Cyber Security

The BYOD Policy Guide: Biggest Risks and Best Solutions for Security

As a user-generated movement, Bring Your Own Device (BYOD) is clearly unstoppable. Every study and poll out there show an inexorable, growing adoption curve that shows no sign of slowing down.

 

BYOD sure does offer cost savings to enterprises. However, it also poses important security risks if the right precautions aren’t taken. If you haven’t done so yet, the time has come to regulate this BYOD business in your, er, business.

In fact, in a recent poll, 50 percent of companies said devices needed to be registered for security purposes; however, only 32 percent required the right security software registration.

In the same survey, 17.7 percent of respondents admitted that they don’t tell their IT departments when they are using their personal devices for work purposes.

With these statistics in mind, it is important to establish a comprehensive BYOD policy so that employee satisfaction is maintained without compromising business data security.


BYOD Security: The 5 Biggest Risks and Best Solutions

5 biggest byod risks

1. Exposed Email or Other Employee Interactions

Employees who check work email on personal devices often fail to use basic security measures. If accessed, their email accounts or social media apps may provide easy information.

The Solution

Invest in robust penetration testing to limit what ne’er-do-wells access when they inevitably obtain mobile devices.

Conversations can be further protected via extensive data encryption. Employees should keep personal and work-related interactions separate, ideally using completely different apps for each type of contact.

2. Device Loss or Theft

BYOD workplaces benefit from the approach’s uniquely mobile nature. Unfortunately, on-the-go employees sometimes misplace devices, leaving company data at risk even if properly secured.

The Solution

BYOD businesses should develop extensive anti-loss initiatives. Effective security measures are especially critical for vehicle fleets or airport visits, which account for the majority of BYOD mobile device thefts. In worst-case scenarios, tracking systems can hasten device recovery.

Additionally, mobile data management solutions can remotely wipe compromised devices before the information becomes accessible.

3. Malicious Mobile Apps

Malware remains of concern for desktop and laptop users, but it’s even riskier for unassuming smartphone users. Many employees download problematic apps on their personal devices without bothering to check for authenticity.

Mobile malware may be more difficult to detect, in part because it mimics popular and legitimate apps. For example, many users fell prey to a malicious imitation of the beloved app Super Mario Run.

The malware attack targeted Android users before the legitimate version of the Nintendo app even made its official debut. Those desperate to access the game early suddenly found themselves dealing with the Marcher Trojan, best known for stealing bank information.

Often, an app’s malicious status is virtually undetectable for employees, even months after download.

These apps may use seemingly innocent features such as phone-based cameras or GPS for harmful purposes. Data gathered through integration with calendar apps or audio recorders may be sent to third parties.

Malicious apps are of even greater danger on jailbroken smartphones and tablets, which lack the beefed-up security of standard-issue devices.

The Solution

BYOD policy development must thoroughly prepare companies for the possibility of malware on mobile apps. Workplaces should train employees to recognize problematic apps and ban those already identified as risky.

Additionally, application readiness automation offers IT departments a wealth of information on app behavior.

Companies with an automated readiness solution can quickly identify risky apps to minimize malware damage. Emerging technology known as mobile application management allows IT the ability to modify security settings for each user or application.

4. Cloud-based Storage

Apps such as DropBox allow for easy storage of critical documents in the cloud. They also provide a treasure trove for hackers. Secure cloud storage policies are difficult to enforce in any workplace, but the BYOD approach allows ever-increasing amounts of sensitive data to reach insecure cloud storage systems.

The Solution

Some BYOD proponents recommend that employers allow workers to utilize their preferred cloud solution. This could reduce the potential for user error, which, with cloud storage apps, can prove particularly devastating.

Experts at the SANS Security Institute claim that user error accounts for a shocking one-third of data loss, falling just slightly behind hardware failure.

For companies using a single cloud solution, security is best achieved through robust encryption and authentication. An especially proactive solution: client-side encryption gateways, which prevent sensitive information from reaching an insecure cloud in the first place.

