How IT departments can make BYOD safer: Five top tips

Bring your own device (BYOD) is nothing new - employees have been using their personal IT in the workplace, or at home for work purposes, since the last millennium.

Nor is it something most IT departments can prevent - even if personal devices are barred from the corporate network, there’s not much IT can do about the use of personal devices, personal mobile apps or software, and personal cloud services, while employees are working.

Instead, corporate IT organisations should look at BYOD for what it is - an employee reaction to being able to use whatever they need to get their work done. Some might say it’s employees filling the void left by IT, as personal technology has advanced more quickly than its corporate counterpart.

But whatever the cause, IT departments need to do what they can to manage and mitigate BYOD risks and the associated business-level exposure.

What exactly is BYOD?

BYOD can mean different things to different people. For some it’s the sanctioned use of personal devices on the corporate network; for others it encompasses any use of personal IT (including software) for business use. An IT department’s BYOD strategy, policies, and management tools will depend on their perspective.

There are alternative approaches to BYOD. One is an “open season” approach where the corporate IT team provides and supports all types of devices for all employees – but this is rare. Another is to “ban” BYOD. This is generally disliked by employees, who feel they have to “take a step back in time” when they compare their shiny new lightweight consumer laptop to their old corporate laptop, for example.

And of course you just know that the shiny personal laptop will be used, and will thus contain corporate data (probably insecurely), whenever possible. A third approach is CYOD - choose your own device - where the corporate IT department allows employees to choose the latest consumer technology but from a limited selection of devices.

Whatever the flavour of BYOD, there’s no doubt that employees think that the newer devices and apps help them to reduce the friction between themselves and their enterprise IT systems, or to avoid the enterprise software entirely. Thus, correctly done, BYOD can improve end-user satisfaction, increase their productivity, and potentially reduce IT costs.

However, there are significant risks associated with BYOD, no matter the strategy and policies, which might relate to: the introduction of untrusted devices into the corporate environment, data security, or other possibilities such as the use of unlicensed software.

Thankfully IT can mitigate these risks by applying suitable user, network, and application controls.

The Risks of BYOD

The risks introduced by BYOD include, but are not limited to, the following:

  1. Network scanning tools that search any attached network
  2. Spamming tools that use the corporate bandwidth to send spam emails
  3. Keyloggers that watch for, and steal, corporate logins
  4. Accessing websites that are against corporate policy
  5. Over-running IT with support calls for untrusted, and potentially unsupported, devices
  6. Loss of data or loss of devices and the data on them

The corporate IT department should thus take the security stance that any employee network used for web and email access is untrusted, as are the devices connected to it.

There are five things that can limit your organisation’s BYOD exposure.

  1. Make BYOD the exception to the rule

This is a limitation programme that only lets specific end-user roles use personal devices on the corporate network, for example, 100-per-cent-mobile users or senior executives.

It doesn’t make BYOD safe but it can reduce the scope and attack surface. This of course doesn’t stop any given employee from using their personal device for business work, or even their business device for personal use.

  2. Leverage community self-support

To mitigate the risk, and impact, of overwhelming the IT service desk with requests to support an impossible number of personal devices, provide a wiki community where BYOD users can help each other.

This can be a successful strategy when employees are using the same popular consumer-grade devices, such as Android phones, as they tend to hit the same initial setup issues and then the same usability issues. Corporate IT can also provide FAQs and other self-service knowledge articles for things like how to set up corporate email on Android, iOS, and Windows devices where appropriate.

  3. Zero-trust network

This is the approach mentioned above, where IT adopts the policy of trusting neither the devices nor any “open” corporate network, such as one that connects to the Internet. For example, many corporate systems are now software-as-a-service and are thus accessed via a browser or mobile application over the corporate network and then the Internet.

Additionally, access to sensitive systems, such as HR systems, can be restricted to trusted devices (i.e. not BYOD) via secure identification mechanisms and network controls.

  4. Trusted end-point on untrusted device

While mobile device management (MDM) tools are already popular, there’s also a management approach that separates the device, its applications, and the data. For mobile devices, such as laptops, the end user can self-install a virtual desktop that represents a trusted end-point on an untrusted device.

There are very mature solutions on the market, even for smartphones, such that IT can support the trusted end-point but leave the end user to manage the rest of the device.

  5. Identity and access management

Identity systems from vendors such as Microsoft, VMware, and Okta can uniquely identify an end user, link them to a device and location, and then use ticket-based authentication to give them single sign-on to multiple corporate systems.

These are self-service and therefore require minimal end-user IT support. Plus, they offer detailed logs of who accessed which systems, when, and from where, to provide a suitable audit log for compliance purposes and random security checks.
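As an added example, not taken from the article, the small policy decision point below encodes tips 1, 3 and 5 together: BYOD is allowed only for listed roles, sensitive systems require a trusted device, and every decision is written as an audit line recording who, which system, when and from where. Role names, system names and the log format are assumptions made for illustration.

```python
# Added example, not from the article: a minimal policy decision point that
# encodes tips 1, 3 and 5. Role names, system names and the log format are
# assumptions made for illustration.
from dataclasses import dataclass, asdict
import json

# Tip 1: BYOD is the exception, permitted only for specific roles (assumed names).
BYOD_ROLES = {"field_sales", "senior_executive"}

# Tip 3: sensitive systems such as HR are restricted to trusted devices.
SENSITIVE_SYSTEMS = {"hr", "payroll"}


@dataclass
class AccessRequest:
    user: str
    role: str
    system: str
    device_managed: bool  # True = corporate/MDM-enrolled, False = personal (BYOD)
    location: str


def decide(req: AccessRequest) -> tuple[bool, str]:
    """Return (allowed, reason). Trusted devices pass; personal devices are
    blocked from sensitive systems and limited to the BYOD-permitted roles."""
    if req.device_managed:
        return True, "trusted device"
    if req.system in SENSITIVE_SYSTEMS:
        return False, "sensitive system requires a trusted device"
    if req.role not in BYOD_ROLES:
        return False, "role is not in the BYOD exception list"
    return True, "BYOD exception for role"


def audit_record(req: AccessRequest, timestamp: str) -> str:
    """Tip 5: one JSON log line recording who, which system, when, from where,
    and the decision. The timestamp is passed in so the output is reproducible."""
    allowed, reason = decide(req)
    record = {**asdict(req), "timestamp": timestamp,
              "allowed": allowed, "reason": reason}
    return json.dumps(record, sort_keys=True)


if __name__ == "__main__":
    # Constructed sample requests from personal (unmanaged) devices.
    samples = [
        AccessRequest("a.director", "senior_executive", "hr", False, "home"),
        AccessRequest("a.director", "senior_executive", "email", False, "home"),
        AccessRequest("dev01", "developer", "email", False, "cafe"),
    ]
    for r in samples:
        print(audit_record(r, "2024-01-01T09:00:00Z"))
```

The same director is refused HR from a personal laptop but allowed email, while a role outside the exception list is refused even for email; the audit lines give the evidence trail the article describes.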

Remember, “banning” BYOD isn’t a real BYOD strategy or policy - you might as well not have one.

Sarah Lahav, CEO of SysAid Technologies
