While Bring Your Own Device (BYOD) isn’t a new concept, you may have had to introduce it in the remote work scramble of 2020. 

Historically, BYOD has been a dirty word for IT teams, as it is challenging to provide personal devices with secure access to company services. Without corporate supervision, it’s difficult to ensure that a device meets the desired security requirements like having the most up to date OS, not being jailbroken, or having a potentially risky app installed. Mobile continues to be an under-protected device type; Verizon reported that 87% of enterprises are seeing mobile threats grow rapidly. The BYOD industry is taking off at a compound annual growth rate (CAGR) of 15% annually from 2020 to 2025, reaching $430.45 billion in 2025, demonstrating the need for more attention on security policies. 

Whether you have a BYOD policy or not, employees are probably using their personal devices for work purposes: 

While BYOD is commonly associated with mobile devices, it can also be expanded to tablets and laptops. Despite little interest pre-pandemic, Gartner predicts that technology leaders will need to start supporting Bring Your Own PC strategies (BYOPC) for long term work from home strategies, and that includes how these devices are secured. 

Without having a policy for BYOD in place, employees won’t know the dos and don’ts around personal devices highlighting the need for one in every organization. For example, enabling BYOD is becoming more of a necessity in today’s environment, where employees aren’t onsite and can’t just take their malfunctioning device to the IT department. If their device breaks down, they could be days without a suitable substitute. Moreover, they may end up exposing your organization to unnecessary risk through a lack of knowledge over secure practices.

Benefits of a Bring Your Own Device Policy 

Lower Business Costs

Bring Your Own Device has scope to lower costs for businesses. In the Cybersecurity Workforce Study 2020, 51% of respondents reported their concerns about technology spending due to the impact of COVID-19. In TechRepublic’s recent survey they found that 62% of survey respondents will tighten their 2021 IT budgets due to COVID-19 with budget strategies predominantly focused on enabling work from home (26%), security (17%), cloud technologies (18%) and postponing other major projects (17%). So with 2021 budgets under pressure, a BYOD model could be a way to reduce spend. 

BYOD is an attractive option for many costing around $350 per employee annually, which is a significant reduction in the hardware expenditure a company would normally make when providing equipment. 

Productivity

The consumer trend of always having the latest smartphone model plays into Bring Your Own Device initiatives. When provisioning company-owned devices, it’s financially attractive to opt for older device models, however, there is a tradeoff. As we know, older devices struggle in today’s environment with newer operating and app versions, in turn, this can hamper productivity and lead to a frustrating user experience, perhaps even leading to users turning to their personal devices anyway, just to get the job done.

The model has also demonstrated incremental value to productivity in this period, a Dell found in their study found employees are able to do their jobs with ease on familiar devices. They reported that 61% of Gen Y and 50% of 30+ workers find their personal devices are more effective and productive than those which they use at work.  

User Flexibility

Bring Your Own Device made it easier for businesses to rapidly enable working from home when the needed inventory wasn’t available. The ability for users to use personal devices, even as a temporary fix, salvages any potential lost productivity between purchasing and coordinating equipment to employees’ homes. Some users also don’t want to carry around multiple devices. BYOD aligns with the modern business practice of Work From Anywhere (WFA) as well as the underlying goals of digital transformation. 

Bring Your Own Device Policy

What to consider when creating a Bring Your Own Device policy 

Forbes reported that 32% of IT tech budgets are heavily geared towards cloud technology in 2021. Alongside this, effective adoption, the consumerization of smartphones, access to the cloud, and remote work are priorities for IT teams. 

The corporate perimeter is now stretched and digital transformation is outpacing security strategies, creating gaps that IT teams are having to plug. The new IT challenge is to bridge this gap between adoption and security best practices. 

When developing a Bring Your Own Device policy you should first consider is your environment equipped enough to manage remote devices? You may have adopted some cloud-based applications, but you also may have some custom ones on-premises. If you extend the BYOD concept to laptops, is your system ready to accommodate BYOD in a hybrid environment? If you think if this fits with your IT infrastructure, then read on for our further recommendations. 

Stakeholder Considerations 

Is your organization ready for Bring Your Own Device? From an IT perspective, you may be raring to go, but you need to get stakeholders from the rest of the business aligned. There are a few factors to consider here. 

Are your employees happy to use their personal devices for business use? There may be some resistance, not everyone is comfortable adding their work email and applications to their personal device, they may want a clear separation between work and personal. 

You will need to consult various teams in your organization about the practicalities of rolling out BYOD:

  • Legal team: can advise on compliance and liability best practices, but also what happens if your users don’t follow procedures? 
  • Financial team: will be able to clarify the compensation your users will receive for using their own devices. As employees may be eating into their own data plans, you’ll need to consider whether they will be reimbursed for doing so. NCSC has some great advice in these areas if you’re looking to find out more.
  • Human Resources: will be able to get a pulse on the end-user views. They can administer a survey as to whether employees would be comfortable adopting a BYOD strategy as well as their expectations.