5. Different Versions of Corporate Network Security

From Android phones to iPads, employees use a variety of devices in the workplace. Unfortunately, this makes BYOD risk assessment uniquely difficult. Different network security options exist for each operating system, making it challenging to find a uniform security solution.

The Solution

An ever-increasing array of products allows information security managers to keep a diverse network of devices safe. These products aim to keep vulnerabilities out of the network and off devices, whether they are running Mac, Linux, or Windows software.

From unsecure cloud storage to malicious mobile apps, BYOD issues in the workplace abound. Businesses need not abandon this approach altogether; a robust BYOD security policy allows employees to use their own devices while sidestepping common risks.

BYOD Policy: The 10 Essential Guidelines

If you want to regain control over BYOD security in your organization, you need to have well-designed policies.

 

1. BYOD policies should be held long term

 

Your BYOD policy should be endpoint independent so you can make allowances for new or emerging devices and platforms.

Additionally, your policy should be built for long term use. If you are constantly revising your BYOD policies, you will have a hard time enforcing the established guidelines.

To further reduce confusion and security risks, you can establish different BYOD policies for contractors, temporary, part-time, and full-time employees.

 

2. Involve all parties in the process

 

All interested parties need to be involved in the policy creation process. This means everyone –from senior-level team members to the HR, IT, accounting, and legal departments– should be involved.

Including these team members will help you create a comprehensive policy that meets all your security, functionality, regulatory, legal, and technology requirements. What’s more: any red flags or controversies can be appropriately addressed before they cause any impact.

3. Don’t force policies, adjust instead

 

You wouldn’t force a round peg into a square peg, so don’t try to do the same thing with your BYOD policies.

What works for one company might not work for another. The goal is to create a policy that meets the needs of your employees without compromising data security.

By adopting a mentality of continuous improvement, you can create a policy that can be implemented in stages to achieve flexibility, security, and –of course– support from employees.

4. Create a list of permissible devices

 

Some devices are not suitable for BYOD. With this in mind, it is far better to draft a list of the exact devices and the security requirements they need to meet, in the earliest stages of your BYOD policy implementation.

Additionally, it would help if you insisted that employees take all of the maximum precautions when selecting passwords, using screen locks, and accessing your business network.

 

5. Effective communication

 

These policies only serve a purpose if the people using them understand the requirements, and are aware of the process.

Whether holding an informational session, creating a guidebook, or sitting each employee down with your IT department, one thing is sure –if you fail to communicate your BYOD policies properly, then each user could pose a potential threat.

Finally, make sure that your explanation materials are adequately tailored to each audience, including your support staff, managers, end-users, and various departments. Once again, transparency is KEY.

6. Create policies that benefit both employee and business

 

A BYOD policy is only useful if it is mutually beneficial to the employees and the business. As such, you will need to define policies that employees will use.

For example, depending on your business’s sensitive nature, you might not need to access your employee’s apps or disable the screenshot feature. Instead, you should focus on policies that maintain enterprise security data without infringing on your employees’ privacy and devices.

 

7. Embrace the freedom of choice BYOD offers

 

At its core, BYOD is a consumer-led revolution. Simply put, it is about freedom of choice. By embracing this concept, you can create a comprehensive BYOD policy without opening the door to security risks.

In this spirit, be sure to offer employees a few options about what types of apps they can use courtesy of your enterprise app store.

 

8. Separate between work and personal use

 

A BYOD policy needs to draw a clear line between employees’ work and personal lives. This means that work apps can never be used for personal matters (and vice versa).

Additionally, you should make sure that there is a clear separation between personal and work lives when it comes to using calendar apps, creating contact lists, and sending emails.

 

9. Don’t leave data locally on the device

 

If you want to avoid heightened security risks, then you need to create a BYOD policy that doesn’t leave data on the device.

This means making sure that employees aren’t using apps that store data on their devices. You should also have a strategy to handle transferring data back to a company should an employee quit or be let go.

As a fail-safe, you can use a cross-platform security solution like Prey to track, recover, or –if it comes to that– remotely wipe all data from a device.

