Bring Your Own Device or BOYD has changed the enterprise landscape ever since companies started adopting it as one of their policies. It is a validation that companies acknowledge the value of smartphones, tablets and other mobile devices. BYOD allows employees to use their own devices to connect to the company’s secure network.
There are several reasons why companies adopt BYOD. Foremost of this is the fact that it helps improve employees’ productivity. Since they are allowed to use their own devices, they work more efficiently and comfortably, no matter where they are or what time of day it is. Thus, aside from productivity, BYOD also helps increase flexibility in the workplace.
Additionally, BYOD allows an enterprise to save on expenses as employees are the ones covering the costs of their devices.
This development, however convenient for both the employees and the enterprise, can also bring problems to the company, particularly those related to security.
Since quite a number of employees are able to use their smartphones, tablets and other mobile devices in the workplace, the possibility of an enterprise’s network security being compromised increases. As employees control their own devices, they have the freedom to choose or decide whatever they do with their devices, including software updates and connecting to unsecured networks (outside of the office). Once the network is compromised, exposing personal and enterprise information will follow.
This becomes an even greater problem once you consider the study done by Czech-based antivirus and security company Avast. According to a test they conducted a couple of months ago, even if a network’s security is quite lax, users would still connect to them.
Mobile Users at Risk
Avast’s test was conducted at the Barcelona Airport and had Mobile World Congress 2016 participants and visitors as subjects. The antivirus company observed and studied how many people would still connect to free but unsecured Wi-Fi networks. Avast discovered that over 2,000 users did not really care about security; they cared more about getting a free Wi-Fi connection. Additionally, the researchers who carried out the study admitted that most of the device and user identities were easily visible.
According to Avast’s president of mobile Gagan Singh, a lot of people know or are aware that connecting to an open Wi-Fi hotspot is dangerous. Then again, there are also many users who are not informed that they can actually change the settings of their devices to prevent them from automatically accessing and connecting to a free/open Wi-Fi network or hotspot.
Another study, this time conducted by Allot Communications, focused on 500,000 randomly sampled mobile data records. It revealed that mobile users are the ones who are most at risk of getting malware. Many of these users expose their devices to online danger when they download apps. There are still some users who do not fully comprehend what their unsecure mobile activity can give them (or their device). RiskIQ CEO and co-founder Elias Manousos stressed the need for employees to be properly informed or educated about the risk presented by their personal mobile activity, particularly those that involve downloading apps or pirated material.
BYOD in the Enterprise: The risks
As previously mentioned, accessing unsecured networks allows malware to get into a device or network. It can be that when an employee downloads an app, everything seemed normal. However, as the employee continues to use the app, it becomes more at risk for malware. Once infected, the virus can spread to the enterprise’s entire network, thereby compromising the company’s data and even the employees’ personal information.
This can likewise lead to threats from hackers, which, in the end can add more to the expenses of the company – as the management would counter the threats.
The biggest risk, though, is an enterprise that does not have its own BYOD policy. A company cannot just tell its employees, “Okay, everyone. It’s all right for you to bring your devices and connect to the company’s network”. There has to be a complete set of guidelines; policies that will set parameters to what sites can be accessed, what can and cannot be downloaded and other similar matters. Freedom is okay; but giving too much of it, especially in BYOD and enterprise security, can mean danger later on.
As such, aside from identifying the risk, it is important to know the exact requirements for a good BYOD enterprise security policy.
BYOD Enterprise Security Policy Tips
Of course, the first thing that needs to be done is to educate and inform employees. Not all employees understand the complete concept of a BYOD policy. Some know more and others know a little, but the rest may not really know anything. Let the employees discern that a security policy is important because BYOD can expose their devices and the company’s network to several dangers and risks like malware infiltration, data breaches and hackers.
Once the BYOD security policy is in place, all employees must be required to follow it. Companies can either ask employees to read and sign an agreement or come up with a program that can be used to monitor employees’ BYOD activities and adherence to the policy.
To strengthen the impact of employee education, a series of BYOD trainings can be facilitated for them.
It would also help if a BYOD policy will list in detail the devices that can be used in the office, as well as which operating systems can be utilized. Additionally, it will greatly help if employees are given a list of applications that they will be given access to.
A good way of keeping BYOD security in check is by asking all employees bringing and using all their devices to enter and use a personal identification number or PIN, or a password.
Finally, a company’s BYOD security policy should protect it from unforeseen instances like employee terminations and resignations. The most important thing to do is ensure that the employee’s device cannot anymore connect to the enterprise network. Restriction should be comprehensive.
Some companies may think that a BYOD policy and enterprise security cannot blend. It is, however, a fact that both are valuable for a business to succeed. Thus, both are a necessity. A company cannot have just one or the other; it needs to have both.
The best thing for companies to do is work on simplifying their network so that it can be protected. BYOD security policies, on the other hand, should be multilayered.
And, yes, a well-defined BYOD enterprise security policy is a major need.
Photo courtesy of Bernard Goldbach.