Once you’ve got the green light, a good first step would be to educate your users and establish clear guidelines. 73% of businesses have invested in cybersecurity education programs for their workforce to offer that first line of defense. 

Your BYOD policy needs to be clearly articulated and communicated and can’t be just a couple of paragraphs sitting in your employee handbook. Prior to being allowed access from personal devices, employees should undergo some training ensuring there is a mutual understanding between both parties. 

Practical considerations

When should you use a UEM?

Whilst UEM offers a lot of benefits for a BYOD policy, it’s not always needed and can actually be intrusive, so may not be suitable for some organizations. 60% of devices containing or accessing enterprise data are mobile, so for your security to be effective you need to maintain a level of control over the device but there are a few options here. 

With a BYOD strategy, Unified Endpoint Management (UEM) can be an option to secure your environments, devices, and servers. The model enhances the scope of data administration and security, providing IT admins with further visibility over the corporate network. 

It also helps to tackle the thorny issue of platform fragmentation. In a BYOD environment, your users have different devices, such as Android, iPhone, etc. which makes standardizing the individual security patches, testing new configurations, and updating operating systems complex. Using a UEM, your IT team can see what devices are being used, and therefore helps to build a plan for issuing vital communications to ensure devices are secured, for example, updating the latest iOS versions or WhatsApp updates. 

Deploying a UEM can also give you additional protection in the event of a theft or loss, the tool has capabilities to wipe the device if it ends up in the wrong hands. Moreover, if you’re really risk-averse you could blacklist devices and apps in your policy that you fear will be detrimental to your environment. For instance, a lot of companies would have reservations about employees using Huawei given the controversies related to that brand. Moreover, if your employees are using rooted or jailbroken devices, you’ll want to consider banning these too because of the security flaws here. 

Should I use a UEM in a Bring Your Own Device Policy? 

One of the main drawbacks of using a UEM is your user privacy. A consideration here is how are you going to separate your company and personal data? If the device is missing, you should consider the next steps to ensure that data is retrieved or the device wiped. But, how are you going to protect your users’ privacy? You’ll find full tunnel solutions won’t maintain privacy if employees want to access corporate resources. These are all considerations when managing expectations in your BYOD policy. 

If you’ve built a lot of custom apps, BYOD becomes less of an issue because it’s unlikely you would’ve brought this online and it lives in your VPN network. The problem UEM has is managing data in cloud-based applications. For example, it’s easy for your users to log in to Google Analytics from a personal device, however, you don’t have any contextual assessment of the device’s hygiene. When developing your policy, you’ll want to dig deeper into how this works with your cloud infrastructure. 

Why you should use MAM-WE instead of UEM

Based on these considerations, if a UEM isn’t suitable, a favorable option here is to use ‘MAM-WE’ meaning Mobile Application Management Without Enrolment. It still offers some of the benefits with UEM, such as protecting data within the app, but your users also retain levels of privacy. You can use it across a few platforms: Android, iOS, and Windows. Here, you only want to push applications and connect to the company environment, this still enables you to manage business applications, but doesn’t impact the device. 

Bring Your Own Device Policy

Endpoint Security

“The need for protection for unmanaged devices is growing, with BYOD and concerns around user experience and privacy making it impractical to manage devices. Many organizations are deploying the Microsoft Outlook app on unmanaged devices.”Gartner, Market Guide for Mobile Threat Defense

With 87% of organizations now using cloud-based applications on smartphones, a common fear for IT teams are the lack of visibility of BYOD users in their environment. What’s especially jarring is the little insight into data management and apps on the devices – whether dormant or active. For ethical reasons, you can’t see what’s on an employee’s personal device, so how do you tackle this issue? As a result, 94% who have adopted a BYOD model now have increased mobile security risks. A Mobile Threat Defense solution is key here for protecting you against phishing, malware, or cyber threat attacks. 

Your users are only human and mobile device adversaries are advancing from strength-to-strength every day. For example, recent iOS exposure to the then-latest generation, iPhone 11, gave attackers full exposure and remote access to iMessage with no visibility to the user. Similarly, third-party app stores have been known to host dodgy apps and your users could end up downloading malware. As a result, you’ll need to consider a Mobile Threat Defense solution to protect both your organization and your users. 

IT Help Desk Considerations

You need to consider the role of your IT support and what level of support they’ll be providing for BYOD users. You don’t want your help desk to become inundated with inquiries around non-business related problems such as ‘why they can’t connect to Facebook on their phone’.

In your BYOD policy, you’ll need to manage expectations of where IT support starts and finishes. For example, IT can help with the connectivity issues associated with business applications of the device, but won’t be a drop-in clinic for all device issues. 

Similarly, you’ll need to consider the setup and configuration process of personal devices, is this something which your IT team can do remotely or will they need physical access? For example, ensuring lockscreens meet with security standards or installing a client so employees can access certain resources. 

Lifecycle management is another consideration – how are you going to unenroll users once they’ve left the business or their permissions have changed. For example, your user isn’t handing their personal device back into the IT department, so you need to think about ways to ensure you’ve disabled any connections particularly in the case of SaaS. Moreover, in some cases, this user could leave your organization without de-provisioning devices or potentially swapping the device or its counterparts with another person, who could then potentially access corporate data.

