions help organizations to create a unified digital environment across all devices and all locations – from corporate offices to an employee’s kitchen table.
Endpoint Security
Endpoint security solutions combine powerful firewalls, anti-malware features and device management tools to secure each of the endpoints connected to a network against malicious attacks. Because admins can manage endpoint security solutions centrally, they can easily monitor the health of BYOD devices and assess the level of risk presented by each device at once.
Like UEM, endpoint security solutions come with a wide range of features that enable them to secure your network against potential threats. These include:
- Endpoint Detection and Response (EDR) that scans devices for existing vulnerabilities and reports them to you for actioning before a hacker can exploit them
- Automated incident response that utilizes workflows and processes such as blacklisting and sandboxing to mitigate certain malware threats and free up IT resources to deal with more advanced threats
- Anti-malware and antivirus software, powered by artificial intelligence and machine learning technologies which ensure that you’re secured against even the most recent zero-day threats
- Remote management and reporting tools, which enable you to generate reports into device health at an individual and organizational level
Virtual Private Networks (VPNs)
Virtual private networks, or VPNs, create a private network across a public internet connection, hiding the user’s IP address to give them anonymity and privacy, and encrypting the connection to ensure that nobody but the user can see their internet activity. They basically act as a tunnel between the device and the internet; nobody but the user and the recipient of their activities can see what that user is doing within the tunnel.
Using a VPN, employees can send and receive data to and from the corporate network from a public Wi-Fi connection as securely as if they were directly connected to a private network. VPNs are recommended especially for SMB users looking for a cost-effective way to secure access to corporate applications. For larger enterprises looking to secure access to a more complex network environment, we would recommend researching Zero Trust Network solutions.
When it comes to BYOD, you need to make sure that you’re not sacrificing your company’s security in order to increase productivity. The key to achieving this is in planning your implementation of a BYOD policy carefully and investing in the right solutions to ensure that your networks – and your employees – remain secure.
If you feel ready to start exploring your security options further, take a look at our guides to the top UEM solutions, the top endpoint security solutions, and the top enterprise VPNs, and remember: your data is only as secure as the architecture you build to protect it.