What is BYOD?
Bring Your Own Device (BYOD) refers to a business policy that allows employees to use personally owned devices for work purposes. BYOD was already common prior to COVID and is now the norm, even for enterprises that were formerly wary of the policy’s potential security risks. Common personal devices include smartphones, laptops, tablets, and flash drives.
BYOD comes in many flavors in the corporate environment, differing on who owns the device and how it can be used.
- Bring Your Own Device (BYOD) means the device is owned by an employee and used for both business and personal tasks.
- Choose Your Own Device (CYOD) is when the organization offers users a choice of devices from a limited list. These may be owned by the company or the employee, but either way, any customization has to go through the IT department.
- Corporate-Owned, Personally Enabled (COPE) is when the device is owned by the business and issued to the employee, who is also allowed to use it for personal activities.
- Corporate-Owned, Business-Only (COBO) is the most restrictive category: the company owns the device and the employee can use it only for business activities.
Why is BYOD Important?
Employees will access sensitive company data from their personal devices, whether out of convenience or negligence, even when it is against the rules and even when they have been issued a company device. Organizations should therefore take the time to consider a BYOD policy that benefits both themselves and their employees. Main benefits include:
- Increased Productivity: Users have already selected devices that suit their way of interacting with technology, and they are comfortable with them. They don’t need to be trained, so they can get right to work without instructional overhead. They know the capabilities of their devices, so they can use them fluently to complete their tasks quickly. No one has to experience the frustration of using a device they don’t understand or don’t like, which improves morale and boosts performance.
- Cost Savings: According to Wired Magazine, most organizations report savings of around $300 per BYOD user per year, which is trivial for a small company but meaningful for a mid-sized business or enterprise with a workforce of hundreds or thousands.
- Upgraded Technology: Depending on the job, employees tend to have very up to date technology. This eliminates the need for the IT department to be replacing technology, spending extra money on hardware or software licenses, and updating devices.
What Are the Risks of BYOD?
While BYOD brings many benefits to the table, organizations should also consider the risks of employing a BYOD policy.
Increased Vulnerability Management Complexity
As every security professional knows, an organization’s greatest vulnerability is its users, and each device brings its own vulnerabilities on top of that. Allowing users to connect to the company network with personal devices that are not governed by the organization, and that mingle employees’ personal data with company data, is risky. Unless the device is enrolled in a management solution, there is little the organization can do to control an employee-owned device if it is lost or stolen, and there is no way to know whether a logged-on user is the credentialed employee or the employee’s friend or relative. Organizations need to create vulnerability management protocols that account for every such device.
Increased Cybersecurity Risks
Having employee-owned devices be part of the organization’s network increases the risk of cyberattacks through:
- Open-Source Code: Apps are a great concern because IT cannot know what apps are installed on a BYOD device. Almost every app uses some open source code, which is not inherently dangerous, but if the app developer does not track newly disclosed vulnerabilities in that code and update the app accordingly, there is a problem. And that is the norm: developers often incorporate an open source component once and never revisit it as they move on to adding other features.
- Granting Unnecessary Permissions: Many apps are also greedy in requesting unnecessary permissions. This may be because the developers are thinking ahead to a feature they expect to build in an upcoming quarter, or because the developers do not understand what they are asking for, or because they have malicious intent. There is no way to know, but the risk is the same in all cases: a potential breach of corporate data. Users need to understand the level of access they are providing to the apps they download, and they need to make sure others who borrow their personal devices understand access levels as well. If the user is lending their device to their children, there is really no way to trust that those children will deny inappropriate permission requests.
- Unprotected Networks: The networks on which the BYOD device is used can introduce risk. Home Wi-Fi networks do not have the same security controls as corporate networks. Neither do the public networks at coffee shops, stores and other places from which remote workers are likely to access the corporate network. Companies need to assume employees will access sensitive data through insecure home or public networks and take necessary steps to hunt for intrusions from a greater number of entry points.
- Stolen Devices: When a corporate device is reported lost or stolen, the IT department can remotely lock or wipe it so it is unusable. When a personal device is lost or stolen, that is generally not possible unless the device has been enrolled in a management solution. And while IT can block access to the corporate VPN or apps, that does not guarantee a bad actor won’t use weaknesses elsewhere on the device, such as an insecure app, to obtain information that can be leveraged to breach the corporate network. There is also no way to ensure that each user installs all operating system updates and does not store corporate files on the device, and if an employee is fired or resigns, the organization may have no way to delete company data they have downloaded to the device.
Loss of Privacy
Both parties, the BYOD user and the organization, lose privacy when a BYOD policy is implemented. Personal information on the user’s device, such as social media accounts, messages and banking data, may become visible to the organization’s network and management tools. On the other hand, users have access to sensitive company information that can be negligently shared or purposely exploited.
While there are many strong business cases for the use of BYOD, one caveat is to be sure that BYOD does not hamper innovation. If a company avoids the chance to try a groundbreaking technology because it is not confident it can do so in a BYOD environment without losing data or degrading interoperability capabilities, it is missing an opportunity to evolve.
6 BYOD Policy Implementation Best Practices
There is no template for a BYOD policy that will work for all businesses. Each organization must forge its own path, but the following best practices will help ensure proper implementation.
1. Seek Input Across Departments
Start by seeking input from a range of departments to understand how different groups of users will perform work on their mobile devices, and from there extrapolate what the policy must cover. Expect to implement the policy in stages and to conduct a practice of continuous improvement that is guided by the need for flexibility, security and employee support.
2. Create an Endpoint-Independent Policy
A BYOD security policy must be endpoint-independent so it can serve new and emerging devices and platforms. Otherwise, the security team will be forced to constantly revise the policy, which in turn will make enforcement difficult. In most cases, there should be a different BYOD policy for FTEs, contractors and temps.
3. List Devices Allowed
Not all devices are suitable for a BYOD program, such as obsolete devices or those using outdated operating systems. Specify what is allowed, what will be maintained by the company, and what the user is responsible for maintaining.
4. Encourage Multi-Factor Authentication
Expressly encourage, and where possible require, multi-factor authentication (MFA) for access to corporate resources. Modern smartphones prompt users to set a lock screen PIN or biometric by default, but a device lock is not a substitute for MFA. Put the requirement in the security policy so users who have turned off their lock screens or taken other steps to avoid MFA know that its use is a condition of BYOD.
5. Ensure Policy Clearly Defines Authorizations
The policy should be clear on who owns which data that is on the device and whose phone number the data is associated with. State what happens to data if the mobile device user leaves the company.
6. Employ a Privacy Policy
Lastly, be sure to have a thoughtful privacy policy that is compliant with local and U.S. data privacy regulations. This policy should not protect only the company, but the BYOD user as well.
BYOD & CrowdStrike
IT teams should prioritize employing the right tools and solutions to ensure their organizations stay as secure as possible when implementing a BYOD policy.
CrowdStrike offers a wide array of solutions that help your organization maintain visibility and hygiene on managed and unmanaged devices brought by your stakeholders.