Common and preventable flaws with BYOD policies

Whilst you may not be familiar with the acronym BYOD, there’s a good chance that you’re aware of the practice that spawned it: employees bringing their personal devices to work and using them to carry out various tasks in their roles. The practice has been christened ‘bring your own device’.

Such practices are, in many respects, beneficial to employers: they reduce outgoings, indirectly generate a more skilled workforce and, surprisingly, BYOD workplaces are 34% more productive than their ‘our-device-only’ counterparts [1]. They also greatly benefit employees, with a 2016 study conducted by Cisco having revealed that employees at BYOD organisations report improved work-life balance [2].

BYOD, then, lowers operational costs, brings about greater efficiencies and keeps employees happy. For all the benefits it yields, though, it can generate considerable gaps in an organisation’s cyber security solutions if it is not teamed with a robust data security policy and endpoint management software.

Implementing a BYOD policy

Draconian as it may seem, employees that wish to use their own smartphones, laptops etc. at work must be willing to provide their employers with some degree of control or monitoring over relevant devices. They must also be made aware of the type of access controls and the additional responsibilities that come with using a personal device at work.

Accordingly, any company that allows staff to use their own devices must develop and implement a policy governing BYOD practice. The document in question should state how each new endpoint will be managed and unambiguously describe reasonable steps the employee must undertake to maintain the security of their device.

Typically, a BYOD policy will stipulate that administrators can remotely update security measures, for example by patching bugs and updating spam filters. It should also, we would strongly advise, state what overseers will not do; employees will understandably still expect privacy, and allaying any concerns they may have within official company policy will put their minds at ease.

Additionally, it is advisable that the policy states practicable ways employees can protect both their devices – and the company as a whole – from cybercrime. This would include taking no action on suspicious emails other than reporting them, visiting only secure websites (those served over HTTPS) and not saving company credentials to the device’s temporary or permanent storage. It would also be prudent to provide all employees with some cyber security training to complement your policy.

The importance of managing endpoint security

Every time a new device is added to a network, vulnerabilities are generated. When the device in question is one that an employee also uses outside of work, the risk of cyber attack is amplified. Operating systems are less likely to be updated, and anti-virus software and spam filters – if present – are certain to be inferior to industry-level solutions.

With malware of all kinds, trojans and viruses included, becoming ever more prominent, it would even be wise to presume devices are already compromised and analyse them before allowing them to join your network, lest you risk every device present becoming infected.

Imagine your network as a building and a new endpoint as an additional window or door being constructed. Each time an endpoint is added, a potential entry point that must be secured is simultaneously created.

Each device must be scanned and cleansed before being added to a network in order to ensure it does not generate an exploitable gap – such as a window that does not close – as a result. As cybercriminals will find new and previously unidentified avenues to exploit, all devices must also be monitored and updated as necessary moving forward.

To ease the considerable administrative burden of maintaining endpoint security within BYOD environments, specialist software can be used to manage and update all networked endpoints from one single location.

Protect your business’s data

The data that organisations create is often integral to their day-to-day practices, and ensuring that it is regularly backed up as part of a continuity plan is essential. Following the introduction of GDPR, it’s also vital that any data that leaves business premises is adequately protected. Whilst both of these factors should inform BYOD policies, both are regularly overlooked.

In the era of big data, even what appears to be the most innocuous piece of information can contain valuable insight. Furthermore, as discussed previously, all salient data must be backed up. Since all digital information must be analysed before an organisation can determine what can be purged, all data generated by all devices – including those that employees also use for personal reasons – must be backed up in accordance with company procedures.

GDPR legislation, which came into force on the 25th of May 2018, also clearly states that company data that is taken off business premises must be encrypted. Failing to adhere to these requirements places not only the security of your organisation at risk but also your reputation and financial stability: flouting GDPR can result in fines of up to €20 million or 4% of annual global turnover, whichever is greater.

In short, the need to back up any data created on personal devices – as well as encryption requirements – must be addressed within a BYOD policy.

Address your greatest vulnerability

Studies have revealed that 80% of cyber breaches can be attributed to human error [3]. To put it another way, allowing BYOD provides the greatest risk to your organisation’s cyber security, with round-the-clock access to endpoints associated with your network.

This, of course, is partially addressed by the remote patching and updating that employees will have enabled by consenting to your BYOD policy. It’s important to add, though, that providing employees with cyber security training – and complementing this with device management – is the most effective means of addressing your biggest security concern.

Conclusion

Whilst the BYOD trend can bring about numerous benefits, it can quickly generate gaps in an organisation’s cybersecurity if the various endpoints are not managed correctly.

Any business that allows its employees to use their personal devices for work purposes must team this with a robust and well-thought-out BYOD policy that clearly communicates what the organisation will do to maintain the security of employees’ devices, provides employees with guidelines relating to their own responsibilities, and addresses data concerns in terms of backup and encryption. We also steer our clients towards supplementing the introduction of such a policy with cyber security training for their staff.

Above all, control and management of a fleet of devices is time-consuming and can be a significant administrative burden. With industry-leading consultancy and software on offer, ROCK can assist any company that is concerned about device fleet management.

References
  1. Insights (2016). Employees Say Smartphones Boost Productivity by 34 Percent: Frost & Sullivan Research.
  2. Cisco (2015). Why aren’t you investing in BYOD?
  3. Kaspersky (2020). Kaspersky Security Awareness.

© 2022 ROCK. All rights reserved.