Sign up to receive updates for the latest tech thought leadership insights, videos, and podcasts.
Whilst you may not be familiar with the acronym BYOD, there’s a good chance that you’re aware of the practice that spawned it: employees bringing their personal devices to work and using them to carry out various tasks in their roles. A custom christened ‘bring your own device’.
Such practices are, in many respects, beneficial to employers: they reduce outgoings, indirectly generate a more skilled workforce and, surprisingly, BYOD workplaces are 34% more productive than their ‘our-device-only’ counterparts.1 They also greatly benefit employees, with a 2016 study conducted by Cisco having revealed that employees at BYOD organisations report improved work-life balance.2
BYOD, then, lowers operational costs, brings about greater efficiencies and keeps employees happy. For all the benefits it yields, though, it can generate considerable gaps in an organisation’s cyber security solutions if it is not teamed with a robust policy and endpoint management software.
Draconian as it may seem, employees that wish to use their own smartphones, laptops etc. at work must be willing to provide their employers with some degree of control or monitoring over relevant devices. They must also be made aware of the type of access and the additional responsibilities that come with using a personal device at work.
Accordingly, any company that allows staff to use their own devices must develop and implement a policy governing BYOD practice. The document in question should state how each new endpoint will be managed as well as clearly and unambiguously describe reasonable steps the employee must undertake to maintain the security of their device.
We see many organisations implementing policies that demand certain security levels, including complex passwords as part of the policy, but also manage and monitor it's access to various parts of the network. Some devices may only need Wi-Fi access and certain file server information, and this can be managed granularly through most industry-leading mobile device management platforms.
Typically, a BYOD policy will stipulate that administrators can remotely update security settings by patching bugs updating spam filters etc. It should also – we would strongly advise – state what overseers will not do; employees, understandably, will still expect privacy and allaying any concerns they may have within official company policy will put their minds at ease.
Additionally, it is advisable that the policy states practicable ways employees can protect both their devices – and the company as a whole – from cyber crime. This would include taking no action on and reporting suspicious emails, visiting only secure websites (those using HTTPS protocols) and not saving company credentials to the device’s temporary or permanent memory. It would be prudent to provide all employees with some cyber security training to complement your policy, also.
Every time a new device is added to a network, vulnerabilities are generated. When the device in question is one that an employee also uses outside of work, these risks are amplified. Operating systems are less likely to be updated and anti-virus software and spam filters – if present – are certain to be inferior to industry-level solutions. With various forms of malware, trojans and other types of virus becoming ever more prominent, it would even be wise to presume devices are already compromised and analysing them before allowing them to join your network, lest you risk all devices present becoming infected.
Imagine your business’s network as a building and a new endpoint as an additional window or door being constructed. Each time an endpoint is added, a potential entry point, that must be secured, is simultaneously created. Each device must be scanned and cleansed before being added to a network in order to ensure it does not generate an exploitable gap – such as a window that does not close – as a result. As cyber criminals will find new and previously unidentified avenues to exploit, all devices must also be monitored and updated as necessary moving forward.
To ease the considerable administrative burden of maintaining endpoint security within BYOD environments, specialist software can be used to manage and update all networked endpoints from one single location.
The data that organisations create is often integral to their day-to-day practices and ensuring that it is regularly backed up as part of a continuity plan is essential. Following the introduction of GDPR, it’s also vital that any data that leaves business premises is adequately protected. Whilst both of these factors should inform BYOD policies, however, both are regularly overlooked.
In the era of big data, even what appears to be the most innocuous piece of information can contain valuable insight. Furthermore, as discussed previously, all salient data must be backed up and, as all digital information must be analysed before an organisation can determine what can be purged, all data generated by all devices – including those that employees also use for personal reasons – must be backed up in accordance with company procedures.
GDPR legislation, which came into force on the 25th May 2018, also clearly states that company data that is taken off business premises must be encrypted. Failing to adhere to these requirements not only places the security of your organisation at risk, but also your reputation and financial stability: flouting GDPR can result in fines of up to €20 million or 4% of annual global turnover, with whichever generates the larger fine being the option the relevant authorities will select.
In short, the need to backup any data created on personal devices – as well as encryption requirements – must be addressed within a BYOD policy.
Studies have revealed that 80% of cyber breaches can be attributed to human error.3 To put it another way, allowing BYOD provides the greatest risk to your organisation’s cyber security with round-the-clock access to endpoints associated with your network.
This, of course, is partially addressed by remote patching/updating that will be enabled by employees having consented to your BYOD policy. It’s important to add, though, that providing employees with cyber security training – and complementing this with device management – is the most effective means of addressing your biggest security concern.
Whilst the BYOD trend can bring about numerous benefits, it can quickly generate gaps in an organisation’s cybersecurity if the various endpoints are not managed correctly.
Any business that allows its employees to use their personal devices for work purposes must team this with a robust and well-thought-out BYOD policy that clearly communicates what your organisation will do to maintain the security of employee’s devices, that provides employees with guidelines relating to their own responsibilities and addresses data concerns in terms of backup and encryption. We also steer our clients towards supplementing the introduction of such a policy with cyber security training for your staff.
Primarily, control and management of multiple fleet devices is time consuming and can be a significant administrative burden. With industry leading consultancy and software on offer, ROCK can assist any company that is concerned about device fleet management.