Featured Article – Bring Your Own Device (BYOD)
In this article, we look at why bring your own device (BYOD) is still popular and we look at some of the risks businesses face by allowing BYOD.
BYOD has been around since 2004 and essentially allows employees to bring in their personally owned laptops, tablets, and smartphones to work and use them to access company information and applications and solve work problems. There are other variants of BYOD whereby the business or organisation owns the device or the app container that the devices apps work in, and these are outlined later in this article.
How Popular is BYOD?
The BYOD and enterprise mobility market size has been estimated to reach USD $73.30 Billion by 2021 (marketsandmarkets.com). A 2018 survey (Statista) found that 45 per cent of UK businesses have BYOD, but this figure is much higher in certain businesses and industries e.g. 60 per cent of finance or insurance firms.
There are many benefits to be gained by allowing staff to use their own devices for work purposes. These include:
– Productivity. Employees often work faster (with less training needed) using their own devices and, therefore, becoming more productive.
– Costs savings. For example, a much-quoted Cisco report from 2016 estimated that with a BYOD policy in place, companies save an average of $350 per year.
– Speed. It has been estimated that using portable devices for work can save employees 58 minutes per day (Samsung + Frost and Sullivan).
– Convenience. Most people now bring at least their own smartphone to work and, for example, LaptopsDirect research found that 84 per cent of British employees use their smartphones at work. The same research showed that those in the marketing, information and communications, creative and photographic industries and in professional services are the top smartphone users.
– Harnessing the skills of tech-savvy employees.
– Innovation by finding new, better, and faster ways of getting work done.
– Improved morale and employee satisfaction, and productivity gains.
– Reduced IT Dependence. BYOD typically means fewer IT-related issues for the business to deal with, therefore saving on IT resources.
– Reliance over time. Many businesses, particularly smaller businesses, have come to rely on the fact that employees own devices are available for work use.
Risks and Threats
There are, of course, a number of security risks and threats associated with introducing BYOD. These include:
– The likelihood of more security incidents. For example, a Paymentsense study, involving more than 500 UK SMEs found a direct correlation between the introduction of a BYOD policy and cyber-security incidents. 61 per cent of the SME’s said that they had experienced a cyber-security incident since introducing a BYOD policy. The kinds of security risks related to BYOD include:
– The loss or theft of personal devices. This can also impact upon productivity.
– Not keeping personal devices, programs and patches up to date, thereby risking the exploitation of known security vulnerabilities.
– Not having adequate security on personal devices.
– A lack of monitoring of personal devices, thereby risking a spread of malware to company systems and networks.
– Straying into areas of stealth/shadow IT that may be risky and outside of approved guidelines. ‘Stealth IT’ refers to where employees go outside of the company’s central IT control and set up their own infrastructure, without organisational approval or oversight, often motivated by the need to work around the shortcomings of central IT systems. The lack of oversight and therefore, management of stealth IT infrastructures can put corporate data, service continuity, and businesses at risk of cyber-attacks, breaches, data theft, fines and more.
– Malicious exfiltration of data. This can happen when users accidentally consent to access by malicious applications and allow the leaking of potentially sensitive company data.
Types of BYOD
There are variations in BYOD modes that companies can adopt with different levels of control. These include:
– Corporately owned/managed, personally enabled (COPE). This is where the business takes full management control of the device and allows personal use in approved situations. This mode can work with Android and iOS (wiped beforehand).
– Choose your own device (CYOD). With this idea, employees can choose from a range of equipment purchased by the company, but any private use is subject to the strict conditions of the company’s policy.
– Personally owned, partially enterprise managed. This mode allows the enforcement of some policies for device-wide configuration and corporate data protection, although users can still change the security settings of the device, thereby injecting some risk.
– Personally owned, with managed container application. With this mode, employees work on their own device, but all within one or several container applications provided by a third party. Management can take place using Mobile Application Management (MAM) i.e. software and services that can provide controls at the application level. MAM, therefore, manages the provisioning and controlling access to mobile apps used in business settings for BYOD. The container apps help to isolate corporate data from the user’s personal applications and allow for some monitoring of the device.
Training and Devices
Introducing BYOD with certain devices provided by the company may mean that there is a need for training of employees in the use of the devices, either in-house or via a third-party training supplier.
It is also important for businesses to choose mobile devices for BYOD that are compatible with (and are easily able to support) the work that they are required for. For example, companies may choose/favour a specific device e.g. the latest Apple iPhone, because it offers security, flexibility, and capacity, and has features similar to a laptop or tablet.
Important ways in which companies manage the introduction and running of BYOD include:
– Assess and understand the risks of BYOD (many of which are listed above).
– Develop a clear BYOD policy that works for both the business and the employee.
A BYOD policy typically covers areas like:
– Permitted and not permitted tasks with personal devices e.g. submitting expenses but not sending emails.
– Services/business areas that can be accessed by personal devices e.g. booking holidays.
– Control limits over devices e.g. whether they can be accessed and wiped remotely by managers.
– Enforcement measures. Part of this may involve the technical spec controls for devices. These controls could specify the type of access allowed (apps and browsers), minimum hardware and software standards, what policies can be enforced, security specifications e.g. multi-factor authentication, where the boundaries of restricted access are, and where enforcement will take place e.g. at an authentication service, the network firewall, or on specific services.
There are many online resources providing guidance and help with BOYD. For example, both Microsoft and Google have provided online guidance for BYOD:
Also, there is the UK National Cyber Security Centre guide.
Solutions and Software
There are also many different solutions and software options to enable the management of BYOD. These include CrowdStrike Falcon for mobile, SolarWinds RMM, ManageEngine Mobile Device Manager Plus, AirWatch Workspace One, and more.
BYOD is often a balance or trade-off between improved productivity and security risks. Companies need to fully assess the risks, challenges, and cost implications before considering embarking on BYOD and having a clear, detailed policy that is widely communicated and supported by appropriate and effective enforcement is a vital element.
The pandemic (forcing staff to work from home) has reminded those businesses allowing BYOD how important effective management of the policy is and has made many other businesses take a closer look at the potential areas of risk when employees work off-site, and added new challenges, but has also demonstrated that other ways of working with IT can still bring productivity and results.