When the pandemic hit and companies swiftly adopted a remote work model, many IT teams allowed employees to use their own devices to work from home. A trend born out of necessity has now become the preferred way to work for most professionals. A recent survey found that 89% of respondents preferred their own technology so strongly that they would be willing to take a pay cut to choose their own devices.
Today, it’s estimated that over 50% of employees use their personal devices for some work activities. As more people use their personal smartphones or laptops to do their jobs, the security risks at an organization increase dramatically.
BYOD — whether instituted as a formal policy or as an adaptation to the pandemic — opens a company’s systems and platforms up to hacking, data loss, and insider threat. IT teams need to be aware of these critical BYOD security concerns, as well as implement best practices to mitigate the risks associated with shadow IT.
What is BYOD?
Before we get into some of the pitfalls of BYOD, it’s important to understand what BYOD is — and why a company might use it. BYOD stands for Bring Your Own Device. It’s a policy that allows employees to work on the device they choose, using their own laptop, mobile phone, or tablet to access their company email, work documents, and more.
BYOD often happens ad hoc or without formal implementation by the organization. An employee who adds their company email to their smartphone, for instance, is inadvertently practicing BYOD. Clearly, this can lead to a number of security risks and challenges. According to some research, 50% of companies that allowed BYOD experienced a data breach through a personal device.
BYOD and shadow IT risks
As the saying goes, you can’t protect what you can’t see, and BYOD policies often lead to the rise of shadow IT. Shadow IT refers to devices owned and managed outside of the IT team’s approval. When employees bring their own devices to work without oversight from the IT team, it can leave company data vulnerable.
Unsanctioned BYOD creates a massive security challenge for IT teams. A survey from Forbes Insight reported that more than 1 in 5 organizations have experienced a cyber event due to an unsanctioned IT resource. Shadow IT can also create compliance issues for healthcare, finance, and educational institutions that need to meet regulatory standards set by HIPAA and FERPA, for example.
Here are a few other security risks presented by both sanctioned and unsanctioned BYOD.
Lost or stolen devices
- Out of 70 million devices stolen each year, only 7% are ever recovered.
- Only 56% of BYOD companies use remote wipe and MDM to deal with security.
- IT theft ranks almost as high as car and transportation theft.
Lost devices are potentially the biggest threat to BYOD security. When the wrong person finds a device, it can easily be infiltrated and mined for personally identifiable information. Luckily, there are some simple ways to protect your company data in the event of a misplaced or stolen personal device.
Few employees are aware that malware can infect a smartphone, not just a laptop. While they may have anti-malware programs installed on their personal computers, not many employees pay attention when it comes to reading the fine print of an app or downloading content on their phones. “Outdated mobile operating systems can be a major risk factor, with some of the most vicious forms of malware primarily affecting outdated OSs,” added one expert.
When an employee logs into work using a coffee shop’s free Wi-Fi, they’re putting your company’s data at risk. Unsecured internet networks, such as those in public spaces like airports and cafes, are often targeted by attacks. Hackers can intercept traffic coming to and from your employee’s device and use it to infiltrate your company’s systems.
A strong BYOD policy and security approach can help mitigate the rise of shadow IT and protect company data used on personal devices. Here’s a deeper look into some of the key challenges to implementing BYOD security, and how organizations can address these challenges with the right tools.
6 BYOD security best practices
Fortunately, the liabilities outlined above can all be addressed with these BYOD security best practices.
Define your BYOD policy
Shadow IT arises for two reasons: personal devices are easier to use than company-approved tech, and there’s little to no guidance on BYOD limitations. Your BYOD policy can help address the latter root cause of shadow IT.
Implement a BYOD policy that accomplishes the following objectives.
- Outlines what specific devices are permitted, including laptops, tablets, mobile phones, and any other connected devices. Be clear and detailed: can employees use both Apple and Android devices? Will you support devices that were released in 2015 or earlier?
- Outlines what apps are permitted, including social media platforms, email applications, VPNs, and other cloud programs. For any devices that will connect to your organization’s network, decide whether employees can install and use applications that may present a security or legal risk on the same device.
- Creates an acceptable use policy to help employees understand what actions are risky on company-connected devices. For instance, CIO suggests answering questions such as, “If you set up a VPN tunnel on an iPhone and then your employees post to Facebook, is this a violation?”
