Bring Your Own Device (BYOD) is the set of policies in a business that allows employees to use their own devices – phone, laptop, tablet or anything else – to access business applications and data, rather than forcing employees to use company-provided devices for that purpose.
BYOD also refers to the ability to bring one’s own mobile phone to a new carrier, but this article will focus only on the first definition as it applies to IT organizations.
BYOD has made a huge impact in organizations: research indicates that nearly 80 percent of all organizations support BYOD devices today, while another survey found that about 95 percent of employees state they use at least one BYOD device for work functions.
There are a number of modes of BYOD operation. First, the organization should establish security policies for every device, since weak passwords and unsecured devices can lead to data loss. BYOD policies should establish:
A business’s level of security procedures will depend on the type of organization; for example, finance or healthcare organizations require higher levels of security than a small start-up web design firm.
Once security policies are established, organizations should define acceptable usage guidelines to determine how BYOD devices may be used during the course of business activities. This will help prevent malware or viruses from gaining access through unsecured websites and applications. These policies should cover
Policies should be enforced through the use of BYOD MDM software, which enables monitoring, managing, and configuring BYOD and employer-owned devices from a single central dashboard. Typical MDM functionality for BYOD includes
Once BYOD policies are established, they must be communicated to employees, and sufficient training must be provided to make adoption simple and widespread. A training manual for new hires that outlines the policies and why they were chosen can help alleviate fears of the organization ‘spying’ on employees and help increase their comfort level with policies and MDM software alike. This should conclude with every BYOD employee agreeing that they have read and understood these policies, to protect the organization from any liability caused by illegal or inappropriate use of their devices.
Finally, BYOD plans should include an exit plan for employees who leave, regardless of their reason for departure. This should include an HR and network directory exit plan and a BYOD exit checklist that covers disabling company email accounts, remotely wiping employer information from devices, entirely wiping company-issued devices, and changing any shared passwords to company accounts.
Additionally, BYOD policies could include defining a stipend from the company to help pay for BYOD data plans or home broadband connectivity, and whether employees who check email or answer business calls after hours are entitled to overtime compensation.
The consumerization of IT has had a far-reaching impact. Employees increasingly want to use their favored devices – whether Mac, PC laptop, iPhone, Android, or whatever else may come. As a result, enterprises have created mobile applications, which in many instances give business owners simpler and easier-to-manage solutions. There are a number of reasons why BYOD is important, including:
Some of the many BYOD benefits include
Although the benefits of BYOD are many, there are significant risks to the organization. Businesses must define and deploy security policies and measures that prevent or repair security holes in order to stop the exfiltration of intellectual property or protected information. An IDG survey found that over half of all senior IT security and technology professionals reported that serious violations of personal mobile device use occurred in their organizations.
Since BYOD devices connect both to sensitive corporate applications and to potentially risky networks and services, the risk of malware infection or data exfiltration is high. Loss of a BYOD device could lead to third parties accessing unsecured data or applications, and even an employee who leaves the company can put enterprise data at risk if the sensitive information is not deleted or applications wiped from the BYOD device. Other risks include devices that are shared by family members, devices that are sold while still retaining sensitive information, or devices compromised by an employee’s visit to an infected website. Even the use of public hotspots presents a security risk.
Organizations must ensure that all applications and OS versions on BYOD devices are up to date, since malware threats often target recently uncovered vulnerabilities. Businesses must also have the agility to support a broad range of devices, which can put a large burden on the IT organization; this burden can be addressed by outsourcing MDM to an organization focused on ensuring BYOD security. Some of these challenges can be addressed by containerization and app virtualization, which package enterprise applications and stream them to BYOD devices, ensuring that every employee has the most current version of a given application.
Another risk often overlooked is the simple determination of who ‘owns’ a phone number. This is a particular issue for salespeople or others in key customer-facing roles, whose customers may have become accustomed to reaching the business via an employee’s personal mobile number. If a key salesperson leaves the organization for another job, those customers may potentially be calling a competitor when they think they are calling the organization.
Although there are many considerations for effective BYOD deployment, here are three key factors to help bring a plan into focus.
First, assess the current business and technology requirements for user devices. Gain an understanding of the mobile application requirements that will help employees do their jobs, and determine what data needs to be accessed from mobile devices. Determine which applications are critical, which can currently provide secure information access, and which might be considered for replacement with newer, cloud-based or SaaS applications.
Next, decide if BYOD and MDM software will be delivered from on-premises servers, from a third-party service, or from the cloud.
Finally, draft a BYOD policy that business leaders and employees can agree to, as outlined at the beginning of this article. Adopting a policy and having employees sign on to the terms of that policy will help keep the organization’s applications and data safe while offering employees the convenience of using their own devices for both business and personal access.