What does BYOD mean, and what security risks does it involve?
Bring your own device – commonly known as BYOD – is an increasingly popular policy, particularly for smaller businesses. With many people already owning laptops and tablets as a matter of convenience or personal preference, it makes less sense for businesses to equip their employees with new ones. What many people don’t realise is that this comes with risks to the business in the form of cross-contamination.
When personal devices are used for work or connected to office networks, they bring the potential for malware that would have been caught on a business device. While personal devices aren’t necessarily inherently unsafe, it is worth thinking about security when adopting a BYOD policy – and making these personal devices as close to work devices as possible from a security standpoint.
What is a bring your own device (BYOD) policy?
A bring your own device (BYOD) policy is the formalisation of something that already happens casually at many companies: employees using their personal devices for work purposes. This may include using a home computer for remote working, but may also include bringing devices such as laptops, tablets and phones to the workplace, with the intention of doing work or accessing work resources on them.
In the past, many individuals have carried two phones or two laptops with them for work and personal activities. This can be seen as wasteful not only from a monetary perspective, but also from an environmental one. With most people now owning powerful personal devices, and the ability to easily segment work in specific work software or browser profiles, it makes sense for businesses to use this to their advantage.
What a BYOD policy does is acknowledge and build a framework for the use of personal devices at work. While many people casually use their phones to access work emails or files, this usually isn’t considered by the businesses themselves, or even known about. A BYOD policy is a way to formally recognise the use of personal devices, and figure out a framework that allows them to operate safely in parallel with business software and systems.
What are the benefits of a BYOD policy?
A BYOD policy can be extremely cost-effective, especially if the company is on the smaller side. The cost of IT equipment can be high, and never more so than at the present moment, where the pandemic and resource shortages have made components more expensive. If you need to perform tasks which require powerful hardware, such as video editing or rendering, equipping all of your employees with new computers may be unrealistic. The same may be true of business phones, with some modern phones retailing for a similar amount to high-end computers.
It can also boost your green credentials. Employees may be happy to receive new hardware, but that doesn’t mean they need it. Owning two laptops or two phones simply so one of them is isolated to work-related files and apps is wasteful, and contradicts the broad move towards more sustainable business practices. It also means using more energy, which aside from being unnecessary, is also another substantial expense in the present day.
The reliance on business hardware is also becoming less necessary, particularly traditional desktop computers. The growth of cloud applications and the advent of remote working mean that files and software are no longer tied to specific workstations, or even local networks. Employees can easily use their personal laptop or phone to access the same files from any location, with the flexibility to bring their laptop to the office, take it home, or work from elsewhere.
What are the problems with a BYOD policy?
While this may all sound great in theory, there are some important issues to consider. Chief amongst them is the matter of how you secure these devices, and the potential threats they pose to your business. The way we use personal devices often differs from how we use business ones, as does the protection they have against threats. Dodgy downloads and websites can be a vector for malware, which can infect our personal computers without our knowledge, and compromise our data.
Many people may not have any form of virus or malware protection installed, particularly on macOS computers and mobile phones, which are erroneously thought to be immune to viruses. If they do have protection, it is unlikely to be as stringent as the enterprise solutions used by businesses. The same can be said of firewalls and secure connections, which can be seen as a hassle on home computers (blocking useful websites by accident), but are often a critical part of a business’s cybersecurity protocols.
If malware does infect a BYOD device, it runs the risk of spreading to other work devices, networks or servers. Users may unwittingly send infected files via email, or have their login credentials for work servers and software stolen, and used by malicious actors. This can lead to files being compromised, or even entire systems being held to ransom by ransomware attacks, where attackers encrypt your files and seek payment to unlock them.
How to protect personal devices at work
If you’re considering implementing a BYOD policy, it’s a good idea to look at the pros and cons before making a decision. Under a bring your own device policy, the IT support team will have less control over devices, thus placing more responsibility into the hands of users. Keeping these devices safe will require a joint effort between the business, its employees and its IT team, utilising both software and safe working practices.
You’ll need to make sure to secure your company’s confidential information before an employee agrees to use their equipment for work. Make sure that it is stated, from the start, what you will do with classified information on the device, or you will likely encounter issues when an employee leaves. Careful user management and account controls should also be considered; if an employee doesn’t need access to every sensitive file, then they probably shouldn’t have it.
Without the proper upkeep, devices can easily fall behind in important security updates, allowing them to become infected with malware. Devices should be set to receive automatic updates as soon as they are available, and these updates should not be endlessly delayed and put off just because they interrupt people’s work. If multiple employees are using older devices that take longer to update and boot up – making such updates more annoying – it may be worth reconsidering the BYOD policy.
Here are some guidelines for employees to ensure a safe BYOD policy:
- Install the latest system and software updates as soon as is reasonably possible.
- Install approved anti-virus software and keep it up-to-date.
- Avoid browsing or downloading anything from suspicious or illegal websites.
- Don’t click links or attachments in unexpected emails.
- Remove any software that you no longer use.
- Keep your passwords secure.
- Be mindful of who can see your screen when using workstations.
- Inform the correct point of contact regarding BYOD if you leave employment.
- Be aware of your responsibility for costs.
- Carefully manage account permissions.
- Store files in the right and approved locations.
If you are ever in doubt about your BYOD policy, cybersecurity or other aspects of your IT policy, don’t hesitate to get in touch with the team at Sota – we’re always here to help.