Bring-your-own-device (BYOD), the practice of allowing employees to use personal devices to access company networks, has grown significantly in recent years, mainly due to the impact of the COVID-19 pandemic.
While BYOD provides flexibility to employees and organisations, it also presents a number of risks. In this blog post, we discuss the issues created by the use of BYOD and outline the elements of an effective checklist.
The rise of BYOD
From employees using their own mobile phones to make company calls to business being conducted on personal laptops, BYOD has never been bigger. The global COVID-19 pandemic and the resulting surge in remote and hybrid working has led to a huge rise in the use of BYOD.
In the rush to respond to a fast-changing commercial environment, organisations were put under pressure to relax their approach to device management. This happened for a number of reasons: employees were often not given the opportunity to take home company-owned equipment, and the rollout of Software-as-a-Service (SaaS) options such as Microsoft Teams made it easy for users to install work applications on their own smartphones and laptops.
The risks of BYOD
BYOD has enabled many organisations to adapt in the face of changing commercial needs over the past two years. When managed correctly, through the use of remote access technologies, application containers and application wrapping, BYOD provides valuable benefits, such as increasing employee satisfaction and productivity. However, the ongoing normalisation of its use does present some risks. These include poor data security, device loss or theft and increased risks from malware.
What should a good BYOD checklist include?
Every organisation will have different needs and priorities around BYOD, but the key aspects that should be covered are:
1. A dedicated BYOD policy
A focused BYOD policy is an essential aspect of secure remote working and should be regularly updated. Key aspects include:
- The devices permitted by your organisation
- The ownership of phone numbers – failing to clarify this issue can create complications when a member of staff leaves the organisation
- The types of apps that are and aren’t permitted on devices
- Data ownership – which data belongs to the organisation and which belongs to the employee
- Data confidentiality – ensure that confidential data is never stored on the device
- Privacy – ensure that employees understand what activity and data your organisation can view and access on their devices
- Specific security requirements for devices
- Procedures for immediately reporting a lost or stolen device
- Controls for enforcing BYOD requirements
2. Secure data
When sensitive company data is accessed and shared via employees’ own devices, it is essential to ensure that data is secured at all times. This means making key security measures, such as encryption or multi-factor authentication, mandatory. Regular security audits will also help to confirm the safety of company data and highlight any potential risks.
3. Employee training
With BYOD in use among so many employees, dedicated training and awareness sessions are essential. They should cover subjects such as device onboarding, security policies, data ownership and employee responsibilities.
4. Employee exit and onboarding plans
BYOD creates additional challenges around sensitive information when employees leave or join your organisation, such as the risk of key data being kept on personal devices instead of being wiped. Establish an employee exit and onboarding plan to enable your organisation to maintain clear parameters relating to the security of company information during these transition periods.
5. Knowledge of devices in use
Ensure that you have complete clarity about which devices your organisation is able to support – and share this information with your employees. Check which devices fully meet your security standards. This should also involve assessing the types of tools the devices have (e.g. native enterprise or third-party tools).
6. Regular device checks and audits
Undertake regular checks and audits on all devices to ensure that your security policy is followed. This will provide valuable insight into potential security flaws and also allow you to identify areas for improvement.
7. Minimum device requirements
To help secure sensitive company data, set clear criteria for accessing corporate resources. This should include establishing minimum mobile operating system versions.
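Items 2, 6 and 7 above (mandatory controls such as encryption and MFA, regular device audits, and minimum OS versions) can be turned into a repeatable check. The script below is an added example, not code from the original post or from Kroll: it evaluates a constructed device inventory against a hypothetical policy and reports each non-compliant device with the reason. The policy values, device records and control names are assumptions for illustration. Note that OS versions are compared numerically, not as strings, so that a build such as 10.0.9000 is correctly judged older than 10.0.19045.

```python
from dataclasses import dataclass, field

# Hypothetical policy values (assumed for this example, not Kroll's recommendations):
# permitted platforms with their minimum OS version, and controls every device must have.
MIN_OS_VERSION = {"ios": "16.0", "android": "13", "windows": "10.0.19045", "macos": "13.0"}
REQUIRED_CONTROLS = ("disk_encryption", "mfa_enrolled", "screen_lock")


@dataclass
class Device:
    device_id: str
    owner: str
    platform: str
    os_version: str
    controls: dict = field(default_factory=dict)  # control name -> enabled?


def parse_version(version: str) -> tuple:
    """Turn '10.0.19045' into (10, 0, 19045) so comparison is numeric, not lexical."""
    parts = []
    for piece in version.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def version_at_least(actual: str, minimum: str) -> bool:
    """True if actual >= minimum; shorter tuples are zero-padded so '13' equals '13.0.0'."""
    a, m = parse_version(actual), parse_version(minimum)
    width = max(len(a), len(m))
    a += (0,) * (width - len(a))
    m += (0,) * (width - len(m))
    return a >= m


def evaluate(device: Device) -> list:
    """Return a list of policy findings for one device (empty list means compliant)."""
    findings = []
    platform = device.platform.lower()
    if platform not in MIN_OS_VERSION:
        findings.append(f"platform '{device.platform}' is not on the permitted list")
    elif not version_at_least(device.os_version, MIN_OS_VERSION[platform]):
        findings.append(f"OS {device.os_version} below minimum {MIN_OS_VERSION[platform]}")
    for control in REQUIRED_CONTROLS:
        if not device.controls.get(control, False):
            findings.append(f"required control '{control}' not enabled")
    return findings


def audit(devices) -> dict:
    """Map device_id -> findings for every device that fails; compliant devices are omitted."""
    report = {}
    for device in devices:
        findings = evaluate(device)
        if findings:
            report[device.device_id] = findings
    return report


ALL_ON = {"disk_encryption": True, "mfa_enrolled": True, "screen_lock": True}

# Constructed sample inventory (not real devices).
SAMPLE_INVENTORY = [
    Device("d1", "alice", "iOS", "17.1", dict(ALL_ON)),                 # compliant
    Device("d2", "bob", "Android", "12", dict(ALL_ON)),                 # OS too old
    Device("d3", "carol", "Windows", "10.0.9000", dict(ALL_ON)),        # older build than it looks
    Device("d4", "dave", "iOS", "16.0", {**ALL_ON, "mfa_enrolled": False}),  # MFA missing
    Device("d5", "erin", "Linux", "6.1", dict(ALL_ON)),                 # platform not permitted
]

if __name__ == "__main__":
    for device_id, findings in audit(SAMPLE_INVENTORY).items():
        print(device_id, "->", "; ".join(findings))
```

Run as a scheduled job against an exported device inventory, the output gives the audit in item 6 a concrete artefact to act on, and the same policy dictionary can feed the minimum-requirements statement in item 7.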
How Kroll can help
While a comprehensive checklist can help reduce the risks associated with BYOD, a strategic and multi-layered approach will enable your organisation to avoid the many potential pitfalls. This can be supported by working with a cyber security partner.
A remote working security assessment from Kroll can provide better insight into the security of networks, systems, tools and applications used to support your remote workforce and ensure these are appropriately hardened.
Our CREST-certified experts are highly experienced at identifying and helping to address a wide range of security vulnerabilities and can help to ensure that data and assets are protected to the latest information security and compliance standards.