The BYOD Policy Guide: Biggest Risks and Best Solutions for Security

As a user-generated movement, Bring Your Own Device (BYOD) is clearly unstoppable. Every study and poll out there shows an inexorable, growing adoption curve with no sign of slowing down.

Given the new world of remote work and a continued increase in cyberattacks, many companies have been blindsided by the need to create BYOD policies that emphasize company and employee security. 

Unfortunately, most companies have come to the battle of device security unarmed.

In fact, in a recent poll, 50 percent of companies said devices needed to be registered for security purposes; however, only 32 percent required registration of the appropriate security software.

In the same survey, 17.7 percent of respondents admitted that they don’t tell their IT departments when they are using their personal devices for work purposes.

With these statistics in mind, it is important to establish a comprehensive BYOD policy so that employee satisfaction is maintained without compromising business data security.

What is BYOD?

BYOD is an acronym for Bring Your Own Device. It generally refers to company policies that allow for employees to bring their own devices to work (and take them home) instead of having work-specific devices.

Why is BYOD Security Important?

BYOD can come with some major security risks (as you surely can imagine). We’ve taken some time to outline the biggest and most common risks we’ve seen.


5 Biggest BYOD Risks + How to Solve Them

1. Exposed Email or Other Employee Interactions

Employees who check work email on personal devices often fail to use basic security measures. If accessed, their email accounts or social media apps may provide easy information.

The Solution

Invest in robust penetration testing to limit what ne’er-do-wells can access when they inevitably obtain mobile devices.

Conversations can be further protected via extensive data encryption. Employees should keep personal and work-related interactions separate, ideally using completely different apps for each type of contact.

2. Device Loss or Theft

BYOD workplaces benefit from the approach’s uniquely mobile nature. Unfortunately, on-the-go employees sometimes misplace devices, leaving company data at risk even if properly secured.

The Solution

BYOD businesses should develop extensive anti-loss initiatives. Effective security measures are especially critical for vehicle fleets or airport visits, which account for the majority of BYOD mobile device thefts. In worst-case scenarios, tracking systems can hasten device recovery.

Additionally, mobile data management solutions can remotely wipe compromised devices before the information becomes accessible.

3. Malicious Mobile Apps

Malware remains of concern for desktop and laptop users, but it’s even riskier for unassuming smartphone users. Many employees download problematic apps on their personal devices without bothering to check for authenticity.

Mobile malware may be more difficult to detect, in part because it mimics popular and legitimate apps. For example, many users fell prey to a malicious imitation of the beloved app Super Mario Run.

The malware attack targeted Android users before the legitimate version of the Nintendo app even made its official debut. Those desperate to access the game early suddenly found themselves dealing with the Marcher Trojan, best known for stealing bank information.

Often, an app’s malicious status is virtually undetectable for employees, even months after download.

These apps may use seemingly innocent features such as phone-based cameras or GPS for harmful purposes. Data gathered through integration with calendar apps or audio recorders may be sent to third parties.

Malicious apps are of even greater danger on jailbroken smartphones and tablets, which lack the beefed-up security of standard-issue devices.

The Solution

BYOD policy development must thoroughly prepare companies for the possibility of malware on mobile apps. Workplaces should train employees to recognize problematic apps and ban those already identified as risky.

Additionally, application readiness automation offers IT departments a wealth of information on app behavior.

Companies with an automated readiness solution can quickly identify risky apps to minimize malware damage. Emerging technology known as mobile application management allows IT the ability to modify security settings for each user or application.

4. Cloud-based Storage

Apps such as Dropbox allow for easy storage of critical documents in the cloud. They also provide a treasure trove for hackers. Secure cloud storage policies are difficult to enforce in any workplace, but the BYOD approach allows ever-increasing amounts of sensitive data to reach insecure cloud storage systems.

The Solution

Some BYOD proponents recommend that employers allow workers to utilize their preferred cloud solution. This could reduce the potential for user error, which, with cloud storage apps, can prove particularly devastating.

Experts at the SANS Security Institute claim that user error accounts for a shocking one-third of data loss, falling just slightly behind hardware failure.

For companies using a single cloud solution, security is best achieved through robust encryption and authentication. An especially proactive solution: client-side encryption gateways, which prevent sensitive information from reaching an insecure cloud in the first place.

5. Different Versions of Corporate Network Security

From Android phones to iPads, employees use a variety of devices in the workplace. Unfortunately, this makes BYOD risk assessment uniquely difficult. Different network security options exist for each operating system, making it challenging to find a uniform security solution.

The Solution

An ever-increasing array of products allows information security managers to keep a diverse network of devices safe. These products aim to keep vulnerabilities out of the network and off devices, whether they are running Mac, Linux, or Windows software.

From unsecure cloud storage to malicious mobile apps, BYOD issues in the workplace abound. Businesses need not abandon this approach altogether; a robust BYOD security policy allows employees to use their own devices while sidestepping common risks.

BYOD Policy Essentials

If you want to regain control over BYOD security in your organization, you need to have well-designed policies.

BYOD Policies Should Be Held Long Term

Your BYOD policy should be endpoint independent so you can make allowances for new or emerging devices and platforms. Endpoint independent means that the policy can be applied to all future devices.

Additionally, your policy should be built for long-term use. If you are constantly revising your BYOD policies, you will have a hard time enforcing the established guidelines.

To further reduce confusion and security risks, you can establish different BYOD policies for contractors, temporary, part-time, and full-time employees.

Involve All Parties in the Process

All interested parties need to be involved in the policy creation process. This means everyone, from senior-level team members to the HR, IT, accounting, and legal departments, should be involved.

Including these team members will help you create a comprehensive policy that meets all your security, functionality, regulatory, legal, and technology requirements. What’s more: any red flags or controversies can be appropriately addressed before they cause any impact.

Don’t Force Policies, Adjust Instead

You wouldn’t force a round peg into a square hole, so don’t try to do the same thing with your BYOD policies.

What works for one company might not work for another. The goal is to create a policy that meets the needs of your employees without compromising data security.

By adopting a mentality of continuous improvement, you can create a policy that can be implemented in stages to achieve flexibility, security, and, of course, support from employees.

Create a List of Permissible Devices

Some devices are not suitable for BYOD, although that list gets shorter and shorter as remote work emerges. With this in mind, it is far better to draft a list of the exact devices and the security requirements they need to meet, in the earliest stages of your BYOD policy implementation.

Additionally, it would help if you insisted that employees take maximum precautions when selecting passwords, using screen locks, and accessing your business network.
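The "list of permissible devices and the security requirements they need to meet" is easiest to enforce when it is written down as data and checked by the same routine for every device. The following Python example is added here and is not code from the article or from Prey: it encodes a per-platform policy (minimum OS version, screen lock, storage encryption, no rooting or jailbreaking, maximum patch age) and evaluates a device's self-reported posture against it, returning an allow/deny decision with every failed requirement listed. The platform names, version floors and sample device records are constructed values, not any vendor's real policy.

```python
"""BYOD permissible-device check.

Added example, not code from the article or from Prey: it expresses a
"list of permissible devices" and their security requirements as data,
then evaluates a device's self-reported posture against that policy and
returns an allow/deny decision together with every requirement that
failed. Platform names, version floors and device records below are
constructed sample values, not any vendor's real policy.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class PlatformPolicy:
    """Security requirements a device of one platform must meet."""
    min_os_version: tuple          # e.g. (15, 0) means 15.0 or newer
    require_screen_lock: bool = True
    require_encryption: bool = True
    allow_rooted: bool = False     # rooted / jailbroken devices are denied
    max_patch_age_days: int = 90   # how stale the last security patch may be


# Constructed sample policy: only these platforms are permissible at all.
BYOD_POLICY = {
    "ios": PlatformPolicy(min_os_version=(15, 0)),
    "android": PlatformPolicy(min_os_version=(11, 0)),
    "windows": PlatformPolicy(min_os_version=(10, 0), max_patch_age_days=45),
}


@dataclass
class DevicePosture:
    """What the device (or an MDM agent on it) reports about itself."""
    platform: str
    os_version: str
    screen_lock: bool
    encrypted: bool
    rooted_or_jailbroken: bool
    patch_age_days: int


def parse_version(text: str) -> tuple:
    """'15.4.1' -> (15, 4, 1); parsing stops at the first non-numeric part."""
    parts = []
    for piece in text.split("."):
        if not piece.isdigit():
            break
        parts.append(int(piece))
    return tuple(parts)


def version_at_least(actual: tuple, minimum: tuple) -> bool:
    """Compare versions after zero-padding, so '15' satisfies a (15, 0) floor."""
    width = max(len(actual), len(minimum))
    padded_actual = actual + (0,) * (width - len(actual))
    padded_minimum = minimum + (0,) * (width - len(minimum))
    return padded_actual >= padded_minimum


def evaluate(device: DevicePosture, policy=BYOD_POLICY):
    """Return (allowed, reasons); reasons is empty when the device is allowed."""
    rule = policy.get(device.platform.lower())
    if rule is None:
        return False, [f"platform '{device.platform}' is not on the permissible-device list"]
    reasons = []
    if not version_at_least(parse_version(device.os_version), rule.min_os_version):
        floor = ".".join(str(n) for n in rule.min_os_version)
        reasons.append(f"OS version {device.os_version} is below the required {floor}")
    if rule.require_screen_lock and not device.screen_lock:
        reasons.append("no screen lock configured")
    if rule.require_encryption and not device.encrypted:
        reasons.append("device storage is not encrypted")
    if device.rooted_or_jailbroken and not rule.allow_rooted:
        reasons.append("device is rooted or jailbroken")
    if device.patch_age_days > rule.max_patch_age_days:
        reasons.append(f"last security patch is {device.patch_age_days} days old "
                       f"(limit {rule.max_patch_age_days})")
    return (not reasons), reasons


# Constructed sample devices, as an enrollment step might receive them.
SAMPLE_DEVICES = {
    "alice-iphone": DevicePosture("iOS", "15.4.1", True, True, False, 30),
    "bob-android": DevicePosture("Android", "10", False, True, True, 120),
    "carol-chromebook": DevicePosture("ChromeOS", "102.0", True, True, False, 10),
}


def enrollment_report(devices=SAMPLE_DEVICES):
    """Map each device name to its (allowed, reasons) decision."""
    return {name: evaluate(dev) for name, dev in devices.items()}


if __name__ == "__main__":
    for name, (allowed, reasons) in enrollment_report().items():
        status = "ALLOW" if allowed else "DENY"
        print(f"{name}: {status}" + ("" if allowed else " - " + "; ".join(reasons)))
```

Returning every failed requirement, rather than stopping at the first one, lets the help desk tell an employee everything they need to fix before re-enrolling, and the same policy table can hold a stricter entry for contractors or part-time staff as the policy section above recommends.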

Effective Communication

These policies only serve a purpose if the people using them understand the requirements, and are aware of the process.

Whether holding an informational session, creating a guidebook, or sitting each employee down with your IT department, one thing is sure: if you fail to communicate your BYOD policies properly, then each user could pose a potential threat.

Finally, make sure that your explanation materials are adequately tailored to each audience, including your support staff, managers, end-users, and various departments. Once again, transparency is KEY.

Create Policies That Benefit Both Employee and Business

A BYOD policy is only useful if it is mutually beneficial to the employees and the business. As such, you will need to define policies that employees will use.

For example, depending on your business’s sensitive nature, you might not need to access your employee’s apps or disable the screenshot feature. Instead, you should focus on policies that maintain enterprise security data without infringing on your employees’ privacy and devices.

Embrace the Freedom of Choice BYOD Offers

At its core, BYOD is a consumer-led revolution. Simply put, it is about freedom of choice. By embracing this concept, you can create a comprehensive BYOD policy without opening the door to security risks.

In this spirit, be sure to offer employees a few options about what types of apps they can use courtesy of your enterprise app store.

Separate Between Work and Personal Use

A BYOD policy needs to draw a clear line between employees’ work and personal lives. This means that work apps can never be used for personal matters (and vice versa).

Additionally, you should make sure that there is a clear separation between personal and work lives when it comes to using calendar apps, creating contact lists, and sending emails.

Don’t Leave Data Locally on the Device

If you want to avoid heightened security risks, then you need to create a BYOD policy that doesn’t leave data on the device.

This means making sure that employees aren’t using apps that store data on their devices. You should also have a strategy to handle transferring data back to a company should an employee quit or be let go.

As a fail-safe, you can use a cross-platform security solution like Prey to track, recover, or, if it comes to that, remotely wipe all data from a device.

Protect Your Business From Liability

When you create a BYOD policy, you must protect your company from the liabilities associated with employees who engage in inappropriate or illegal behavior on their BYOD devices.

From driving and texting to the inappropriate use of certain websites, many behaviors could expose your company to claims of negligence or harm.

Fortunately, a good BYOD policy will not only ban these types of behaviors, but it will also protect your company from their potentially harmful impact.

Are Employees a Bigger Threat Than Cybercrime? What the Research Says

Unfortunately, it seems that many of today’s CTOs, as well as business owners themselves, are in fact far warier of the risky behaviors (and sometimes outright bad intentions) within their own organization than of anonymous hackers and other cyber-criminals when it comes to mobile security.

Verizon’s most recent 2020 Data Breach Investigations Report showed that actually, 70% of attacks are external.

However, they also found that casual events caused 22% of attacks surveyed, and 67% of attacks were initiated by malicious emails. This puts companies in a particularly vulnerable place, with so many mobile devices at risk of opening malicious emails. They also found that “credential theft, errors and social attacks are the three most common culprits in breaches.” This puts remote workers at particular risk.

With a lax attitude toward mobile security measures or even a dose of malfeasance, an employee can leave a business open to the same risks that result in potentially devastating malware and ransomware attacks from professional hackers on the outside.

Employees Often Compromise a Perfectly Good System of Mobile Security Measures

PwC shares that, while data breach incidents attributed to outside hackers have declined, internal threats, including suppliers, consultants, and contractors, have stayed about the same or have increased.

The number now stands at about 30% when it comes to current employees who are the source of security incidents.

The Reasons That Employees Pose a Security Risk Vary

It is difficult to understand why an employee would leave their company exposed to risks when their relationship is intended to be founded on a certain mutual trust.

A few possible reasons to consider include, per Advisen:

  • Low company morale.
  • Ignorance of mobile security measures.
  • A moment of haste that leads to missed steps.
  • Lack of full understanding of technology policies, whether due to inattention, carelessness or incomplete training.
  • Disgruntlement over any number of possible slights, real or imagined.
  • Sometimes it all boils down to simple greed—if an employee comes across an ethically questionable opportunity, and lacks the moral character to deny it, trouble may come calling.

BYOD Blurs the Lines Between Ownership and Control

It is an attractive proposition for CTOs, as well as CFOs and CEOs, to skip the step and cost of purchasing mobile devices for employees. But, as is the case with most things that seem too good to be true, there is a downside to the BYOD revolution.

When the employee controls the device, it is simply more difficult for the CTO to enforce crucial mobile security measures, such as ensuring anti-virus protection and data encryption or making sure that necessary patches and updates are applied in a timely manner.

Additional risky or concerning behaviors that employees engage in when it comes to BYOD (or even on company-owned devices that employees keep with them 24/7) include:

  • Downloading mobile apps
  • Visiting questionable websites, at least in terms of company policy
  • Using the company’s networks in improper contexts

Conclusion

Creating a secure BYOD policy for your company is about protecting vital business data and, at the same time, taking precautions that make it possible to give employees the freedom to use their personal devices in the workplace for work-related purposes.

However, it is possible to create a comprehensive BYOD policy that your employees will appreciate and that protects valuable business data and assets. If you’d like to learn more about Preyproject’s role in securing your company’s assets, check out our buyer’s guide.

About the author

Nicolas Poggi

Nicolas Poggi is the head of mobile research at Prey, Inc., provider of the open source Prey Anti-Theft software protecting eight million mobile devices. Nic’s work explores technology innovations within the mobile marketplace, and their impact upon security. Nic also serves as Prey’s communications manager, overseeing the company’s brand and content creation. Nic is a technology and contemporary culture journalist and author, and before joining Prey held positions as head of indie coverage at TheGameFanatics, and as FM radio host and interviewer at IndieAir.