Password Protection, SSO & MFA

Although there is scope here for IT teams to administer apps, they do not have granular controls, such as issuing clear passcodes, activation locks, or optimal system settings. 

In the event of a lost or stolen device, your company is liable for the corporate data that is missing with it. With a BYOD strategy, you’d ideally want an Identity & Access Management (IAM) solution, which normally comes as part of a UEM. This aids password management, enforcing security policies, provisioning software, reporting and monitoring apps, and identity repositories. 

 Your IAM solution is likely to initiate SSO or MFA on your user’s personal devices, not only does this have simpler sign-on functionality, but also issue higher-level security over cloud-based applications. This provides further protection against attackers gaining access to confidential data via SaaS applications like Teams, Slack, or email which is likely to be hosted on the user’s device. 

User Experience, Shadow IT & BYOD

An effective, modern workplace and positive user experience go hand-in-hand. In 2020, IT teams were tasked with keeping the lights on, but ultimately, digital transformation is about balancing productivity and security, making sure that it is as easy as possible for end-users to log on and work while keeping data secure. 

In the context of BYOD, consumer apps are easy to use seamlessly across platforms. However, old enterprise apps can be rigid and more difficult for users to operate. In which case, this develops issues such as shadow IT, where your users will create their own solutions and fryou won’t have visibility over this. For example, you may now have multiple VPNs, users will have to keep logging in and out of apps, which creates undesirable friction managing multiple accounts and passwords. This can influence shadow IT, because it’s so much easier for them to use a cloud-based service, like DropBox for example to carry out these tasks. 

For the most part, this is not malicious, it’s just your employees wanting to get on with their work, and the tools they have been given aren’t intuitive. As an outcome, however, it makes it more challenging for you to encourage your users to stick to the rules. An example is when your organization is working with a contractor and there is ambiguity in connected workplace apps, shared files, and mobile enterprise messaging. During the confusion, they may store customer data or billing information elsewhere which would make your company liable if leaked. 

You’ll also want to consider how securely your users can connect to corporate devices, a VPN/VDI isn’t suitable for all device types, so after vetting your environment you may find this won’t work for BYOD. A Privileged Access Management (PAM) solution is a favorable option and enables you to restrict your employees from gaining full access to the company network. In this case, they will only be able to use the apps they need for work.

 

BYOD Policy Timeline

To implement your strategy effectively you should create a plan and timeline for how you’re going to enable BYOD in your organization. You want to consider the following factors: 

  1. Enrolment Guides – you want your users to enroll their devices for visibility. Here, we recommend that you provide a thorough guide to the MDM tool you choose to use.
  2. Email Communications – to ensure the rapid adoption of your BYOD strategy, you should communicate with your user’s levels of expectations and that a policy is coming to them which should be understood and signed. 
  3. Other Promotional Materials – depending on the nature of your user’s work, additional promotion such as banners across intranet sites and around the workplace to further communicate the importance of education around this model. 
  4. Education – Users should be fully aware of the detrimental business costs associated with the BYOD model if it’s not followed and practiced accordingly. Holding corporate webinars or issuing compulsory training courses around this area would be the best course of action. 

Like any IT security project, designing a timeline will help you stay on track and ensure nothing is missed. Here is an example of the type of plan we’d recommend: 

  • Preparation: work with your IT team to identify key players for the initiation of this project, develop goals you want to achieve, and train them fully to manage queries 
  • 1-2 weeks prior to project launch: start communicating with your users with an email to say that a new BYOD policy is to be unveiled, and provide some basic ‘what you should know’ background to avoid being inundated with help desk requests on launch
  • BYOD project launch: the date for when you’re pushing out your BYOD policy, here you need to start pushing out your guidelines and any associated educational materials, ideally, you’ll have an email series out to make sure this doesn’t go missed by your users
  • 1-2 weeks into project launch: here you should be tracking the progress of your project. You can do this by completing an audit of which users have signed the policy and completed any educational materials. Then, for those who haven’t, send reminder communications out to them – whether that’s by email or direct messaging them. You can also spend this time promoting tips and tricks across your organization. 
  • 3 weeks after project launch: once you’re happy with the results of your project, you can send a completion email out to your users. Here, you can communicate that the project has met satisfactory standards with your IT team and that users must stay vigilant and compliant with the new BYOD policy. 

Final Thoughts

Whilst Bring Your Own Device is an attractive and popular solution especially in the mad rush to get users online in 2020, there are many considerations that we have raised in this blog. It’s important to keep your stakeholders informed throughout this process, have a regimented plan to execute, and ensure you’re using the right tools to stay secure. Wandera’s Private Access solution gives flexibility to your users to work anytime, anywhere, on all platforms, on any unmanaged device. Private Access provides capabilities to restrict access from unsecured or infected devices and increases your SecOps visibility into app access in real-time and identifies any shadow IT. To learn more visit our product page here.