Bring your own device (BYOD) is a mixed blessing. On the one hand, it can save the company money and improve morale. On the other, it brings with it a whole host of potential problems. Knowing what BYOD challenges you may face can help you tackle them head-on and increase the effectiveness of your BYOD program.
According to one study by Cybersecurity Insiders, 82% of organizations allow BYOD to some extent. However, in the rush to adapt to this new era, companies often overlook critical factors. We’ll lay out the common BYOD risks to help you prepare.
A brief history of bring your own device
Everything was so easy a decade back. Employees used company-issued computers, spoke on company-owned cell phones, and played by the IT department’s rules. People usually weren’t allowed to use their own laptops or mobile devices for work, which enabled IT teams to keep everything locked down.
But then, the mobile revolution happened. No longer content to use archaic computers and ancient communication devices, employees wanted to do both personal and business tasks on the same machines. As a result, many companies began implementing BYOD policies, allowing workers to use whatever personal phone or computer they wanted.
The most glaring negative of a BYOD policy is that the IT department loses almost all control over the hardware. Your sysadmins can’t fully dictate what apps or programs employees install, how they secure their devices, or what files they download.
And make no mistake: Employees download things to their personal devices that they’d never dream of keeping on a work computer. From questionable game apps to suspicious PDFs, you just don’t know what might be on there. Malware or viruses hidden in an employee’s files could spell disaster for your business when an infected BYOD device connects to the company network.
Lack of uniformity
Your employees may have either Apple or Android devices, and each may run on a different operating system or a different version of the same OS. This inconsistency can complicate collaboration and management.
Certain industries, such as healthcare, have incredibly strict regulations about using and distributing information. Companies must comply with these policies and safeguard sensitive data appropriately, even if that data resides on an employee-owned device. Failure to do so can destroy customer trust and result in costly penalties.
Allowing an employee to load confidential data onto their personal device greatly increases the likelihood of compliance failure. The risks are numerous:
Employees may fail to appropriately secure confidential data outside the confines of the office.
Employees may accidentally share private data with those who do not have the right to see it.
If data isn’t secured properly and a device is lost or stolen, the organization must take significant steps to ensure the data isn’t inappropriately accessed.
There are ways to enforce compliance on employee devices, but they are infinitely more complex than the methods for securing corporate devices.
Corporate data is a valuable target for hackers, and they know that employee-owned devices are an easy opportunity for a mobile security breach.
Personal applications that your employees use may have less stringent security, giving cybercriminals an inroad to your data. Some employees may also be more reckless with their personal devices, managing them poorly and/or connecting to unsecured Wi-Fi. Any lax personal use increases the information security risk.
Adding to the risk, around 10% of users have their smartphones stolen, and 68% never recover their devices. Should you fail to establish a strong BYOD security policy, whoever gets their hands on your employee’s phone may have access to valuable data.
Loss of data when an employee leaves
It’s a company’s worst nightmare. A problem employee quits or is fired, taking with them thousands of valuable or even confidential files. Suddenly, the company must scramble to retrieve the data and hope that the rogue former employee doesn’t do something rash.
While that employee most likely signed an agreement regarding using company data, there’s no guarantee that they’ll keep their end of the bargain in their disgruntled state. To prevent such events, companies must have plans in place to deal with these situations.
Potential legal issues
At some point, you may feel you need to search an employee device to find company data. The first problem is that without authorization, searching an employee-owned device could constitute trespass. And what happens if, during that search, the IT department stumbles upon evidence that the employee has also been working on a project for a competitor?
This raises a host of hugely complex legal questions the company must navigate. Did the IT department have permission to search the device? Would the discovered data hold up in an arbitration case?
There are also other potential legal concerns:
What are your legal responsibilities with regard to employee privacy?
If the employee is fired and the company wipes their iPad, is the company liable if it accidentally erases personal data in the process?
What if the company finds evidence of a crime on an employee’s personal device? Would that evidence hold up in court?
What if law enforcement seizes an employee’s personal device as part of an investigation? What happens to company data?
Moreover, customers or business partners may bring lawsuits if a data breach occurs.
To avoid these legal nightmares, companies must have crystal clear BYOD policies in place to protect them, their employees, and their customers. Failure to implement these policies can lead to massive legal headaches and significant expenses.
It’s not unusual for tech-savvy individuals to customize their devices — sometimes to the extreme. Jailbroken iPhones have been around for almost as long as the phone itself, and the process allows users to install apps unavailable to normal users. While Macs have a reputation for being secure, they are not immune to threats.
These rogue devices also present BYOD security challenges. Are they covered under BYOD policies? What if a user accidentally downloads malware onto a customized phone, which then compromises company data? How do you handle that?
BYOD advocates have argued that using personal devices increases employee productivity. In some cases, that might be true. But allowing employees to bring their own devices could also significantly hurt productivity.
Yes, that brand new iPhone has some excellent business apps, but it also has TikTok, Snapchat, Instagram, Facebook, YouTube, and a thousand other distractions. It’s incredibly easy for employees to get sucked into the endless black hole of texting, scrolling through their FYPs, and drooling over the latest viral recipes. And while employees enjoy some me time on the corporate network, they’re misusing valuable bandwidth in addition to company time and jeopardizing network security.
Lack of employee training
Comprehensive and regular BYOD security training is essential. You should equip your staff with the skills they need to recognize the signs of an attack and react appropriately. If they use personal devices for work purposes, training should also establish which policies and procedures apply to both company- and employee-owned devices.
Shadow IT operates outside the company’s designated IT department. It occurs when employees use unauthorized hardware or software. The IT team could even be oblivious to the issue. Employees may purchase consumer products, inadvertently opening the company up to greater risk. They might bring in an unapproved USB drive, download consumer-grade software, or engage in other behaviors that jeopardize system security.
Poor mobile management
Applying effective mobile management is infinitely more complicated in a BYOD environment, but your IT team needs at least some level of control. If an employee loses their mobile device or leaves the company, your IT team should be able to reset passwords and wipe company data. You should also be able to determine which personally owned device is responsible should a BYOD security incident occur.
Mobile device management (MDM) solutions are the easiest way to update and monitor devices. However, some organizations prefer to use mobile application management (MAM) software for BYOD devices to focus exclusively on corporate data and applications.
Fun fact: Most employees have no interest in damaging their devices or your company. Cluelessness is the root of many problems. Implementing a detailed bring your own device policy can clear up much of the confusion and set up employees for BYOD success. Don’t get us wrong: Some BYOD users still mess up even if you hold their hand, gently guide them, and offer them an ice cream for good behavior. But you should at least give your more diligent employees every opportunity to excel.
In case you didn’t notice the common theme here, device security is the paramount BYOD challenge. BYOD security risks include most of the same dangers you’ll find in any enterprise mobility management scenario. That’s why a BYOD program should include appropriate security measures, including a BYOD risk assessment, a mobile device security policy, appropriate endpoint security solutions, and security awareness training.
With the surge in hybrid work models, BYOD is increasingly difficult to avoid. Like it or not, many employees use their personal devices for work regardless of whether you officially approve it. Establish clear, responsible, and easy-to-understand BYOD best practices and implement an effective MDM solution to protect your business. With great power comes great responsibility, and companies must ensure their employees wield their power wisely.