As offices leave physical space and move into the cloud and digital ecosystems, the way we view our assets and technology also shifts. One of the big changes many industries have seen is the rise of bring-your-own-device (BYOD) policies, encouraging employees to use their personal devices—from smartphones to tablets to computers—while on the job.
At surface level, this is undoubtedly a smart move. Remote work is becoming increasingly common, and for companies with employees across the world it’s unfeasible to provide hardware individually. Additionally, even for local offices BYOD can significantly reduce operational costs, improve productivity, and result in happier employees.
Looking a bit deeper though, BYOD might mean you’re gaining some benefits at the expense of something far greater—your organisation’s security. BYOD is an inherently unsafe concept; you’re placing your company’s most sensitive data and security in the hands of stakeholders who are not as invested as its owners.
Indeed, even the most well-intentioned employees might have the poorest safety practices and be ignorant of standard security protocols. Moreover, security systems become increasingly less safe when there are too many endpoints for IT teams to manage. Especially in large organisations, instantly adding thousands of mobile endpoints along with laptops, IoT sensors, and more can result in a network that’s too spread out to effectively administer and secure.
With mobile technology becoming increasingly central, the question of allowing your employees access to your network is more important than ever. Even so, unsafe doesn’t mean unfeasible, and it’s not always in your best interest to dismiss a business concept out of hand. It’s therefore important to really consider if you can safely implement a BYOD strategy.
Great idea, frightening operational model
A study by Citrix systems in 2017 forecast that 50 per cent of the global workforce will be remote by 2020. Moreover, nearly 60 per cent already use smartphones for work, while 31 per cent want to. The result of this shift has been an increase in the number of firms which have a formal BYOD policy in place (roughly six in ten). The savings are also clear, with Cisco reporting that BYOD results in roughly $350 in savings per employee, along with an extra 58 minutes per day saved and a 34 per cent productivity boost.
It would seem as though BYOD is numerically inevitable, and the current tech climate reinforces that view. The risks can easily outweigh the benefits when companies simply allow users to bring in any device without a firm policy in place to regulate BYOD practices, however. Our current corporate landscape is full of threats that prey upon even the smallest vulnerability. This is especially true for devices that haven’t been put through the rigorous security compliance process company-owned devices have.
Malware can hack phone microphones and cameras, taking them over and using them to capture and broadcast private conversations. “Man in the middle” attacks are easier to deploy when communications between work and personal devices are not encrypted and secured, and IMSI catchers that pick up unsecure connections make it child’s play for a hacker.
Corporate espionage, ransomware, and other attack vectors have greater odds of success when the entry points to your corporate network are unguarded. It’s not even necessary to reach employees’ computers today—simply hacking a phone with an infected app could lead to massive gaps in security.
No matter how strong your own network is, a single employee with careless app store habits could cause millions of dollars in damage. An even bigger problem is that it never comes down to a single employee. Enterprise-level companies deal with this on a scale of hundreds or even thousands, and must make serious sacrifices to allow for BYOD to work.
This usually means affecting the user experience with heavy technology that removes many of BYOD’s benefits in the interest of safety. In the end, poor executions of these policies result in restrictive ecosystems that discourage users from actually taking advantage of them. The only real way to ensure BYOD doesn’t translate to guaranteed breaches is to block entry and exit points severely.
This is not to say all BYOD policies are bad, but rather that it’s important to consider every potential risk of implementing one for your organisation. Like any other smart IT process, giving your employees the ability to work from their own devices requires planning and consideration to help you mitigate risk without sacrificing efficiency.
The smart way to use BYOD
For many organisations, BYOD policy means installing productivity apps on their employees’ devices and giving them access to private networks. Although this is incredibly easy to do, it is equally unsafe. Instead, you need to find the right combination of technology and policy to create a BYOD infrastructure that is secure and easy to use.
Smartphones, for instance, should be protected with systems that require little or no input from users themselves, but that also don’t place a burden on their devices. Covering the network level offers a greater net to catch any risk. Encrypted communication tools should also be the norm to prevent anonymous third parties from snooping in.
Most importantly, however, is a clear understanding that when it comes to securing one hundred--or one thousand-- smartphones, having anti-malware and VPN software installed on every one of them becomes impractical and costly. Instead, a more reasonable policy is to focus on security for mobile connections and endpoints on a network level. Creating more secure mobile networks can help companies reduce the burden on already strained IT teams without sacrificing the security enterprise requires. More importantly, it allows users to take advantage of BYOD without giving up the many benefits it offers.
Connection protocols such as VPNs should also be used to ensure that entry and exit points are always as secure as possible. Your goal in building your technology infrastructure is to reduce the risk of your employees making a wrong decision. Removing the responsibility for security from their hands is not difficult, and results in a safer organisational network.
On the policy side, you should focus on two distinct aspects—practical and best use standards, and the education of staff. For the former you should have a clear set of rules, guidelines, and policies for BYOD responsible use. You should clearly delineate which devices are permitted and under which conditions, and the consequences for breaking responsible use rules.
On the other hand, having rules and technology in place is useless if your employees don’t understand the issues at hand, and how to best use the resources you give them. Your BYOD policy should always consider that your employees are human, and thus need to understand how to keep safe and behave responsibly online and when connecting to your network. Having guides available, an accessible IT team, and regular, periodic training sessions to help refresh security concepts are all great ways of keeping staff informed.
BYOD the right way
It’s not impossible to build a safe BYOD policy, but it takes thought and foresight. In an ecosystem that is increasingly mobile, which has exponentially scaled the number of endpoints on any network, simply installing an anti-virus and a VPN is no longer enough, but it doesn’t have to be. There are real solutions that can help, and make BYOD feasible. The model has shown a real positive impact on the workplace, and anything that improves your employees’ happiness should be a priority. Even so, you should always weigh the implementation of such a policy with its risks, and ensure that you take every step to mitigate the vulnerabilities as thoroughly as possible.
Prof. Dror Fixler, CEO and co-founder, FirstPoint