Bring your own device (BYOD) policy

Bring Your Own Device (BYOD) policies: combatting security challenges

Sarah Beldon Blog, Mobile

Bring Your Own Device (BYOD) policies very rapidly became a hit amongst smaller businesses and enterprises over the last few years. Where flexible working policies and remote working is increasing in popularity, BYOD gives employees an added layer of convenience as they switch between their work and personal life.

Employees bringing their personally owned devices (laptops, tablets, and smartphones) can bring about many benefits including flexibility, productivity and increased motivation in the workplace. It also saves businesses huge amounts of money on hardware and software every year. It is unlikely that employers are going to stop staff using their own devices for work purposes any time soon.

That being said, there are also a number of security challenges companies face when adopting a BYOD policy. Rather than respond in a way that tightens restrictions and takes away from the benefits, IT managers can embrace BYOD with the right solutions to get the right balance and reduce security risks.

BYOD device: What are the risks?

The main concern for companies embarking on a BYOD policy is IT security and data protection (GDPR) privacy. Predominantly, it is the protection of company and customer data that strikes a chord with most businesses.

Data loss or leaks

One of the main concerns when it comes to BYOD is their business sensitive data. When employees are taking devices off-site on a regular basis, there is a higher risk of loss or theft. If a personal device that has work-related information stored on it, it can have massive ramifications for a business.

If someone comes along and finds that device, sensitive data it could be shared, sold or leaked out into public domains, sparking a data breach. Not to mention, employee and customer data too which is becoming increasingly a worry, especially with regards to the recent launch of GDPR.

Public exposure

Personal devices that link to Wi-Fi hotspots or even Bluetooth can pose a security risk for companies. They are more at risk of attacks as well as individuals or businesses accessing information and publishing it out in the open.

Unsecured usage

Some personal devices are used by more than one member of a family. It can be hard to track who is viewing what from a device that is used at home as well as at work.

Privacy issues

From an employee perspective, a company’s BYOD security policy may interfere with an employee’s personal privacy. For example, if they had remote access to the device and were required to wipe data, it could mean that personal data such as videos or photos would be removed too (or vice versa).

Loss of control

When an employee uses their own personal device for work purposes, it takes away the control that the company would have if it were to provide devices to the employee solely for business use. Applications on a personal device have different levels of security on them such as push notifications or GPS tracking. These apps pose a higher level of risk for malware and hacking.

What can companies do to overcome BYOD security risks?

With BYOD being so prevalent in the workforce, companies need to think about the types of policies they want to have in place and how they can address some of the security challenges and reduce risk.

Company BYOD policy

A comprehensive strategy and company policy can help to mitigate some of the security concerns companies may have. Managers can start with risk profiling to understand what those risks can mean to the company. For instance, an international company or company holding sensitive customer data will pose a much higher risk when it comes to security.

Once companies have an understanding of what that might look like and where those risks are coming from a policy can start to take shape. This can include guidelines for acceptable use of devices in and out the workplace, password updates, encryptions, application use, monitoring and rules covering the possibility of device and/or data loss and what happens when an employee leaves the company.

Anti-virus protection and malware prevention

When devices are used for personal use, they are more prone to malware as there are more sites and applications likely to be visited or downloaded. Companies can purchase a volume license and install anti-virus and anti-malware software onto personal devices so that they are more secure.

Alternatively, employees could be asked to install their own protection if they are using the device for work purposes. There may be a policy in place to verify this with IT and companies may recommend a certain piece of software so that they are happy with the level of security.

Encryption

As data on personal devices are outside the control of the company, it is important to encrypt sensitive data that is stored and shared. Encrypting files can help to protect them if the device was to be lost or stolen. It can also prevent data being intercepted in an unsecured network.

It is important that companies provide encryption for the entire duration of the data lifecycle, so not just when it is being shared but also when it is held in a device too. Encryption keys can be held with IT authorities and activated or changed remotely for further levels of protection.

Invest in the right technology

Investing in technology and IT support can help to reduce security. Secure set-set up, ongoing maintenance and updates can provide a further layer of protection.

There may be different solutions for different devices or even people working in different departments. For example, an administrative executive may only need to access emails, calendars and calls from a device, whereas a sales manager may have more sensitive data stored on a mobile, tablet and/or laptop that they take out on the road with them.

By having the IT support there, risk can be reduced across the whole company and tailored for specific users.

Mobile device management (MDM)

Mobile device management may be a new term to some businesses, but it is essentially what it says on the tin. MDM systems give businesses a platform to work with, from which they can manage a device and its capabilities.

Advancements in mobile device management have helped companies gain more control of personal devices being used in the work environment. But companies need to be careful when they are working with a personal device and not taking away the freedom and flexibility from employees.

It’s more about getting the balance right between protecting both employer and employee sensitive data without appearing too controlling.

Features and application protection

With an MDM platform, IT managers can pick and choose which features they want to give their users access to. These systems can do some very clever things when it comes to GPS tracking, blocking applications and providing password authentications. All of which can create a safer space for workers to use their personal devices at work.

Controlling applications isn’t always a practical solution for personal devices. But, MDM systems allow for changes to take place based on the individuals’ location. For example, companies can control what applications can be used in a ‘work space’ compared to a ‘home or personal space’. This then can give employees limited access at work but more freedom when they leave.

Leavers

MDM management systems also help to provide higher levels of control when an employee leaves the company. The individual leaves with their device, but the company has control over access to company data. This can also include blocking the ability to transfer data via a USB.

They can also wipe certain data on their devices after leaving a company. With more complex MDM systems, these can be broken down so employees are able to keep their own personal files, whilst the business-sensitive files can be wiped from the device.

Providing regular updates

MDM devices allow IT departments to keep control over updating devices. They can ensure that the latest applications and security software are always up to date. This platform allows IT to update devices remotely, so employees out on the road aren’t subject to new malware or security threats.

Company applications or cloud-based systems

For some, MDM systems may be too controlling and can remove some of the benefits for employees. In this instance, there are other ways companies can protect their business data.

Mobile Application Management (MAM)

MAM provides a platform to manage applications on a device rather than the entire system. It creates less work for IT as they now only need to manage and control applications, rather than personal content. It also allows the employee to feel that their own files are private rather than be controlled. After all, it is their own device.

Utilising the cloud

Cloud-based systems are secured with passwords and encryption. They allow employees to access company documents but only if they are signed in or connected via a Virtual Private Network (VPN). It’s a safer type of connection that allows the individual to access work documents over a private network. It also allows them to keep their own personal files separate.

Company mobile applications

If you have the IT infrastructure and resources, it is possible to issue your own mobile app. A company app can be created that uses an encrypted connection to communicate with your company servers. It’s a cloud solution that is unique to you. That way, you can benefit from the security but also have a flexible solution designed for your specific needs.

Employee education

BYOD offers many benefits for both the employer and the employee. People can feel more comfortable working on their own devices which can allow better access to communication channels. Ongoing employee education can help to increase the security of these sorts of policies.

Communicating with your employees about the benefits and risks can help them to provide them with an understanding. The business can layout acceptable use of devices in the workplace and drive security awareness through training and policy guidance.

When a BYOD policy is put in place, managers can see improved productivity, cost savings, and faster communications. Not only that, but they can provide a flexible environment for greater employee satisfaction. A multi-faceted approach should be considered, depending on the nature of your company. This helps to address potential risks as well as avoid an invasion of employee privacy and usability.