Common and preventable flaws with BYOD policies

Whilst you may not be familiar with the acronym BYOD, there’s a good chance that you’re aware of the practice that spawned it: employees bringing their personal devices to work and using them to carry out various tasks in their roles, a custom christened ‘bring your own device’.

Such practices are, in many respects, beneficial to employers: they reduce outgoings, indirectly generate a more skilled workforce and, surprisingly, BYOD workplaces are 34% more productive than their ‘our-device-only’ counterparts [1]. They also greatly benefit employees, with a 2016 study conducted by Cisco having revealed that employees at BYOD organisations report improved work-life balance [2].

BYOD, then, lowers operational costs, brings about greater efficiencies and keeps employees happy. For all the benefits it yields, though, it can generate considerable gaps in an organisation’s cyber security solutions if it is not teamed with a robust policy and endpoint management software.

Author: Chris Flynn, Product Manager

Implementing a BYOD policy

Draconian as it may seem, employees that wish to use their own smartphones, laptops etc. at work must be willing to provide their employers with some degree of control or monitoring over relevant devices. They must also be made aware of the type of access and the additional responsibilities that come with using a personal device at work.

Accordingly, any company that allows staff to use their own devices must develop and implement a policy governing BYOD practice. The document in question should state how each new endpoint will be managed as well as clearly and unambiguously describe reasonable steps the employee must undertake to maintain the security of their device.

We see many organisations implementing policies that not only demand certain security levels, such as complex passwords, but also manage and monitor each device's access to various parts of the network. Some devices may only need Wi-Fi access and certain file server information, and this can be managed granularly through most industry-leading mobile device management platforms.

Typically, a BYOD policy will stipulate that administrators can remotely update security settings by patching bugs, updating spam filters etc. It should also – we would strongly advise – state what overseers will not do; employees, understandably, will still expect privacy, and allaying any concerns they may have within official company policy will put their minds at ease.

Additionally, it is advisable that the policy states practicable ways employees can protect both their devices – and the company as a whole – from cyber crime. This would include taking no action on and reporting suspicious emails, visiting only secure websites (those using HTTPS protocols) and not saving company credentials to the device’s temporary or permanent memory. It would also be prudent to provide all employees with some cyber security training to complement your policy.

The importance of managing endpoints

Every time a new device is added to a network, vulnerabilities are generated. When the device in question is one that an employee also uses outside of work, these risks are amplified. Operating systems are less likely to be updated and anti-virus software and spam filters – if present – are certain to be inferior to industry-level solutions. With various forms of malware, trojans and other types of virus becoming ever more prominent, it would even be wise to presume devices are already compromised and to analyse them before allowing them to join your network, lest you risk all devices present becoming infected.

Imagine your business’s network as a building and a new endpoint as an additional window or door being constructed. Each time an endpoint is added, a potential entry point that must be secured is simultaneously created. Each device must be scanned and cleansed before being added to a network in order to ensure it does not generate an exploitable gap – such as a window that does not close – as a result. As cyber criminals will find new and previously unidentified avenues to exploit, all devices must also be monitored and updated as necessary moving forward.

To ease the considerable administrative burden of maintaining endpoint security within BYOD environments, specialist software can be used to manage and update all networked endpoints from one single location.

Protect your business’s data

The data that organisations create is often integral to their day-to-day practices and ensuring that it is regularly backed up as part of a continuity plan is essential. Following the introduction of GDPR, it’s also vital that any data that leaves business premises is adequately protected. Whilst both of these factors should inform BYOD policies, however, both are regularly overlooked.

In the era of big data, even what appears to be the most innocuous piece of information can contain valuable insight. Furthermore, as discussed previously, all salient data must be backed up and, as all digital information must be analysed before an organisation can determine what can be purged, all data generated by all devices – including those that employees also use for personal reasons – must be backed up in accordance with company procedures.

GDPR legislation, which came into force on the 25th May 2018, also clearly states that company data that is taken off business premises must be encrypted. Failing to adhere to these requirements not only places the security of your organisation at risk, but also your reputation and financial stability: flouting GDPR can result in fines of up to €20 million or 4% of annual global turnover, with whichever generates the larger fine being the option the relevant authorities will select.

In short, the need to back up any data created on personal devices – as well as encryption requirements – must be addressed within a BYOD policy.

Address your greatest vulnerability

Studies have revealed that 80% of cyber breaches can be attributed to human error [3]. To put it another way, allowing BYOD provides the greatest risk to your organisation’s cyber security with round-the-clock access to endpoints associated with your network.

This, of course, is partially addressed by remote patching/updating that will be enabled by employees having consented to your BYOD policy. It’s important to add, though, that providing employees with cyber security training – and complementing this with device management – is the most effective means of addressing your biggest security concern.

Conclusion

Whilst the BYOD trend can bring about numerous benefits, it can quickly generate gaps in an organisation’s cybersecurity if the various endpoints are not managed correctly.

Any business that allows its employees to use their personal devices for work purposes must team this with a robust and well-thought-out BYOD policy that clearly communicates what the organisation will do to maintain the security of employees’ devices, that provides employees with guidelines relating to their own responsibilities and that addresses data concerns in terms of backup and encryption. We also steer our clients towards supplementing the introduction of such a policy with cyber security training for their staff.

Primarily, control and management of multiple fleet devices is time-consuming and can be a significant administrative burden. With industry-leading consultancy and software on offer, ROCK can assist any company that is concerned about device fleet management.

References:
  1. Insights (2016) Employees Say Smartphones Boost Productivity by 34 Percent: Frost & Sullivan Research. Available at https://insights.samsung.com/2016/08/03/employees-say-smartphones-boost-productivity-by-34-percent-frost-sullivan-research/ [accessed on 28/11/19]
  2. Cisco (2015) Why aren’t you investing in BYOD? Available at https://www.cisco.com/c/dam/en/us/solutions/collateral/byod-smart-solution/byod-aag-c45-737567.pdf [accessed on 04/12/19]
  3. Kaspersky (2020) Kaspersky Security Awareness. Available at https://www.kaspersky.co.uk/enterprise-security/security-awareness [accessed on 07/12/19]
