
Why Is BYOD a Security Risk?

A new year may see companies reassessing various aspects of their operations, but beware: those who mean you harm and intend to fill their pockets with ill-gotten gains by fair means or foul (and fair will not be involved) will have some ideas of their own.

No company can exclude security considerations from any plans, especially when technology is involved, be it software or hardware, because cybercriminals will be looking for new ways to exploit weaknesses to steal money, identities, and data or extort cash using ransomware.

However, while developments in technology mean the cyber crooks are constantly seeking new avenues for lucrative criminal activity, some of the issues remain just what they were in 2023 and for some years before. Chief among them is the choice between having a BYOD policy in place for your business and choosing an enterprise mobility solution.

BYOD: Popular, But Risky

BYOD, or bring your own device, has been common in the workplace, allowing staff to utilize their laptops, mobiles, tablets, and other items to carry out work functions.

It has held obvious appeal for employers, as they theoretically save money by not having to purchase mobile devices for employees to use on the job. It also saves time and money on training, as staff will be comfortable and familiar with the devices and will already know how to use them.

However, this comes with some significant potential downsides. The private use of these devices by staff in their own time can mean they log on to various sites (some with poor security), give out personal details, reuse passwords that are the same as those used for work, and download files that may compromise security.

All of these activities may give cybercriminals access to those devices, including data stored on them. This risk is higher because these devices can operate outside the stricter security measures of a company and may not have in-built security features in the same way devices supplied by the business solely for work use will have. Needless to say, the crooks know this and will be ready to exploit any vulnerabilities that are opened up by BYOD policies.

Additionally, the simple fact that a device containing sensitive business information can be taken home at the end of the work day increases the likelihood of these attractive consumer devices being stolen or lost. And the question of who bears the cost of maintaining, repairing, and replacing devices becomes ambiguous when the phone is owned by the employee but used to perform work functions.

Plus, if a staff member’s personal device breaks or runs out of battery charge while on the job, it is not as easy to give them a replacement device to complete their shift, affecting their work output and ability to communicate. Unlike enterprise devices, most consumer devices do not have removable batteries that can be charged separately, and this is a factor to consider.

Is The Answer Just Making BYOD Safer?

This raises some key questions for companies about whether BYOD is worth the risk. The savings made on investment in devices may be only a fraction of the cost of a major security breach. Quite apart from the initial losses incurred directly, there are further problems such as reputational damage that can lead to customers taking their business elsewhere.

One way of trying to tackle the issue is through having enterprise-driven mobile policies. Another is by employing a series of security steps to make BYOD safer.

These could include commitments by staff to install certain security applications on their phones, such as multi-layer password protection, bi-annual re-authentication (limiting the use of a device that is stolen), or requiring that any device can only connect to your systems via a VPN.

Further steps might include restricting offline use of a phone (except for calls, of course), training your staff in BYOD security and improving your firewalls to protect against any incursions made via devices.

Most of these could equally apply to company-provided devices. However, some applications and policies may be invaluable for a firm with a BYOD policy. This would include having mobile device management (MDM) software to help wipe data and block access if a phone is stolen, as well as when an employee leaves the firm.
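The controls listed above (bi-annual re-authentication, VPN-only access, MDM enrolment, and remote wipe when a device is lost or an employee leaves) can be expressed as a single access decision. The following is an added example, not code from the original post or from any MDM product; the device attributes, the approved-model list, and the sample fleet are all constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed sample allow-list of models the IT team supports (hypothetical names).
APPROVED_MODELS = {"Acme Phone 12", "Acme Tablet 4"}
# "Bi-annual re-authentication": treat anything older than ~6 months as overdue.
REAUTH_INTERVAL = timedelta(days=182)


@dataclass
class Device:
    device_id: str
    model: str
    user_active: bool      # False once the employee has left the firm
    mdm_enrolled: bool     # MDM agent present, so remote wipe is possible
    reported_lost: bool    # owner has reported the device lost or stolen
    via_vpn: bool          # current connection arrives over the corporate VPN
    last_reauth: date      # when the user last completed full re-authentication


def evaluate(dev: Device, today: date) -> tuple[str, str]:
    """Return (action, reason). Action is 'wipe', 'deny' or 'allow'.

    Wipe decisions are checked first: a lost device or a departed employee
    must lose company data regardless of any other attribute.
    """
    if dev.reported_lost:
        return "wipe", "device reported lost or stolen"
    if not dev.user_active:
        return "wipe", "employee no longer with the firm"
    # Access controls, applied only to devices that still belong to active staff.
    if not dev.mdm_enrolled:
        return "deny", "device not enrolled in MDM"
    if dev.model not in APPROVED_MODELS:
        return "deny", f"model {dev.model!r} not on approved list"
    if not dev.via_vpn:
        return "deny", "connection is not over the corporate VPN"
    if today - dev.last_reauth > REAUTH_INTERVAL:
        return "deny", "re-authentication overdue"
    return "allow", "all checks passed"


def fleet_report(fleet: list[Device], today: date) -> dict[str, str]:
    """Map each device id to its action so the IT team can act on the wipes/denials."""
    return {d.device_id: evaluate(d, today)[0] for d in fleet}
```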

Why the Enterprise-Driven Approach Is Better

These steps could certainly make BYOD safer. However, the enterprise-driven mobile policy approach can be much more effective and efficient.

Different possibilities exist. One is to provide devices such as smartphones that staff can still use for personal purposes but are provided by the company and are equipped with their own security applications, such as MDM or Enterprise Mobility Management (EMM). Similarly, these company-provided devices can be designated for work-use only, while staff are required to keep personal business on their personal devices, helping to maintain that extra level of security and discouraging the possibility that a personal device might accidentally be used to share protected business information. This is particularly critical in healthcare environments, where HIPAA violations are very serious.

Similarly, a phone could be chosen by the staff member from an approved list compatible with these systems. This provides security barriers against risky use of devices and means data can be wiped or access denied if needed. This still poses the risk of staff using multiple different devices while on shift, requiring IT teams to know how to troubleshoot and operate multiple device types and adding the extra layer of needing to ensure that all critical workflow applications work the same on each device. Additionally, consumer devices routinely roll out automatic updates that are often outside the control of the business, and IT/Telecomm staff would need to monitor for all of these to make sure these operating system updates do not compromise the critical business applications on the device.

These options provide one major advantage for businesses and those responsible for IT security. In a standard BYOD scenario, employees may collectively have many models. This presents the problem of finding MDM or EMM systems that work equally effectively for many different devices, an onerous and technically difficult task.

Bringing everything under one umbrella of standardized equipment and software makes it far easier to apply the same systems to all devices. It means, for example, that you can be more sure that MDM, with the capability to wipe a mobile remotely, will work on every device that holds company data or has access to your systems.

A further factor is that those standardized devices can be selected for their capacity to host the best security measures, which may include biometric authentication, encryption, and the crucial device-wiping capability. Knowing this in advance makes establishing the security apparatus less costly and time-consuming.

BYOD may be regarded highly by some because it gives staff a sense that they are trusted and retain a sense of autonomy. However, the alternative of centralization is of far greater practical use.

Centralization means devices can have their health monitored in a way that is impossible with BYOD (since some devices may not be equipped for this), while updates can also be rolled out easily across all phones in the business when each device receives them in the same way.

Beware The Inside Threat

Monitoring is another area where centralization and the use of standardized devices issued by the business offer a clear advantage over BYOD. In the latter case, staff may naturally resist having their personal devices monitored, fearing intrusion into their private affairs, or object to a policy that lets the business remotely wipe their device should a security threat be suspected. A company device used just for work helps to eliminate this issue.

This can be particularly useful for dealing with inside threats. While it is true that the biggest danger may come from external hackers looking to extort money or steal data from companies, no firm should ignore the potential for insiders to do damage.

Whether these are disgruntled employees acting alone or individuals in cahoots with crooks from outside the company, people with access who can leak information and bypass security are a huge danger. It has been recognized for some time that BYOD heightens this risk, which is one of its major downsides.

For instance, a staff member using their own device can easily load data onto a personal cloud storage system, meaning a copy of this information will then exist outside your company’s reach. Without effective monitoring, this can go on without your firm knowing about it until it is far too late and the lost money or data cannot be recovered.

At the same time, so many insider threats are anything but malicious. This brings us back to the greatest risk of BYOD: the fact that personal use can mean device owners visiting insecure websites, downloading documents carelessly, and accidentally responding to phishing emails. Innocent errors can open the door to far-from-innocent actors.

When Regulations Raise The Bar On Security

All the above deals with how it makes sense for firms to take control of their mobile policies and systems. But there are extra considerations for particular firms.

For example, data protection laws and financial regulations mean that companies operating in sectors like finance, healthcare, and the legal profession are subject to particularly stringent regulations.

In the case of finance, there is an obvious reason for crooks to try to hack accounts or try to get people to part with crucial financial information that can enable fraud or criminal activities like money laundering to take place.

For medical or legal issues, the key factor is that of personal privacy, which is protected by law in the first place and is also crucial in the second in enabling the client of a legal firm to conduct their affairs or have their case represented without compromising information leaking out.

Failure to comply with these regulations can lead to sanctions from regulators, such as big fines and reputational damage. It might also lead to legal action from customers, patients, or clients.

Conclusion

Put together, there is a range of potentially huge financial calamities that lurk as a result of data security breaches. Whether these are ransoms, embezzlement and fraud, legal action from clients, lost earnings from denial-of-service attacks, fines from regulators, or the loss of customers after any of these things has damaged your reputation, the list is long and costly.

Putting all that together, it should be clear enough that BYOD, while representing an upfront cost saving on mobile equipment and other devices, risks being a false economy.

By investing in a centralized set of devices of the same (or similar and compatible) models, then applying to them a security regime that works well with all of them and can provide solid authentication, reliable monitoring, and the crucial capacity to wipe company information from devices when necessary, you can give your firm the security it needs to stay safe.