This blog was written by a third party author
What is bring your own device (BYOD)?
Bring your own device (BYOD) describes the practice of using a personal device such as a smartphone or tablet to conduct business on an organization's network or with its data. Organizations constantly walk a tightrope with their BYOD policies to balance employee productivity and satisfaction against the effective management of cybersecurity risks.
Early in the evolution of mobile devices, many enterprises were hesitant to officially sanction any personal device use on their networks due to numerous BYOD security concerns, including:
- Potential insecurity of devices and their threat as a malware vector on the network
- Amplification of insider threats from both malicious and negligent BYOD users
- Data breaches of personally identifiable information (PII) or intellectual property (IP) due to device loss or malware
This led to many draconian BYOD policy bans against personal devices on the network that often created a disconnect between employers and their workers. Employees were frustrated with having to carry around a work phone and a personal device on the road, with the limitations of outdated corporate devices, and with the inflexibility of not being able to use the tools they felt they needed to get their work done effectively.
In reaction to restrictive BYOD policies, many employees, managers, and even executives chose to find policy end-arounds, pushing a wave of shadow IT assets onto the network. These unmanaged devices often created more BYOD security problems than if an organization had found a way to develop more lenient BYOD polices and invested in the means to track and enforce how those devices were used to interact with network and applications.
How should an organization approach BYOD security?
Many organizations seeking to tackle shadow IT and enable digital transformation had already been working on transitioning to more flexible BYOD policies prior to 2020. With the world rocked by the radical shift to a suddenly remote workforce, business sustainability now mandates that nearly every organization accelerate the process of updating their BYOD security stance.
- COVID-19 closures pushed the incidence of U.S. full-time employees working from home from 33% to 61%
- From January to April 2020, access to the cloud by unmanaged, personal devices doubled
- 84% of organizations report they're likely to continue to support remote work flexibility long after stay-at-home orders are lifted
- 70% of large businesses believe remote work makes them more vulnerable to cyberattacks
These statistics indicate that the genie is now fully out of the bottle with regard to BYOD. Highly distributed workforces will not only be more prevalent moving forward, but the variety of personal endpoints that employees use to connect to corporate assets will also likely grow.
Security teams must contend with BYOD not just as a mobile phenomenon but also one that encompasses user-owned PCs, connected personal devices like smartwatches, and a full slate of other IoT devices.
As a result, BYOD security programs must be equipped to provide highly secure remote access to corporate data from any device, and any location. Similarly, effective BYOD security will require leveraging technology that can protect devices from malware and cyberattacks regardless of whether they're corporate-owned or BYOD.
Organizations should be also ready to enable secure browsing and enforce acceptable use policies, while maintaining employee privacy when using their own devices on their personal time.
Meantime, organizations should revisit their BYOD policies to ensure that they line up with business priorities and the organization's risk appetite. A BYOD policy should ideally cover:
- Which devices can or cannot connect to corporate assets?
- Rules of engagement for when and how devices can be used to transmit sensitive data, interact with corporate assets, or otherwise be used to conduct business
- Transparency and stipulations for how the company can make changes to the device or wipe its contents if it's lost or stolen
- Standards and requirements for installment of security, application management, and/or device management controls
Managing and securing BYOD
Unified endpoint management (UEM) plays a vital role in helping organizations establish a modern BYOD security stance. Effective UEM maintains user experience for employees regardless of device ownership, while enforcing BYOD policy.
The data protection capabilities of UEM enable organizations to institute Data Loss Prevention (DLP) features, while device management features provide visibility and controls over how the device is used to interact with the corporate network.
UEM can be used to patch vulnerable applications, update to the latest version of an operating system, and enforce the use of endpoint security software that actively protects BYOD devices from malware, vulnerability exploits, and network-based attacks.
Ultimately, UEM makes it possible for organizations to devise a more flexible and enforceable BYOD policy. But managing the devices is only part of securing these BYOD devices. Mobile devices are often overlooked when it comes to protecting against key threat vectors such as device, application, network, and social engineering attacks.
For example, according to a Lookout report, 56% of mobile device users have received and clicked a URL that bypassed existing layers of phishing defense. And this one may surprise you: on average, a user will click on approximately six phishing links from their mobile device during the course of a year.
Mobile Threat Defense (MTD) solutions are a necessary component of protecting against these types of potential attacks on BYOD devices. And, many of today’s UEM solutions integrate with managed threat detection services to provide automated remediation on the BYOD device if a threat occurs.