 

10. Protect your business from liability

 

When you create a BYOD policy, you must protect your company from the liabilities associated with employees who engage in inappropriate or illegal behavior on their BYOD devices.

From driving and texting to the inappropriate use of certain websites, many behaviors could expose your company to claims of negligence or harm.

Fortunately, a good BYOD policy will not only ban these types of behaviors, but it will also protect your company from their potentially harmful impact.

Are Employees a Bigger Threat Than Cybercrime? What the Research Says

Unfortunately, it seems that many of today’s CTOs, as well as business owners themselves, do in fact feel far warier of the risky behaviors—and sometimes flat out bad intentions—within their organization than they feel regarding anonymous hackers and other cyber-criminals when it comes to mobile security.

Almost 30% of participants in Verizon’s 2018 Mobile Security Index stated employees are the actors they are more concerned about, followed by hacktivists, criminals, state-sponsored attacks, and partners.

Additionally, 39% of respondents whose organizations use employee-owned devices ranked them as their #1 concern. 76% ranked them in their top three.

employee security risk

However, the report states that, “despite broad agreement that the potential risks are serious and growing, most companies are not well prepared”.

Most respondents thought their company’s mobile security measures were somewhat effective, but only one in seven were ready to go as far as saying they were very effective.

With a lax attitude toward mobile security measures or even a dose of malfeasance, an employee can leave a business open to the same risks that result in potentially devastating malware and ransomware attacks from professional hackers on the outside.

Employees Often Compromise a Perfectly Good System of Mobile Security Measures

PWC shares that, while data breach incidents attributed to outside hackers have reduced, internal threats—including suppliers, consultants, and contractors—have stayed about the same, or they have increased.

The number now stands at about 30% when it comes to current employees who are the source of security incidents.

The Reasons That Employees Pose a Security Risk Vary

It is difficult to understand why an employee would leave their company exposed to risks when their relationship is intended to be founded on a certain mutual trust.

A few possible reasons to consider include, per Advisen:

  • Low company morale.
  • Ignorance of mobile security measures.
  • A moment of haste that leads to missed steps.
  • Lack of full understanding of technology policies, whether due to inattention, carelessness or incomplete training.
  • Disgruntlement over any number of possible slights, real or imagined.
  • Sometimes it all boils down to simple greed—if an employee comes across an ethically questionable opportunity, and lacks the moral character to deny it, trouble may come calling.

BYOD Blurs the Lines Between Ownership and Control

It is an attractive proposition for CTOs –as well as CFOs and CEOs– to skip the step and cost of purchasing mobile devices for employees. But, as is the case with most things that seem too good to be true, there is a downside to the BYOD revolution.

When the employee controls the device, it is simply more difficult for the CTO to enforce crucial mobile security measures, such as ensuring anti-virus protection and data encryption or making sure that necessary patches and updates are applied in a timely manner.

Additional risky or concerning behaviors that employees engage in when it comes to BYOD—or even on company-owned devices that employees keep with them 24/7— include:

  • Downloading mobile apps
  • Visiting questionable websites; at least in terms of company policy
  • Using the company’s networks in improper contexts

Conclusion

Creating a secure BYOD policy for your company is about protecting vital business data and, at the same time– taking precautions that make it possible to give employees the freedom to use their personal devices in the workplace, for work-related purposes.

This guide shows that it is possible to create a comprehensive BYOD policy your employees will appreciate and protect valuable business data and assets.

laptop loss theft tracking
About the author

Nicolas Poggi

Nicolas Poggi is the head of mobile research at Prey, Inc., provider of the open source Prey Anti-Theft software protecting eight million mobile devices. Nic’s work explores technology innovations within the mobile marketplace, and their impact upon security. Nic also serves as Prey’s communications manager, overseeing the company’s brand and content creation. Nic is a technology and contemporary culture journalist and author, and before joining Prey held positions as head of indie coverage at TheGameFanatics, and as FM radio host and interviewer at IndieAir.