"Bring your own device", or BYOD, describes a situation where a company's employees use personal devices, typically mobile phones, tablets, and laptops, to access corporate network resources or applications. BYOD can happen informally: employees reach corporate resources from personal devices from time to time without their system administrators knowing about it. In that form, "bring your own device" is a serious security issue for the company.
On the other hand, BYOD can be a deliberately developed and implemented policy that sets out the rules end users must follow when they use personal devices to access corporate resources. This is the modern, flexible approach to personal device management.
In this article, we define the main BYOD problems, outline a basic BYOD policy that you can roll out for your company quickly and securely, and discuss the cases in which you should prohibit the use of personal devices altogether.
“Bring Your Own Device” Is Here to Stay
Let's face it: employees routinely use personal devices to access corporate resources, copy documents to personal file-sharing accounts so they can keep working away from the company computer, or join an urgent web conference while on vacation. Each of these is a way for BYOD to bypass corporate IT security policies.
A study by Frost and Sullivan reports that the productivity of employees using BYOD increases by up to 34%. Coupled with the finding that 85% of companies shifted to BYOD policies as a result of the pandemic, this means that "bring your own device" is here to stay. Rather than fighting BYOD, you should define your policies and their strictness flexibly so as to get the most out of it.
Further reading: Mobile Device Management Guide for MSPs
Corporate BYOD Policy
A BYOD policy is a document that sets out the terms and rules for using personal devices in a given organization. It should be reviewed every time a significant infrastructural change happens in the company (for example, adopting work from home during a pandemic).
Here are examples of BYOD problems, together with a structure for a "bring your own device" policy that covers them. Small and medium-sized businesses can use it directly, and managed IT providers can use it for their clients:
1. Means of access should be secured. First, enumerate every way a personal device can reach the corporate network or applications, then narrow the list down to secured channels only. Make sure that, when signing in to the company's applications or network, your users do so through a VPN and with multi-factor authentication; a VPN without MFA only extends the network to whoever holds the device.
2. Devices should be secured. If your users are allowed to use personal devices, apply the same protections you would on a corporate endpoint: anti-malware software with regular scans, a current, patched operating system, and encryption of any corporate data that may be stored on the device.
Further reading: Guide to Endpoint Security Monitoring
3. Data access should be restricted. Even when a company handles sensitive data, some users will still download it and share it over the Internet, ignoring the obvious dangers. So, first classify your data to identify mission-critical data and data with restricted access requirements. Then, following a least-privilege model, grant access to each resource only to the personnel who are authorized for it.
4. Users should agree to mobile device management tool usage. Managing a BYOD policy is difficult without the appropriate MDM tools. Have your users sign a form stating that they understand and acknowledge that corporate applications will be installed on their personal devices and managed by the company.
5. No access to personal user data. At no point should you collect, store, or share personal data located on the BYOD devices under your management. Restrict MDM usage to the containers and applications that hold corporate data.
6. End-user training and support. Your users should understand how to sign in to applications and the network securely, and how to ask for help when they run into problems.
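The six policy items above are usually enforced at sign-in time by a conditional-access rule set that combines the user's authentication, the device's posture as reported by the MDM agent, and the classification of the requested resource. The following is an added example, not code from the original article or any product it mentions, of such a rule set in Python. The resource catalogue, role allow-list, and device postures are constructed for illustration; it also encodes the rule from the next section that restricted data is never served to a personal device, managed or not.

```python
"""Conditional-access policy evaluator for BYOD sign-in requests (illustrative)."""
from dataclasses import dataclass
from enum import IntEnum


class Classification(IntEnum):
    """Data classification levels, ordered from least to most sensitive."""
    PUBLIC = 0
    INTERNAL = 1
    CONFIDENTIAL = 2
    RESTRICTED = 3


@dataclass(frozen=True)
class DevicePosture:
    """What the MDM agent (or a login-time posture check) reports about the device."""
    device_id: str
    corporate_owned: bool
    mdm_enrolled: bool
    disk_encrypted: bool
    antimalware_current: bool
    os_patched: bool


@dataclass(frozen=True)
class AccessRequest:
    user: str
    role: str
    mfa_passed: bool
    via_vpn: bool
    device: DevicePosture
    resource: str


# Constructed resource catalogue (assumption): resource name -> classification.
RESOURCES = {
    "intranet-news": Classification.PUBLIC,
    "wiki": Classification.INTERNAL,
    "payroll": Classification.CONFIDENTIAL,
    "litigation-hold": Classification.RESTRICTED,
}

# Least-privilege allow-list (assumption): a role reaches only the listed classifications.
ROLE_ACCESS = {
    "staff": {Classification.PUBLIC, Classification.INTERNAL},
    "finance": {Classification.PUBLIC, Classification.INTERNAL, Classification.CONFIDENTIAL},
    "legal": set(Classification),
}


def evaluate(req: AccessRequest) -> tuple[bool, list[str]]:
    """Return (allowed, reasons). Every failed control appends a reason, and access
    is granted only when the list is empty, so the helpdesk sees the full picture."""
    reasons: list[str] = []
    cls = RESOURCES.get(req.resource)
    if cls is None:
        return False, [f"unknown resource {req.resource!r}: default deny"]

    # Policy item 1: only secured means of access (VPN + MFA), for every classification.
    if not req.mfa_passed:
        reasons.append("multi-factor authentication not completed")
    if not req.via_vpn:
        reasons.append("connection did not come through the VPN")

    # Policy items 2 and 4: device hygiene, enforced via MDM, for anything beyond public data.
    d = req.device
    if cls >= Classification.INTERNAL:
        if not d.mdm_enrolled:
            reasons.append("device is not enrolled in MDM")
        if not d.disk_encrypted:
            reasons.append("corporate data container is not encrypted")
        if not d.antimalware_current:
            reasons.append("anti-malware signatures are out of date")
        if not d.os_patched:
            reasons.append("operating system is missing security updates")

    # Policy item 3: least privilege; the role must be explicitly allowed for this class.
    if cls not in ROLE_ACCESS.get(req.role, set()):
        reasons.append(f"role {req.role!r} is not authorised for {cls.name} data")

    # Restricted data never goes to a personal device, managed or not.
    if cls == Classification.RESTRICTED and not d.corporate_owned:
        reasons.append("RESTRICTED data is only available on corporate-owned devices")

    return not reasons, reasons


# Constructed sample postures (not real devices).
PERSONAL_OK = DevicePosture("phone-1", False, True, True, True, True)
PERSONAL_UNMANAGED = DevicePosture("phone-2", False, False, False, False, False)
CORPORATE_OK = DevicePosture("laptop-7", True, True, True, True, True)

if __name__ == "__main__":
    for req in (
        AccessRequest("ann", "staff", True, True, PERSONAL_OK, "wiki"),
        AccessRequest("ann", "staff", True, True, PERSONAL_UNMANAGED, "wiki"),
        AccessRequest("cat", "legal", True, True, PERSONAL_OK, "litigation-hold"),
    ):
        ok, why = evaluate(req)
        print(req.user, req.resource, "ALLOW" if ok else "DENY", why)
```

Note the default-deny for unknown resources and the fact that a denial carries every failed control rather than the first one: a user who is told only "MFA required" will fix that and then be denied again for an unencrypted device, which is exactly the support burden policy item 6 is meant to avoid.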
When Not to Employ BYOD
Various countries impose strict governmental regulations on how businesses manage data. A company that fails to comply can be sued and, more likely, fined, and the quickest route there is lost or compromised data. What kind of data exactly?
It is safe to say that any company working in the legal, financial, or healthcare sector should be extremely careful about how it shares, stores, and manages data. Moreover, if you process the personal data of EU residents, you fall under the GDPR, which provides for substantial fines (up to 4% of global annual turnover or EUR 20 million, whichever is higher) in the event of a data breach.
With all that in mind, if your company works with sensitive data you should either restrict BYOD usage or forbid the use of personal unmanaged devices outright.
For some system administrators and IT professionals, a "bring your own device" policy sounds like a security breach or data loss waiting to happen. Indeed, the modern user can lose data or break things in many ways. But, whether you like it or not, BYOD is more popular than ever and its popularity will only grow. So, instead of trying to stop end users from using applications and downloading data through unsecured channels, develop a flexible, easy-to-use BYOD environment that both boosts your users' productivity and secures your infrastructure.