In an ideal world, Bring Your Own Device (BYOD) is a good idea; letting staff use their personal devices for work can save businesses a fortune in hardware costs for mobile phones and laptops.
The problem we are now facing is that BYOD presents serious security challenges. With phishing, malware, and ransomware on the rise, managing many devices from multiple vendors with different operating systems and versions is simply adding fuel to the fire.
What Is BYOD?
The term BYOD refers to the use of an individual’s personal communication device for work purposes. For example, many professionals receive email or attend virtual meetings through their personal mobile phones, laptops or desktops.
Although companies often issue corporate devices, employees can also use their personal computers, laptops, and tablets for work if a BYOD policy is in place. It’s convenient for employees to use BYODs because they don’t need to carry and maintain multiple devices that perform the same function.
Convenience aside, security for BYODs is an issue, as keeping up with troubleshooting, security patches, and other software updates on multiple device types is difficult. The company’s IT department doesn’t monitor personal devices as closely, because they are not always part of the corporate network. Here is where personal devices become a liability concerning business security.
Does BYOD Help Businesses?
There are clearly some cost savings to be had if employees who use their personal devices for work through a BYOD policy do not additionally need to be issued with a corporate-supplied device.
BYOD also became essential for some businesses to navigate through the COVID-19 pandemic. Employees could make the abrupt shift to working from home, primarily because they had personal devices that could access their employers’ networks. Most mobile devices were equipped to download and support video conferencing tools like Zoom and Microsoft Teams.
While BYOD certainly has some benefits, in our opinion, the negatives outweigh those positives. The downside to all this is that BYOD policies create a heavy burden on a company’s security resources. With cybercrimes and ransomware attacks on the rise, IT teams worldwide are faced with the challenge of mitigating the security vulnerabilities created by unprotected BYOD devices that have access to corporate networks.
7 Reasons BYOD Is a Bad Idea
While many organisations have embraced the concept of remote working, we encourage those that allow BYODs to re-evaluate their policy. BYODs create dangerous security gaps that can threaten entire networks and compromise the organisation’s sensitive data.
1. A Challenge for Your IT Team to Support
BYODs challenge IT teams in several ways. Allowing personal devices means that the type, quality, models, and software are too numerous to inventory and update efficiently. It is almost impossible to keep up with software versions and builds.
Software licenses for specialised programs are often issued to company-owned devices only. So, employees may find they have to switch to company devices for specific tasks and business processes.
The use of personal mobile devices means that the hardware comes from different manufacturers and runs different operating systems. If your organisation’s business applications aren’t supported by all available operating systems, groups of employees may experience a productivity hit.
When users require assistance, it may be difficult for IT personnel to troubleshoot or access the employee’s machine from a remote location. IT may not have Mobile Device Management (MDM) or administrator access to personal devices and is therefore limited in the support it can provide.
Perhaps IT’s biggest challenge is securing a network that includes the use of BYODs, which is discussed in the next section.
2. Difficulty Enforcing a Standard Security Policy
Just as IT departments are challenged with maintaining a network with BYOD devices and the multiple makes, models, software versions, and builds that entails, IT is equally challenged with securing the company’s networks and sensitive data.
Personal devices often fall out of date because the typical end-user may not be aware of current updates or the importance of installing them. This creates gaps in security that act as open doors for malware and other cyber attacks. Companies are refining their security policies to include BYOD and protocols to maintain them, though far too many have not yet taken this critical course of action.
3. Insecure Mobile Apps Being Downloaded
Most professionals take care to use their company-issued devices for work only. In addition, most end-users do not have permission to download and install apps. With BYOD, however, the device owner may use their device for personal and professional use. This means that corporate data is being accessed on a device that may have malicious apps installed.
Malicious apps may contain viruses or malware that can potentially take over the user’s device, putting corporate data at risk. Sometimes the user downloads an app intentionally but has no idea that it’s actually malware. Other times, users download these apps inadvertently when clicking on email attachments or web page links.
4. Outdated Operating Systems and Security Patches
One of the greatest threats to network security is a lapse in device software revisions and falling behind with firmware updates. Criminals pay attention to when updates and security patches roll out. They know where the security vulnerabilities are and plan their attacks before their targets have a chance to perform critical updates.
Remember, ransomware and other forms of malware enter the corporate network through a single device, usually via a malicious email or a rogue app. If a BYOD infected with ransomware connects to the corporate network, that may be all it takes for that malicious program to affect the entire organisation and compromise all sensitive data, including client information and banking information.
5. Some Devices Are Inherently Insecure
Mobile phones present serious security issues because most users with infected smartphones don’t know they are infected. They use their phones for personal and professional use, which can spread the infection to other machines and networks.
Furthermore, many users have what’s commonly referred to as “app fatigue”, which results from overexposure to mobile content. Users must click so many terms of service that they may not read the details carefully enough with each download. In some cases, they may grant the app more permissions than they should.
That, combined with the typical user’s tendency to put off Operating System (OS) updates, creates a hefty risk factor. While IT departments who maintain a regular monitoring and maintenance schedule can force updates before a BYOD is allowed on the corporate network, this step is often overlooked.
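An added example, not from the original article: a minimal admission check of the kind described above, deciding from a device's reported posture whether a BYOD may join the corporate network. The minimum OS versions, report-age limit, field names and sample devices are assumptions constructed for illustration.

```python
from datetime import date

# Assumed policy values for illustration; not taken from the article.
MIN_OS = {"ios": "17.5", "android": "14", "windows": "10.0.19045"}
MAX_REPORT_AGE_DAYS = 7  # older posture reports are not trusted


def parse_version(text):
    """'10.0.19045' -> (10, 0, 19045), so 17.10 sorts above 17.5."""
    return tuple(int(part) for part in text.split("."))


def evaluate(device, today):
    """Return (decision, reasons) for one device posture record."""
    minimum = MIN_OS.get(device["platform"])
    if minimum is None:
        return "deny", ["platform not covered by policy"]
    reasons = []
    if (today - device["reported"]).days > MAX_REPORT_AGE_DAYS:
        reasons.append("posture report is stale")
    try:
        if parse_version(device["os_version"]) < parse_version(minimum):
            reasons.append(f"OS older than required {minimum}")
    except ValueError:
        reasons.append("OS version could not be parsed")
    if not device["mdm_enrolled"]:
        reasons.append("not enrolled in MDM: no remote lock or wipe")
    return ("quarantine" if reasons else "allow"), reasons


# Constructed sample inventory (hypothetical devices).
TODAY = date(2024, 6, 10)
DEVICES = [
    {"id": "phone-a", "platform": "ios", "os_version": "17.10",
     "reported": date(2024, 6, 9), "mdm_enrolled": True},
    {"id": "laptop-b", "platform": "windows", "os_version": "10.0.19041",
     "reported": date(2024, 6, 8), "mdm_enrolled": False},
    {"id": "tablet-c", "platform": "android", "os_version": "14",
     "reported": date(2024, 5, 1), "mdm_enrolled": True},
    {"id": "box-d", "platform": "chromeos", "os_version": "120",
     "reported": date(2024, 6, 10), "mdm_enrolled": True},
]

if __name__ == "__main__":
    for dev in DEVICES:
        decision, why = evaluate(dev, TODAY)
        print(dev["id"], decision, "; ".join(why))
```

Comparing versions as integer tuples matters here: as plain strings, "17.10" sorts below "17.5", and an up-to-date device would be wrongly rejected.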
6. Infected Personal Files on a BYOD
Often, a user picks up a virus while surfing the net, either from home or when using public WiFi. Most likely, this occurs during off time and when using the device recreationally rather than from work. Initially, the virus attaches itself to personal files. However, it can spread through to any work program and folder. Depending on the type of malware, it can also make its way to shared network drives, even those accessed through a secure cloud service.
As with any form of malware, all it needs is an entry point. From there, it makes its way to personal files and applications. Whenever the user connects to the corporate network, it can then spread to corporate services with relative ease.
7. Corporate Data Residing on a Personal Device
Currently, most work is performed and stored on shared drives using cloud technology. However, many professionals still use their laptops and desktops as off-net storage devices. Consequently, corporate data ends up stored on BYODs.
Should a company-issued work device be lost or stolen, IT can secure it remotely to ensure no critical data gets into the wrong hands. They can track and lock the device or even erase all the data on the hard drive to protect sensitive information. However, they do not always have that capability for BYODs. Should an employee’s personal device be stolen, IT must ensure they can still secure it.
Is BYOD Dead?
IT can employ MDM to mitigate some of the risks we have discussed that come with BYODs. However, attempting to manage the myriad of devices and OSs places a burden on the IT department. As companies adjust to their new remote workforce, our recommendation is for you to take the time to re-evaluate your use of BYOD and allow only company-issued devices on the corporate networks. Please get in touch if you would like us to review your current BYOD solution.