A bring your own device (BYOD) policy enables companies big and small to equip their employees with the tools they need to be more productive, efficient and flexible.
However, allowing staff to use their personal devices for work purposes also carries some inherent security risks that could potentially compromise sensitive company data. The challenges for both enterprises and SMBs lie in identifying and mitigating these risks in a way that protects company assets without infringing on employee privacy.
In today’s blog post, we’ll highlight the main security concerns associated with BYOD and what SMBs need to do to resolve them.
What is BYOD?
As the name suggests, BYOD is the practice of allowing employees to use their own devices for work purposes. In years gone by, many businesses only allowed staff to use company-issued devices, but the rapid adoption of smartphones and tablets in the consumer market means that – whether companies like it or not – just about every employee is now bringing a device (or two, or three…) with them to work. And it’s almost inevitable that, at some point, these personal devices are used for work-related purposes or connected to the company’s network.
Today, BYOD isn’t just tolerated in the workplace – it’s welcomed with open arms. Indeed, for many companies, employee-owned devices are critical for day-to-day operations. In fact, almost 9 in 10 (87 percent) companies depend on their employees’ ability to access mobile business apps from their personal smartphones, according to research from Syntonic. What’s more, the trend shows little signs of slowing, with Global Market Insights predicting the BYOD market could hit $366.95 billion by 2022, up from just $94.15 billion in 2014.
A big part of BYOD’s success is the fact that all parties stand to benefit. By allowing staff to bring their own devices, companies are able to reduce IT expenditure and boost employee engagement outside the office. Meanwhile, employees are free to do their work on the device of their choosing, which can boost worker satisfaction and enhance productivity. It’s a win-win situation for all involved – except, perhaps, for whoever’s in charge of IT security.
BYOD and data security risks
BYOD offers a range of benefits, but it is not without its flaws. For many SMBs, the biggest risks revolve around losing control of their data. Companies are less able to enforce security policies on BYOD devices, which introduces all sorts of challenges from a security perspective.
For example, many organizations have strictly enforced policies in place regarding the use of passwords, VPNs, and security and recovery software. With BYOD, however, it’s challenging from both a logistical and technical point of view to ensure that every single device that’s brought into the workplace is adhering to these rules. As you might imagine, this can greatly increase the risk of a data breach or malware infection.
Here are some of the key BYOD security risks to be aware of:
- Loss or theft of device: Whereas company-issued devices are most likely to be used in the office (or some other workspace), personal devices often accompany the employee wherever they go. This means there’s a higher chance of the device being lost or stolen, and a greater risk of the company data that’s stored or accessed on the device being compromised.
- Devices without a screen lock: Almost 1 in 3 (28 percent) smartphone owners in the United States do not use a screen lock or other security feature, according to figures collated by Pew Research Center. If one of your employees is part of this statistic, there is a high risk of a data leak if the device falls into the wrong hands, because anyone who picks it up can read mail, open documents and use any saved sessions.
- Data loss: In the event that the device is lost, stolen or damaged, any locally stored data may be lost if it is not backed up in real time.
- Man-in-the-middle attacks: Public Wi-Fi spots are great for getting some work done, but they are also popular hunting grounds for criminals. An attacker on the same network, or one operating a rogue access point with a familiar name, can intercept traffic passing through it, and anything that is not protected by TLS (or by a VPN tunnel) is exposed in the clear. More than half of online adults use potentially unsecured public Wi-Fi networks, and 1 in 5 of these users admit to using these networks to send sensitive information, according to the Pew Research Center study mentioned above.
- Jailbroken or rooted devices: Popular among power users, jailbreaking (rooting, on Android) is the process of removing the restrictions imposed by the manufacturer of a device, typically to allow the installation of unauthorized software. It also disables much of the platform's built-in protection, which increases the risk of an employee inadvertently installing malicious software on a personal device. In 2015, KeyRaider stole the login credentials of more than 225,000 people using jailbroken iOS devices.
- Software security vulnerabilities: Traditionally, most businesses operated within a single software ecosystem (typically a Windows environment). Now, it is not uncommon to see a mix of Windows, iOS, Android, macOS and Linux being used in the workplace. Every operating system (and the software that runs on it) has its own set of security flaws and its own patch cadence, so allowing staff to use any device and operating system widens the attack surface and increases the risk of a data breach or malware infection.
- Malware: How diligent are your employees when it comes to malware protection? A personal device that has been infected with malware can result in data loss, downtime, ransomware or the spread of malware to other devices that connect to the company network.
What could a BYOD security policy include?
To mitigate the risks described above, it’s important to take the time to devise a BYOD security policy that works for the needs of your business as well as the needs of your employees. The details of the policy will vary from business to business, but might include:
1. Making passwords compulsory on all BYOD devices
Prevent unauthorized access to company data by enforcing the use of a screen-lock passcode on all BYOD devices, together with a short auto-lock timeout and a limit on failed unlock attempts. Passcodes should be long, unique and random, and passwords for work accounts accessed from the device should be held in a password manager rather than reused. For more information, please see our blog post on how to securely create and store passwords.
2. Creating a blacklist of prohibited applications
Blacklisting is the act of prohibiting the installation of certain applications on BYOD devices that are used for work purposes. This most commonly includes applications that are deemed to be high security risks, such as file sharing and social networking apps. According to Appthority, the top three apps blacklisted by enterprises are Facebook Messenger, Wickr Me and WhatsApp Messenger on Android; and Facebook Messenger, WhatsApp Messenger and Tinder on iOS.
The simplest way of blacklisting applications is to use a mobile device management (MDM) platform such as VMware AirWatch, which enables IT administrators to secure and enforce policies on enrolled devices. However, a blacklist can be seen as infringing on the owner's use of their own device, so you will need to consider where you draw the line in regard to privacy before incorporating this into your BYOD security policy. One common compromise is to apply app restrictions only to a separate work profile or managed container on the device, leaving the personal side untouched.
3. Restricting data access
One of the most effective ways of managing IT security risks is to adopt the principle of least privilege on both BYOD and company devices. This principle essentially means that a user is able to access only the data and software required to do their job. For example, a member of your customer services team should probably not have the power to install new software on their computer. Restricting access can reduce the effects of certain types of malware and limit the fallout in the event of a data breach.
4. Investing in reliable antivirus software for PCs and mobile devices
As we have discussed in the past, malware authors love to target SMBs. Given that malware cost SMBs an average of $68,000 in 2017, it’s essential that businesses of all sizes ensure that BYOD devices are protected with reputable antivirus software. Having a solution in place that can identify and stop malware threats before they can make changes to the device is vital for protecting mission-critical data and avoiding downtime. If you’re in the market for a proven antivirus solution and a customer service team that’s committed to providing the best support around, feel free to try out Emsisoft Anti-Malware or Emsisoft Mobile Security.
5. Backing up device data
A well thought-out BYOD policy can go a long way toward minimizing the risk of a security breach, but in the event that something manages to slip past your defenses you need to have a process in place for restoring your data to its former state. A comprehensive backup strategy ensures that any data stored locally on a BYOD device can be quickly recovered – even if the device is stolen or lost, or the data is corrupted.
6. Keeping all software up to date
As noted, many attacks rely on exploiting security vulnerabilities in a piece of software. To mitigate this risk, SMBs need to ensure that the operating system and applications installed on their employees’ devices are kept up to date. Always install the latest patch when alerted and enable automatic updates wherever possible.
7. Enforcing the use of remote wipe applications
As the name implies, a remote wipe is a security feature that enables an authorized person to remotely delete data from a device. Depending on the software used, a remote wipe can return the device to factory settings, remove all data, or render stored data unrecoverable (on a modern encrypted device this is normally done by destroying the encryption key rather than by overwriting storage). Enforcing the use of remote wipe applications on BYOD devices gives you a last-resort solution for preventing data theft if an employee's personal device is lost or stolen. For personally owned devices, prefer a selective wipe that removes only corporate data and accounts, and reserve a full wipe for cases the policy and the employee have agreed to in advance.
8. Monitoring BYOD devices
Many companies choose to implement monitoring as part of their BYOD security policy. This involves installing applications that allow administrators to keep tabs on the GPS location and/or Internet traffic of BYOD devices. These systems can be very useful for identifying suspicious activity, but they definitely have the potential to be overly intrusive. It’s important to find the balance here between maintaining security and respecting your employees’ privacy.
9. Forbidding transmitting sensitive data over unsecured networks
Your BYOD security policy might also set out expectations regarding the use of unsecured networks such as public Wi-Fi spots. Employees should only be connecting devices to trusted networks for work purposes and, ideally, would be using a VPN to encrypt transmitted data and prevent data leaks. Be cautious about free VPNs: a CSIRO study found some form of malware in 38 percent of the free Android VPN apps it examined, so a VPN client should be chosen and provisioned by IT rather than picked from an app store by the employee.
10. Requiring device encryption
Last but not least, consider enforcing device encryption. With device encryption, anything that is stored locally on the device is encrypted so that the data cannot be easily extracted by unauthorized persons. Modern iOS and Android devices are encrypted by default, but the protection only holds when a screen-lock passcode is set, since the encryption keys are tied to it, which is one more reason item 1 above matters. Windows devices can be encrypted with Microsoft's BitLocker (available on Windows 10 Pro, Enterprise and Education, but NOT Windows 10 Home) or with third-party software such as the free, open source VeraCrypt; macOS offers FileVault, and most Linux distributions offer LUKS full-disk encryption at install time.
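Several of the items above (passcode, patch level, jailbreak status, prohibited apps, remote wipe, encryption, regular check-in) are things an MDM inventory can report per device, so a practitioner will usually want to turn the written policy into a repeatable compliance check rather than trust each employee to self-certify. The following is an added example and not code from the original post or from any Emsisoft or MDM product; it assumes an inventory export where each device is a dictionary with the field names shown, and the thresholds, the minimum OS versions, the blocked bundle identifiers and the sample devices are all constructed for illustration.

```python
"""Evaluate BYOD inventory records against a baseline policy.

Added example, not part of the original post. The inventory field names,
policy thresholds, app identifiers and sample devices are assumptions.
"""
from __future__ import annotations
from datetime import datetime, timedelta, timezone

# Baseline policy. Values are illustrative assumptions, not recommendations
# taken from the post; tune them to your own environment.
POLICY = {
    "min_passcode_length": 6,
    "min_os_version": {"ios": "17.0", "android": "13",
                       "windows": "10.0.19045", "macos": "14.0"},
    # hypothetical bundle identifiers standing in for a real blocklist
    "blocked_apps": {"com.example.p2pshare", "com.example.socialchat"},
    "max_checkin_age": timedelta(days=7),
}


def parse_version(v: str) -> tuple[int, ...]:
    """Turn '10.0.19045' into (10, 0, 19045); a suffix such as '17.1b2' keeps only '17.1'."""
    parts = []
    for piece in v.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def version_at_least(installed: str, minimum: str) -> bool:
    """Numeric, component-wise comparison; '13' is treated as '13.0.0'."""
    a, b = parse_version(installed), parse_version(minimum)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a >= b


def evaluate(device: dict, policy: dict = POLICY, now: datetime | None = None) -> list[str]:
    """Return the list of policy violations for one device (empty means compliant)."""
    now = now or datetime.now(timezone.utc)
    findings: list[str] = []
    if device.get("jailbroken"):
        findings.append("jailbroken/rooted device")
    if not device.get("passcode_set"):
        findings.append("no screen-lock passcode")
    elif device.get("passcode_length", 0) < policy["min_passcode_length"]:
        findings.append(f"passcode shorter than {policy['min_passcode_length']}")
    if not device.get("storage_encrypted"):
        findings.append("device storage not encrypted")
    if not device.get("remote_wipe_enabled"):
        findings.append("remote wipe not enabled")
    platform = device.get("platform", "").lower()
    minimum = policy["min_os_version"].get(platform)
    if minimum is None:
        findings.append(f"unsupported platform {platform!r}")
    elif not version_at_least(device.get("os_version", "0"), minimum):
        findings.append(f"OS {device.get('os_version')} below minimum {minimum}")
    blocked = sorted(set(device.get("apps", [])) & policy["blocked_apps"])
    if blocked:
        findings.append("blocked apps installed: " + ", ".join(blocked))
    last = device.get("last_checkin")
    if last is None or now - last > policy["max_checkin_age"]:
        findings.append("not checked in within policy window")
    return findings


# Constructed sample inventory (three devices, fixed clock for reproducibility).
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE_INVENTORY = [
    {"id": "dev-001", "platform": "iOS", "os_version": "17.4.1", "passcode_set": True,
     "passcode_length": 6, "storage_encrypted": True, "remote_wipe_enabled": True,
     "jailbroken": False, "apps": ["com.example.mail"], "last_checkin": NOW - timedelta(days=1)},
    {"id": "dev-002", "platform": "Android", "os_version": "12", "passcode_set": True,
     "passcode_length": 4, "storage_encrypted": True, "remote_wipe_enabled": False,
     "jailbroken": True, "apps": ["com.example.p2pshare", "com.example.mail"],
     "last_checkin": NOW - timedelta(days=2)},
    {"id": "dev-003", "platform": "Windows", "os_version": "10.0.19045", "passcode_set": False,
     "storage_encrypted": False, "remote_wipe_enabled": True, "jailbroken": False,
     "apps": [], "last_checkin": NOW - timedelta(days=30)},
]


def report(devices: list[dict], now: datetime = NOW) -> dict[str, list[str]]:
    """Map each device id to its violations; feed the non-empty entries to your ticketing."""
    return {d["id"]: evaluate(d, now=now) for d in devices}


if __name__ == "__main__":
    for device_id, findings in report(SAMPLE_INVENTORY).items():
        status = "OK" if not findings else "; ".join(findings)
        print(f"{device_id}: {status}")
```

A device that fails any check is the one to quarantine from mail and file access until the owner fixes it; the version comparison is numeric rather than a string compare so that an Android build reported as "13" is not judged older than "13.0.1" by accident, and a stale check-in is treated as a violation because a device the MDM has not heard from cannot be assumed to still meet the policy.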
Finding the balance between flexibility, privacy, and security
BYOD security is a bit of a balancing game. On the one hand, SMBs need to have a strategy in place that manages the potential risks associated with allowing staff to use their personal devices for work purposes. At the same time, however, SMBs also need to be mindful of the privacy of their employees and ensure their BYOD security policy doesn’t cross the line and become intrusive.
For many companies, the best way forward is a semi-collaborative approach. Talk to employees about their needs, try to offer support for a range of the most commonly used devices and remember that it’s difficult to revoke BYOD once employees get a taste. Take the time to develop a solid BYOD policy and make adjustments as you learn more about your organization’s unique needs and uses of BYOD devices.
Want to give your staff the freedom to bring their devices to work without compromising IT security? Protect all your Windows and Android BYOD devices by investing in Emsisoft Anti-Malware.
Have a great (malware-free) day!