Bring Your Own Device (BYOD) isn’t a new concept in the business world, but it is something you may have had to introduce in the scramble to remote work in 2020. In this guide, we outline the advantages of BYOD, how to avoid security pitfalls, and mitigate risk to maximize the success of your BYOD policy.

Historically, BYOD has been a tricky concept for IT teams due to the challenges of providing secure access to corporate resources. Without corporate supervision, it’s difficult to ensure that a device meets the desired security requirements, such as running the most up-to-date OS, not being jailbroken, or not having a potentially risky app installed. Conversely, employees are unwilling to grant full administrative control over their personal devices.

It is also important to note that BYOD is no longer a challenge reserved for mobile. As part of Gartner’s Hype Cycle for Endpoint Security, BYOPC is a trend that is gaining traction and predicted to be part of mainstream adoption in line with SASE.

Before the pandemic, there wasn’t much hype around BYOPC. However, after COVID-19 hit, many organizations had to resort to enabling their employees to work from home in any way they could. As a result, Gartner’s clients said their adoption of BYOPC was up from less than 5% in 2019. Endpoint security for BYOPC is still a very new challenge: companies need to find a way to manage threats across devices when full administrative control is not an option.

As companies need to support long-term work from home practices, there is a need for BYO protection and access controls to span device types.

BYOD Trends

Here are some of the recent trends with BYOD and BYOPC:

  • Mobileiron predicts the BYOD market will grow to almost $367 billion by 2022.
  • Gartner has said Bring Your Own PC Security will transform businesses over the next 5 years.
  • In 77% of organizations without a BYOD policy, employees still use their own devices.
  • 92% of FT 500 companies said they were worried that their growing mobile workforce represents a rising risk of security issues. While the majority of organizations have embraced bring your own device (BYOD) policies, the vast majority (94%) said BYOD has increased mobile security risks.

What is a BYOD Policy?

A BYOD policy is documentation that clearly stipulates the terms of use of personal devices for work. It should detail everything from sanctioned device types, level of support offered, acceptable usage, reimbursements as well as what happens if it is not adhered to.

Why do you need a BYOD Policy?

BYOD was less of an issue when all IT assets sat on-premises. All devices, systems, applications, and users were tightly controlled and managed. But with workloads moving to the cloud, companies have less control over how employees, particularly remote employees, access cloud-hosted services. Security professionals need to find alternate ways to enforce compliance, and one way is through employee self-governance using a BYOD policy.

What are the benefits of BYOD?

  • Lower business costs: BYOD has the scope to lower costs for businesses. In the Cybersecurity Workforce Study 2020, 51% of respondents reported their concerns about technology spending due to the impact of COVID-19. BYOD roughly costs $350 per employee annually, which is a significant reduction compared to hardware expenditure.
  • Employee productivity: Dell reported that 61% of Gen Y and 50% of 30+ workers find their mobile devices are more effective and productive than those which they use at work.
  • User flexibility: The ability for users to use personal devices, even as a temporary fix, avoids the productivity lost while equipment is purchased and delivered to an employee’s home. Some users also don’t want to carry around multiple devices.

What are the risks of BYOD?

  • Data Breach and Loss: Verizon found that 4% of data breaches in 2020 were down to lost or stolen devices, primarily taken from personal vehicles and properties. Those predominantly targeted worked in the healthcare industry, which suffered 46 attacks, followed by the public sector with 18 attacks. If a lost or stolen device is unencrypted or unlocked and contains sensitive information like PII, PCI, or other financial data, you could incur huge compliance or data costs. Channel Futures reported that 25% of organizations have fallen victim to malware that employees accidentally downloaded onto their devices. This is easily done: the ransomware ‘WannaCry’ hit 250,000 victims in 99 countries in less than a day, infecting major organizations like FedEx, hospitals, and governments. If a user’s device or application lacks the correct security configuration, you may experience malicious exploitation of data. Wandera found that the Cometdocs application failed to use encryption, which left data at risk of man-in-the-middle attacks.
  • Outdated OS: Last year, we reported on the Al Jazeera attack caused by a zero-click exploit on iOS 14 and below which enabled the government hacker to see the victim’s messages. Outdated OSs create unnecessary vulnerabilities in any environment, but they are particularly tricky in BYOD programs where administrators don’t control the device and can’t force updates.
  • Greater device exposure to threats: if each user in your organization is using 2-3 devices for work, your threat surface expands accordingly. More devices mean more problems and more to protect.


BYOD Policy Checklist

How employees use their personal devices for work needs to be clearly defined. You may already have something in place for company-owned devices, but this may not be directly transferable to BYOD due to differences in ownership. Employees need to understand exactly how they’re allowed to use their devices for work. This can include:

What is acceptable BYOD device health?

Device: Most employees will have Android and iPhone devices, however, you may want to exclude certain device models from your BYOD program. For instance, a lot of companies would have reservations about employees using Huawei given its recent controversies. Enforcing device standardization will also limit support costs and make it easier for admins to manage.

Software must be up-to-date to avoid vulnerabilities. When you consider that 29.1% of iOS devices are running a severely out-of-date OS, security teams can’t rely on employee diligence to ensure that their devices are compliant. From our Cloud Security Report for 2021, we know there is a lag time between new OS and application versions being released and being adopted.

Passcodes are the first line of defense, especially in the scenario of a lost or stolen device, so ensuring your employees have them enabled is instrumental here.

You’ll want to consider banning rooted or jailbroken devices because of the security implications. Your employees may root or jailbreak devices so they can download apps from third-party app stores which aren’t available to normal users. As a result, your users may end up downloading malware-infected apps onto their personal devices, which could put your enterprise network at risk.

Sideloading is where an app is installed from a store that resembles Google Play or the App Store but isn’t approved by the developer of the device’s operating system. Sideloading enables end-users to gain access to apps that haven’t been vetted and could therefore be a threat, so it should be forbidden in your BYOD policy.

Apps: all apps come with a level of risk. As a security professional, you need to understand the risk associated with each app and how best to manage it. Some apps may be intentionally malicious or malware-ridden, some may be poorly developed; either way, knowing how apps behave is important to managing your risk posture. We found that Android users took significantly longer to update their apps after a major vulnerability was discovered in an older version of WhatsApp: while around 85% of the remaining devices impacted by vulnerable versions of WhatsApp had updated, only 50% of the vulnerable Android devices had updated at that time.

ZDNet reported that seemingly non-malicious gaming apps downloaded by seven million people actually contained adware code that would bombard the user with ads. In a Corporate-Owned, Business-Only (COBO) environment where administrators have complete control of a device, this type of threat is easier to manage using application white and blacklisting. In BYOD environments, the admin can’t exercise such militant control over the device; it is a personal device, and so preventing malicious applications from getting onto it is harder to manage.

Content: it is very easy for a user to stumble into a bad internet neighborhood, unwittingly or not. Certain provisions need to be put in place to make sure that devices aren’t compromised by watering hole attacks or malvertising. Again, without control of the device, it is difficult to administer and employees will likely feel uncomfortable if their employer were able to inspect all connections and traffic on the device.

Network: if your employees access corporate resources from an unsecured network on their personal devices, that device is at risk of compromise. An unencrypted connection or a spoofed access point can lead to data leaks or data alteration through a Man-in-the-Middle attack.

Read more about ‘What is device risk posture and why does it matter?’

What can BYOD users access?

Restricting what services BYOD users can access can help. For instance, your CRM will contain customer or partner PII, banking information, or financial data, therefore limiting access to this on a BYOD device will reduce this risk if the device is compromised. However, other apps may not pose such a risk, for example, an expenses app.

What level of authentication will you be offering?

Consistent policy enforcement is key here and is a core tenet of Zero Trust. On your employees’ personal devices, you’ll want to ensure authentication is covered across all corporate resources they’re accessing. Adopting an identity-centric security model will enable you to provide employees with secure access anywhere, from any device. In BYOD, your users’ personal devices are outside the network perimeter, so you need to assume you don’t trust the device because you don’t have control over it. Maintaining a level of risk-based control instead is a more secure way of protecting your corporate assets. Risk-based authentication lets you make if-then decisions based on whether the user’s contextual signals meet expectations, such as the device, the location, and the resource being requested.

Read more: Is Multi-Factor Authentication (MFA) enough?

  • How are you going to monitor access? UEBA helps you identify ‘normal’ patterns of behavior within the service edge. You can build an informed approach as to what constitutes ‘normal’, and then react accordingly to flagged anomalies like unusual source IP addresses, failed authentication (e.g. geo-location, multiple password failures), and unusual resource requests. Overall, this helps you detect risky behavior better.
  • How are you going to manage expectations with your users? You don’t want your help desk to turn into a drop-in clinic for personal device problems; support should be limited to work-related issues. You also need to orchestrate a plan to educate your users on your BYOD policy.
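As an added example (not from the original article or Wandera), the following Python sketch implements the baseline-then-anomaly idea from the monitoring bullet: it learns each user’s normal countries, source networks and resources from a set of log lines, then flags new values and repeated authentication failures within a short window. The log lines, field names and thresholds are constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample access-log lines (documentation IP ranges), not real telemetry
HISTORY = [
    "2021-03-01T09:02:11Z user=alice ip=203.0.113.5 country=GB result=success resource=expenses",
    "2021-03-02T09:10:40Z user=alice ip=203.0.113.9 country=GB result=success resource=expenses",
    "2021-03-03T08:58:03Z user=alice ip=203.0.113.7 country=GB result=success resource=crm",
]
NEW_EVENTS = [
    "2021-03-04T09:01:00Z user=alice ip=203.0.113.12 country=GB result=success resource=crm",
    "2021-03-04T23:14:00Z user=alice ip=198.51.100.23 country=RO result=failure resource=crm",
    "2021-03-04T23:15:10Z user=alice ip=198.51.100.23 country=RO result=failure resource=crm",
    "2021-03-04T23:16:05Z user=alice ip=198.51.100.23 country=RO result=failure resource=crm",
]

def parse(line):
    """Turn one 'ts key=value ...' line into a dict; derive the /24 as the source network."""
    ts, *fields = line.split()
    ev = dict(f.split("=", 1) for f in fields)
    ev["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    ev["net"] = ev["ip"].rsplit(".", 1)[0]
    return ev

def build_baseline(lines):
    """Per-user sets of previously seen countries, source networks and resources."""
    base = defaultdict(lambda: {"country": set(), "net": set(), "resource": set()})
    for ev in map(parse, lines):
        for key in ("country", "net", "resource"):
            base[ev["user"]][key].add(ev[key])
    return base

def detect(lines, baseline, fail_limit=3, window=timedelta(minutes=10)):
    """Return (line, reasons) for every event that deviates from the user's baseline."""
    failures = defaultdict(deque)      # per-user timestamps of recent failed logins
    flagged = []
    for line in lines:
        ev = parse(line)
        profile = baseline[ev["user"]]  # unknown user -> empty profile -> everything is new
        reasons = [f"new_{k}" for k in ("country", "net", "resource") if ev[k] not in profile[k]]
        if ev["result"] == "failure":
            recent = failures[ev["user"]]
            recent.append(ev["ts"])
            while recent and ev["ts"] - recent[0] > window:
                recent.popleft()        # drop failures outside the sliding window
            if len(recent) >= fail_limit:
                reasons.append("repeated_failures")
        if reasons:
            flagged.append((line, reasons))
    return flagged
```

In the constructed data, the daytime UK login passes silently, while the three night-time failures from a new country and network are each flagged, the third one additionally as repeated failures.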

How to manage BYO devices

Managing BYOD and BYOPC can be a headache for IT professionals because of the complexities of balancing security and privacy. Here, you want to be able to manage enterprise data without interfering with your users’ personal data or privacy. BYOD devices belong to the user, so an overly intrusive policy may cause rejection or stall your project. However, you also need to consider how risk-averse your organization is: you need to assess appropriate levels of security on BYOD devices to mitigate the risk of threats on personal devices. For instance, if you work in healthcare, you may want more control and restrictions because of the higher number of breaches of patient records in this industry.

This may be a matter of working with HR to gauge end-user sentiment around BYOD access and security controls; working out what people are and aren’t happy with will determine how you need to proceed as well as what technologies you may require. BYOD is largely about enablement, but it has to be done in a secure manner. Over-communicating and making sure that end users are clear on the purpose of an endpoint agent and what information it is collecting will be important for overcoming privacy concerns.

Zero Trust for BYOD

A favorable solution for BYOD is Zero Trust Network Access (ZTNA), as it balances both security and privacy. You can securely allow employees to access corporate resources from anywhere, on any device whilst offering an enhanced user experience relative to traditional access technologies.

Zero Trust uses adaptive access controls to incorporate risk factors such as device health, geo-location, and user identity into a decision-making engine that determines whether or not to allow an access request from an endpoint to an application.

A Zero Trust architecture decides access requests based on the user’s identity (via MFA or SSO) and device health, such as an updated OS or a malware-free device. This way it limits access to the corporate network unless both factors meet satisfactory requirements, mitigating risk to your environment. You can also combine this with a Threat Defense solution to monitor employees’ personal devices for vulnerabilities, such as outdated OSs or escalated privileges, which enables you to perform a continuous app risk assessment for detecting malware and other risks.
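As an added example (not the article’s or Wandera’s code), here is a minimal decision engine in Python that combines the signals listed in this section and in the authentication section above: identity assurance (MFA), device health (OS version, jailbreak, passcode, malware), geo-location and resource sensitivity, producing ALLOW, STEP_UP or DENY. The field names, risk weights, resource classification and thresholds are assumptions for illustration.

```python
from dataclasses import dataclass

@dataclass
class Device:
    """Posture facts an endpoint agent would report (assumed fields)."""
    os_version: tuple          # installed OS, e.g. (14, 8)
    min_os: tuple              # policy minimum, e.g. (15, 0)
    jailbroken: bool
    passcode_set: bool
    malware_detected: bool

@dataclass
class Request:
    """One access attempt: identity assurance, location and the resource asked for."""
    mfa_passed: bool
    country: str
    allowed_countries: frozenset
    resource: str

# Assumed classification: the CRM holds PII/financial data, the expenses app does not
RESOURCE_SENSITIVITY = {"crm": "high", "expenses": "low"}
# Per sensitivity: (max risk for ALLOW, max risk for STEP_UP); above that, DENY
THRESHOLDS = {"high": (0, 30), "low": (30, 60)}

def device_risk(d: Device) -> int:
    """Score device health; escalated privileges or malware are a hard fail (100)."""
    if d.jailbroken or d.malware_detected:
        return 100
    score = 0
    if d.os_version < d.min_os:
        score += 40            # outdated OS: known, unpatched vulnerabilities
    if not d.passcode_set:
        score += 30            # no lock screen: a lost device exposes its data
    return score

def decide(req: Request, dev: Device) -> str:
    """Combine device, location, identity and resource sensitivity into one decision."""
    risk = device_risk(dev)
    if risk >= 100:
        return "DENY"          # a compromised device is not rescued by strong identity
    if req.country not in req.allowed_countries:
        risk += 30             # unexpected geo-location
    allow_max, stepup_max = THRESHOLDS[RESOURCE_SENSITIVITY.get(req.resource, "high")]
    if risk > stepup_max:
        return "DENY"
    if risk > allow_max or not req.mfa_passed:
        return "STEP_UP"       # require MFA / re-authentication before granting access
    return "ALLOW"
```

Unknown resources default to the high-sensitivity thresholds, so a new app added without classification is treated conservatively until someone classifies it.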

The Zero Trust architecture is built in the cloud; when integrated into an endpoint’s access layer, it gives users connectivity to any workplace application, whether publicly or privately hosted. Delivering functionality from the cloud means faster connections and an overall better user experience. Admins also gain simpler, more secure management of BYOD.

Find out more about Wandera’s Security Suite to enable your BYOD policy here.