Bring your own device (BYOD) was a very hot topic a few years ago. While vendors had introduced a number of variants (see below) prior to COVID-19, interest among organizations seemed to have waned. However, when restrictions were put in place to combat the pandemic, many companies relied heavily on employees using their own devices to maintain operations. More than one in three (36%) organizations opened up access to corporate resources and systems to employees using personal devices—that’s on top of those that already allowed it.
Mobile Security Index
Another factor driving increased interest in BYOD is the rise of the “gig economy.” This isn’t limited to delivery riders; roles like telesales and support can fit this model very well. Companies are increasingly using this approach to enable them to scale more quickly as demand ebbs and flows. Verizon’s 2020 The Future of Work report found that about half (49%) of respondents thought that the pandemic had increased the importance of participating more actively in the gig economy in order to gain quick access to part-time and temporary workers.12 Even if these workers don’t have direct access to key business systems and data, attackers can exploit the access that they do have and then “move laterally” to more sensitive assets.
The rise of the “Omniworker”
As we discussed earlier in this section, companies expected working from home to fall once restrictions were lifted, but to remain significantly higher than before—about 54% over pre-pandemic levels. Numerous reports have suggested that the majority of employees want to keep working from home at least some of the time.
Of those organizations that had adopted BYOD or BYOPC during lockdown, many (39% and 42% respectively) said that they anticipated continuing with it after restrictions related to COVID-19 were lifted.
This brings to mind the words of computing pioneer Admiral Grace Hopper, “It’s easier to ask forgiveness than it is to get permission.” Just as with the concept of home working, the uptake of bring-your-own programs had been hampered by entrenched attitudes. But now that the tanker (or should that be aircraft carrier?) has turned, it seems that many are happy to stick with their new course.
We anticipate that bring-your-own policies will be firmly back on the agenda in 2021.
There was a 97% increase in personal use of managed devices.13
Securing BYOD/BYOPC programs
Backed by industry standards
These recommendation sections are structured around the five functions in the National Institute of Standards and Technology (NIST) Cybersecurity Framework. This is a widely recognized model based on international standards and input from public- and private-sector organizations and academia. It provides a helpful model for looking at all aspects of cybersecurity.
To find out more, visit nist.gov/cyberframework
- As with any security topic, understanding the risks is a crucial first step. You should develop a detailed BYOD policy that clearly lists responsibilities. This should tackle the tough questions, such as whether the organization has the right to remotely wipe (or seize) the device if a security threat is detected. But beware of being too draconian. A secure BYOD program relies on users feeling able to share concerns, not covering up potential issues. For the same reason, make sure that the policy is written in clear language and is easy to understand. This may involve translating it into local languages.
- Ensure that all your employees understand their responsibilities when using their own devices for business purposes. This matters because people behave differently when using a personal device than when using a company-owned one. Differences could include letting a friend or family member use it, giving the login password to a third-party support or repair person, or simply visiting inappropriate sites.
- Proofpoint found that the vast majority (90%) of people back up important files using a cloud-based storage service or an external drive.14 While this could be good news from the perspective of business continuity—and thwarting ransomware attacks—it could be worrying in terms of IT having little insight or control over where sensitive data is stored. You should educate users on the dangers of storing corporate information locally on devices, especially ones not controlled by the organization.
- Not all threats are malicious. Employees often increase risk unintentionally or even with the best of intentions. For example, a user might have their devices set up to automatically back up to the cloud. If that user then starts using a device for work purposes, this could not just pose an additional security risk but also contravene privacy regulations. Those who are new to remote working are likely to be less aware of such issues than experienced Omniworkers and Nomads.
- Educate users on the importance of managing the permissions granted to apps. Users often aren’t aware of how some permissions can be exploited for nefarious purposes.
- There are a range of technical services, such as MDM, that can help remotely secure, manage and support personally owned devices. Some of these have a “container mode,” which enables administrators to create an isolated area of the device to run corporate applications in. As well as giving increased control, this can also get around the potentially thorny issue of permission to wipe an employee-owned device.
- Strong authentication is important on every device, but BYOD presents particular challenges. With personally owned devices, IT will have less control and visibility, so malware can be more of an issue. The compromise of credentials could lead to sensitive business applications and data being exposed. Consider using different credentials and giving devices not controlled by the company restricted access.
- Ensure that participants—especially former Commuters and others new to using personal devices for work—understand the importance of keeping both the operating system (OS) and apps up to date. And educate them on the dangers of malware and how to reduce the risks. Malware on the device could defeat protections like containerization.
- A zero trust approach is ideal for a BYOD program. It can reduce the reliance on end users making informed and security-conscious decisions. And it can improve user satisfaction and productivity, as it automates many aspects of security protections, reducing the number of intrusions into the user’s activities. See the zero trust section of this report for more.
- BYOD devices should have all the standard security measures—such as mobile threat detection (MTD)—that you’d put on a company-owned and controlled device. An MDM solution can make managing a diverse fleet of devices much easier, including deploying applications, checking that patches have been installed and enabling remote wipe if a device is lost, stolen or compromised.
- Endpoint detection and response (EDR) uses behavior-based analysis to provide threat protection. A typical EDR solution consists of an agent that sits on the device and gathers thousands of data points. These data points are automatically analyzed to detect threats and mitigate them. These solutions can also provide much greater visibility into the mobile fleet, providing valuable insight.
- Consider implementing data loss prevention (DLP) to detect and block the exfiltration of information. But give users an authorized—and easy-to-use—means to share files outside the company, to avoid backing them into a corner.
- Many traditional security controls relied upon having a relatively homogeneous fleet of devices—the “bad old days” of everybody having the same brick phone and laptop. Most BYOD programs increase the variety of devices being used—in fact, many programs were introduced to answer demand for specific devices. This is likely to place increased demand on support, as there will be more operating systems to understand, more operating systems and app variants to patch, and more device-specific vulnerabilities to worry about. Make sure that your team is prepared for this, or you could be creating a security nightmare.
- Ensure that staff members know what to do if a device is lost or stolen, or they spot something suspicious—this should be part of your general security policy, but it’s worth reiterating here. Make sure that your employees feel comfortable reporting potential issues, as this can help identify attacks faster. Early detection can drastically reduce the damage caused, but, as anybody who has read the Verizon DBIR will know, it often doesn’t happen. Make it easy—it shouldn’t be something people have to look up—and remember, the employee might not be able to access company systems when reporting an issue. Create a memorable external-facing email alias like firstname.lastname@example.org
- Remember that employees may not have the cash to replace an expensive device and an insurance policy may take time to pay out. Make sure that you have some spare devices to loan to users to keep them productive while loss/theft issues are resolved.
- Unlike devices bought by the company, the IT department may never get their hands on new devices under BYOD programs. Consider the time it may take to build a new device over a typical home broadband connection—apps like Microsoft 365 (formerly Microsoft Office 365) are a multiple gigabyte download. Provide users with advice on prioritizing the build process and how to use web-based options (such as Microsoft 365 Online) in the meantime.
- MTD combined with unified endpoint management (UEM) can help bring devices that are out of compliance back into line through self-remediation.
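Several of the recommendations above (checking that patches are installed, requiring MTD, running corporate apps in a container, giving devices the company does not control restricted access, and routing non-compliant devices to self-remediation) can be expressed as one access-policy function. The following Python is an added illustration, not code from the Verizon report or from any MDM or UEM product; the `DevicePosture` fields, the minimum OS version, the sensitivity tiers and the sample fleet are all constructed for the example.

```python
"""Zero-trust style access decision from BYOD device posture (illustrative)."""
from __future__ import annotations

from dataclasses import dataclass
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"
    STEP_UP = "step-up"       # grant only after additional authentication
    REMEDIATE = "remediate"   # block and route the device to UEM self-remediation
    DENY = "deny"


@dataclass(frozen=True)
class DevicePosture:
    """Posture record as a hypothetical MDM/MTD agent might report it."""
    device_id: str
    corporate_owned: bool
    os_version: str             # "major.minor.patch"
    mtd_installed: bool         # mobile threat defense agent present and reporting
    in_managed_container: bool  # corporate apps isolated in a work profile/container
    compromised: bool           # jailbreak/root detected or active MTD alert


# Constructed placeholders for this example, not values from the report.
MIN_OS_VERSION = "14.0.1"
SENSITIVITY_TIERS = ("low", "high")


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '14.2.1' into (14, 2, 1) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))


def evaluate_access(posture: DevicePosture, sensitivity: str) -> tuple[Decision, list[str]]:
    """Return the access decision and the reasons behind it.

    Order matters: a compromised device is refused before anything else is
    considered; ordinary non-compliance goes to remediation rather than a flat
    deny, so the user has a path back; only then does ownership decide how
    much access is granted.
    """
    if sensitivity not in SENSITIVITY_TIERS:
        raise ValueError(f"unknown sensitivity tier: {sensitivity!r}")

    if posture.compromised:
        return Decision.DENY, ["device compromised or active threat reported by MTD"]

    gaps: list[str] = []
    if parse_version(posture.os_version) < parse_version(MIN_OS_VERSION):
        gaps.append(f"OS {posture.os_version} below minimum {MIN_OS_VERSION}")
    if not posture.mtd_installed:
        gaps.append("mobile threat defense agent missing")
    if gaps:
        return Decision.REMEDIATE, gaps

    if posture.corporate_owned:
        return Decision.ALLOW, ["managed device, posture compliant"]

    # Personally owned device: restricted access, as recommended above.
    if sensitivity == "high":
        if not posture.in_managed_container:
            return Decision.DENY, ["BYOD outside managed container cannot reach high-sensitivity data"]
        return Decision.STEP_UP, ["BYOD in managed container; require additional authentication"]
    return Decision.ALLOW, ["BYOD device compliant for low-sensitivity resource"]


# Constructed sample fleet for the example.
SAMPLE_FLEET = [
    DevicePosture("corp-01", True, "14.2.0", True, True, False),
    DevicePosture("byod-01", False, "14.2.0", True, True, False),
    DevicePosture("byod-02", False, "14.2.0", True, False, False),
    DevicePosture("byod-03", False, "13.7.0", False, True, False),
    DevicePosture("byod-04", False, "14.2.0", True, True, True),
]


def fleet_decisions(fleet: list[DevicePosture], sensitivity: str) -> dict[str, Decision]:
    """Evaluate every device against one resource tier, e.g. for a compliance dashboard."""
    return {p.device_id: evaluate_access(p, sensitivity)[0] for p in fleet}


if __name__ == "__main__":
    for tier in SENSITIVITY_TIERS:
        print(f"--- {tier}-sensitivity resource ---")
        for device_id, decision in fleet_decisions(SAMPLE_FLEET, tier).items():
            print(f"{device_id}: {decision.value}")
```

The point of returning reasons alongside the decision is that a device pushed to `REMEDIATE` can be shown (or sent, via UEM) exactly what to fix, which is the self-remediation loop the last recommendation describes, while `STEP_UP` lets a compliant personal device reach sensitive data without being trusted as much as a managed one.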
Performing digital forensics on an employee-owned device can present many problems. Develop a clear policy in consultation with the legal department. Make sure that you have the processes and capability in place to carry out an investigation in line with the policy.
13 Netskope, Cloud and Threat Report, August 2020. Research was performed on anonymized usage data collected from a subset of Netskope Security Cloud platform customers (primarily North American) that had given permission for this use.
14 Proofpoint, State of the Phish, January 2020. A global survey of 3,500+ working adults and 600+ IT security professionals.