Consumer trust in organizational data handling is at an all-time low. Breaches at Facebook, Equifax, and others, have left users increasingly wary of where their data goes, how it’s being used, and who can access it. Although Facebook’s data privacy policies may be dominating the current headlines, data protection is quickly becoming the global hot-button issue for companies of all sizes. As regulations tighten, organizations with a BYOD model should be extremely wary.

According to the General Data Protection Regulation (GDPR), the data controller must be in control of the data at all times, which is near impossible when the controller does not own the device where the data is being accessed or stored (i.e. in a BYOD model). With the majority of internet usage now taking place on mobile, IT teams should be concerned about how the mobile devices handling corporate data are secured and the level of visibility they have into that traffic. While the BYOD model is perceived as a cost-savings solution by IT admins, it comes with serious limitations; including compliance and security risk and questionable savings.

BYOD Model

Where are the control gaps in a BYOD model?

Lack of visibility

GDPR is all about visibility; where the data is, where it’s going, and who has access. Network-level visibility is fundamental to understanding these questions, but in a BYOD environment, any visibility is lost the second the device walks out the door and outside your network.
Many firms attempt to rectify this issue by making use of Enterprise Mobility Management (EMM) tools for application control and some device-level management, but neglect network level control. And for a personal device, this makes sense. It’s totally understandable that employees would refuse to install a solution that can see even just a scrap of their online activity. Device-level monitoring of an EMM is about as intrusive as most would allow and indicators of risk go overlooked as a result.
Corporate-owned and issued devices, on the other hand, have a greater degree of control and the script is pretty simple to communicate to employees – “we issue you the device, you use it in-line with corporate acceptable use policy and we monitor activity (the same as we would on your desktop) in order to keep our data safe from hackers”. It’s less simple when the device is owned by the employee.

Uncontrolled access & Shadow IT

As we’ve established, mobile devices are a black hole for IT visibility when they’re not connected to the office network, in a BYOD environment. With free rein over the app store and open browser access, employees with BYOD devices often use unsanctioned cloud storage services like DropBox and Box to store corporate data. Shadow IT practices aren’t necessarily out of malicious intent. Employees use these services simply out of convenience. These third-party services are completely out of the IT department’s control in a BYOD environment. Sure, an EMM could block access to these apps, but employees are crafty and will simply navigate to the browser to access these solutions. Another consideration is that the approved storage services mandated by IT, may not even be supported on certain BYOD device platforms, forcing employees to look for other less secure options.
This introduces a tremendous amount of breach risk should a malicious actor get access to this information, either through phishing the employees credentials, through a breach of the service itself or simply from an employee with malicious intent. Each incident would leave the organization incapable of identifying the breach, remediating the threat, and notifying the proper authorities and under GDPR, the corporation can be held liable, even in the event of employee negligence or malicious intent.

Risky connections

BYOD or not, an employee’s mobile device will likely travel everywhere the employee does, accessing various home and personal Wi-Fi networks and public Wi-Fi. Network-level risks will be encountered. Wandera’s Wi-Fi security research revealed that 4% of corporate devices will be subjected to a man-in-the-middle attack each month. With the introduction of “probing” technology, the average corporate-owned mobile device now connects to 12 different Wi-Fi networks a day, meaning any mobile device will have an extensive history of connecting to dangerous hotspots that the device will automatically reach out to when in range. Every cafe, shop, gym, restaurant, etc., presents a real risk to the organization. Employees concerned over data cost and in search of a Wi-Fi connection will almost always choose savings over security.

Platform fragmentation

Platform fragmentation and version control in a BYOD model, present a tremendous security and support headache for any organization. Not standardizing on platforms can complicate security patches and testing of new configurations and services. It can also cause internal-built applications to break, requiring greater development and maintenance costs and ballooning support/help desk request.
Outside of this, the Android platform is particularly susceptible to malware. With access to a world of unapproved app stores that don’t enforce thorough security vetting of the apps they sell, devices can very easily become infected, and in some cases, the end user will have no idea it’s happened. If employees are buying their own work devices they might opt for low-cost models from manufacturers like ZTE, who was previously sanctioned for shipping devices with pre-installed malware.

Lifecycle management

Retiring devices once an employee has left the organization can be difficult to manage in a BYOD model since the device isn’t physically handed back to the IT department. Employees may leave your organization without de-provisioning devices or they may swap their SIM with a family member for example.

End-user error

Perhaps the largest issue with a BYOD environment is also the oldest in the book. Human beings make mistakes and, fair or not, GDPR guidelines mean the corporation can be held liable for those mistakes. Handing control to the employee means entrusting employees to remain entirely vigilant, to self-educate, and make corporate security their priority, even over personal convenience or preference. Without visibility and control mechanisms in place to enforce security functions at the data level, the business is exposing itself to the tremendous risk of a data breach. With 90% of data breaches beginning with a phishing attack and phishing presenting the number one threat to mobile users today, corporations need to consider the implications of moving their fleet to a BYOD model.


With the new GDPR regulations now in place, enterprises will be held accountable for any device that is able to retrieve any customer data. Whether it be an internally configured laptop or a BYOD mobile device. The only way to prevent an attack on a mobile device is to invest in a security solution that affords full network-level visibility, ensuring that if an employee does install a piece of malicious software, the organization is aware that this installation took place and can block traffic to any malicious third parties. However, deploying these solutions can be difficult in a BYOD situation since the end user can refuse to have any kind of corporate controls on their personal device.

If you, do choose to adopt a BYOD model, here are our recommendations:

  • Fold a mobile device policy into your end-user IT policy and have this reviewed by your security team. Have all employees read, sign, and understand the policy and keep it updated on your intranet or applicable document store
  • Gate access to corporate email and assets only to those devices with appropriate mobile security controls
  • Where possible, use corporate-owned devices and the Apple DEP to avoid costly staging and provisioning processes
  • Plan for device retirement by ensuring your EMM supports remote wipe
  • Record asset inventory and track spare and loaned devices where applicable
  • Require minimum level hardware and OS version to limit vulnerability exposure
  • If a BYOD model is preferred, consider enforcing a list of device options that can support access to corporate resources