Each organization’s BYOD policy will be different according to the regulations governing your industry and business operations. Bottom line: use this policy to make it clear to employees which devices are OK to use, how to use them appropriately, and what steps they need to take to make sure their devices are secure and compliant. For good measure, make sure to enable employees by educating them about policies whenever possible.
Create an MDM action plan
Organizations that allow BYOD need to implement a strong mobile device management (MDM) strategy and action plan. An MDM puts into practice the rules outlined in your BYOD policy. This plan includes the use of tools like data or device encryption, remote wiping capabilities, geofencing, and geolocation, as well as IT support for addressing issues along the way.
Your MDM plan should define both support options and recovery in the event a device is compromised. “It’s important for employees to understand the boundaries when questions or problems creep up with personal devices,” wrote CIO.
Let employees know what their service options are if a device isn’t functioning properly or needs updating. Does your IT team support broken devices, or do you have a preferred third-party who can fix them? Will your help desk provide guidance for updating software? Does your organization offer a loaner device when a personal device used for professional work needs to be fixed?
In addition, your MDM should outline the security requirements for keeping information secure. Require employees to use some biometric authentication methods (like a thumbprint) and a strong password to unlock their devices. When a device is stolen, make sure your employee immediately lets your IT team know so they can wipe or lock down the device.
Improve device visibility
IT teams need a way to track BYOD usage and reduce the risk of shadow IT. Implement tools and platforms that enable the organization to track how users and apps are accessing business information, as well as using and transferring data on personal devices. Real-time monitoring is an important part of data visibility—which, in turn, benefits both the productivity and the security of the organization.
Regularly update software and operating systems
Make sure your employees are keeping their software up-to-date. Limit what apps an employee can download if they’re using their main device for work. Malicious apps are one of the easiest ways hackers and malware compromise your system. “TechCrunch reports that some of the confirmed malicious apps included titles such as ‘Pokémon Go Ultimate,’ ‘Guide & Cheats for Pokémon GO,’ and ‘Install Pokémongo,’ in order to appeal to fans of the game.”
Secure each device’s connection
Ask employees to download and use a VPN on all their devices. You can also offer a data package that allows employees to tether, or hotspot, their laptop’s internet connection to a mobile device. These options offer a more secure way to get connected. In addition, encrypt every device’s emails, messages, and photos.
Implement the right tools
Without the right tools, a BYOD program can easily become too labor-intensive to manage manually. IT teams need automated monitoring and management solutions to help enroll, secure, and monitor devices on an ongoing basis. Consider options that:
- Automatically enroll devices: look for tools that configure new devices and provide real-time troubleshooting without the need for a service desk team member to get involved.
- Automatically vet apps: automate the request and approval process for team members who need to download new apps and software by pre-vetting certain tools.
- Implement real-time cloud data loss prevention: use a DLP solution that monitors cloud programs on personal devices to flag instances where data is shared insecurely.
There are dozens of tools out there that can help IT create a layered approach to device security.
Meeting BYOD security risks
Hacking, malware, and data leakage are the biggest BYOD security risks. Bad actors take advantage of unsecured devices, networks, and malicious apps to mine personal devices for company information. A robust MDM approach — or a more modern unified endpoint management approach — is critical to minimizing the risks associated with BYOD.
The pandemic has dramatically increased the number of devices (entry points) through which a hacker could infiltrate a company’s systems. As users add apps like Zoom and Slack to their personal devices, it’s becoming easier to target valuable customer and organizational data stored on cloud platforms. Endpoint security can help — but it’s just one piece of the holistic cybersecurity picture. Endpoint security solutions lack visibility into cloud applications such as Slack and Google Workspace.
Cloud data loss protection layers with endpoint security to help reduce the risk of a BYOD policy. Nightfall is the industry’s first cloud-native DLP platform focused on discovering, classifying, and protecting data in the cloud. Our tool integrates directly with Slack, Jira, and other cloud service providers on the API level. Then, a machine learning function scans structured and unstructured data and its surrounding context. We can identify when data is at risk and alert your IT team to keep private, valuable data out of reach from hackers and malware.
Learn more about cloud DLP and setting up your organization for secure remote work in our complete 2021 Security Playbook for Remote-first Organizations.