11 challenges facing bring your own device (BYOD) policies

Meredith Kreisa|August 22, 2022

Bring your own device (BYOD) is a mixed blessing. On the one hand, it can save the company money and improve morale. On the other, it brings with it a whole host of potential problems.

According to one study by Cybersecurity Insiders, 82% of organizations allow BYOD to some extent. However, in the rush to adapt to this new era, companies have overlooked many critical factors. We’ll lay out the challenges of BYOD to help you brace yourself for the hurdles ahead.

What’s the history of BYOD?

Everything was so easy a decade back. Employees used company-issued computers, spoke on company-owned cell phones, and played by the IT department’s rules. People usually weren’t allowed to use their own laptops or mobile devices for work, which enabled IT teams to keep everything locked down.

But then, the mobile revolution happened. No longer content to use archaic computers and ancient communication devices, employees wanted to do both personal and business tasks on the same machines. So many companies began implementing BYOD policies, allowing workers to use whatever computer or phone they wanted.

11 challenges facing bring your own device (BYOD) policies


The most glaring negative of a BYOD policy is that when employees bring their own devices to work, the IT department loses almost all control over the hardware. Your sysadmins can’t dictate what apps or programs employees install, how they secure their devices, or what files they download.

And make no mistake: Employees download things to their personal devices that they’d never dream of keeping on a work computer. From questionable game apps to suspicious PDFs, you just don’t know what might be on there. Malware or viruses hidden in an employee’s files could spell disaster for your business when an infected device connects to the company network.

Lack of uniformity

Your employees may have either Apple or Android devices, and they may run on different operating systems or different versions of the same platform. This inconsistency can complicate collaboration and management.

Difficulty enforcing compliance

Certain industries, such as healthcare, have incredibly strict regulations about using and distributing information. Companies must comply with these policies and safeguard data appropriately, even if that data resides on an employee-owned device. Failure to do so can destroy customer trust and result in costly penalties.

Allowing employees to load confidential data onto their personal devices greatly increases the likelihood of compliance failure. The risks are numerous:

  • Employees may fail to appropriately secure confidential data outside the confines of the office.

  • Employees may accidentally share private data with those who do not have the right to see it.

  • If data isn’t secured properly and a device is lost or stolen, the company must take significant steps to ensure the data isn’t inappropriately accessed.

There are ways to enforce compliance on employee devices, but they are infinitely more complex than the methods for securing company-owned devices.

Data theft

Corporate data is a valuable target for hackers, and they know that employee-owned devices are an easy opportunity.

Personal applications that your employees use may have less stringent security, giving cybercriminals an inroad to your data. Some employees may also be more reckless with their personal devices, managing them poorly and/or connecting to unsecured Wi-Fi.

Adding to the risk, around 10% of users have their smartphones stolen, and 68% never recover their devices. Should you fail to establish a strong policy, whoever gets their hands on your employee’s phone may have access to valuable data.

Loss of data when an employee quits or is fired

It’s a company’s worst nightmare. A problem employee quits or is fired, taking with them thousands of valuable or even confidential files. Suddenly, the company must scramble to retrieve the data and hope that the rogue former employee doesn’t do something rash. 

While that employee most likely signed an agreement regarding the use of company data, there’s no guarantee that they’ll keep their end of the bargain in their disgruntled state. To prevent such events, companies must have plans in place to deal with these situations.

At some point, you may feel you need to search an employee’s device to find company data. The first problem is that without authorization, searching an employee-owned device could constitute trespass. What happens if, during that search, the IT department stumbles upon evidence that the employee has also been working on a project for a competitor?

This raises a host of hugely complex legal questions the company must navigate. Did the IT department have permission to search the device? Would the discovered data hold up in an arbitration case?

There are also other potential legal concerns:

  • If the employee is fired and the company wipes their iPad, is the company liable if it accidentally erases personal data in the process?

  • What if the company finds evidence of a crime on an employee’s personal device? Would that evidence hold up in court?

  • What if law enforcement seizes an employee’s personal device as part of an investigation? What happens to company data?

Moreover, customers or business partners may bring lawsuits if a data breach occurs.

To avoid these legal nightmares, companies must have crystal clear BYOD policies in place to protect them, their employees, and their customers. Failure to implement these policies can lead to massive legal headaches and significant expenses.

Rogue devices

It’s not unusual for tech-savvy individuals to customize their devices — sometimes to the extreme. Jailbroken iPhones have been around for almost as long as the phone itself, and the process allows users to install apps unavailable to normal users. While Macs have a reputation for being secure, they are not immune to threats.

These rogue devices also present problems for companies. Are they covered under BYOD policies? What if a user accidentally downloads malware onto a customized phone, which then compromises company data? How do you handle that?

Reduced productivity

BYOD advocates have argued that using personal devices increases employee productivity. In some cases, that might be true. But allowing employees to bring their own devices could also significantly hurt productivity.

Yes, that brand new iPhone has some excellent business apps, but it also has TikTok, Snapchat, Instagram, Facebook, YouTube, and a thousand other distractions. It’s incredibly easy for employees to get sucked into the endless black hole of texting, scrolling through their FYPs, and drooling over the latest viral recipes.

Lack of employee training

An estimated 82% of data breaches involve a human element. Regardless of your BYOD policy, your employees are likely your business’s most significant cybersecurity threat. That said, allowing them to use personal devices at work inherently amplifies the risk. Comprehensive and regular cybersecurity training is essential. You should equip your staff with the skills they need to recognize the signs of an attack and react appropriately. If they use personal devices for work purposes, training should also establish what policies and procedures carry over across company- and employee-owned devices.

Shadow IT

Shadow IT operates outside the company’s designated IT department. It occurs when employees use unauthorized hardware or software. The IT team could even be oblivious to the issue. Employees may purchase consumer products, inadvertently opening the company up to greater risk. They might bring in an unapproved USB drive, download consumer-grade software, or engage in other behaviors that jeopardize system security.

Poor mobile management

Applying effective mobile management is infinitely more complicated in a BYOD environment, but your IT team needs at least some level of control. If an employee loses their device or leaves the company, your IT team should be able to reset passwords and wipe company data. You should also be able to determine which device is responsible should a security incident occur. Mobile device management (MDM) solutions are the easiest way to update and monitor devices. However, some organizations prefer to use mobile application management (MAM) software for BYOD devices to focus exclusively on corporate data and applications.

With the surge in hybrid work models, BYOD is increasingly difficult to avoid. Like it or not, many employees use their personal devices for work regardless of whether you officially approve it. Establish clear, responsible, and easily understandable BYOD policies and implement an effective MDM solution to protect your business. With great power comes great responsibility, and companies must ensure their employees use their power wisely.

SimpleMDM enables Apple-based BYOD setups with intuitive, reliable device management. Sign up for a free 30-day trial to see how it works in your environment. For more information on maintaining Mac devices, keep reading the SimpleMDM blog.

Meredith Kreisa

Part writer, part sysadmin fangirl, Meredith gets her kicks diving into the depths of IT lore. When she's not spending quality time behind a computer screen, she's probably curled up under a blanket, silently contemplating the efficacy of napping.
