The way we work is changing. Employees want, or even expect, the freedom and ability to work from anywhere, anytime, on any device. That blurring of lines between home and work life means workers will often use their own devices – whether that’s a laptop, tablet, or smartphone – to conduct business.
Employees often bring personal devices into the workplace too, and while on the surface this might not seem like a big deal, it can create endless headaches for the IT department and the broader organization.
Here we look at some of the challenges that companies face and how they can keep their businesses secure and compliant while affording team members the flexibility to use their personal devices in the workplace.
Top Tips for Making BYOD Secure
Alex Ryals, VP of security solutions at tech distributor Tech Data, offers the following tips for securing employees’ devices:
Encryption of laptop hard drives with a technology such as Microsoft Bitlocker. This ensures that if the device is stolen, the data is safe as long as the thief doesn’t have the encryption key.
The device should be configured to use complex passwords that expire after three to six months to ensure the employee changes their password regularly.
Current anti-virus and anti-malware software, often provided by the company, should be installed and running.
An approved VPN client should be installed and used by the employee any time they are not on the corporate network.
Enable automatic OS updates on the laptop to ensure the device is patched regularly.
A best practice, even for personal devices, is to require the installation of a desktop management application, such as Microsoft System Center Configuration Manager, to catalog installed applications and limit network access for devices with known vulnerable apps installed.
Define a policy to limit the use of acceptable apps and cloud services for the storage of corporate information.
Why Is BYOD so Popular?
BYOD stands for bring your own device and is a term coined to describe the trend of employees using their own laptops, phones and other devices at work. The movement gained traction when people began to find that the consumer tech they used in their personal lives was preferred, easier to navigate, or more efficient than the sometimes-outdated IT they were expected to use at work.
This ‘consumerization of IT’ encourages those using the latest smartphone, device or productivity apps in their personal lives to expect the same level of functionality in the workplace–and if that isn’t an option, they will simply use their own device.
Another factor is an increasingly mobile workforce. A 2017 Gallup study shows 43 percent of Americans spend at least some time working remotely, which means employees today expect to be able to do their job from anywhere, at any time. It’s commonplace to check work email from the couch after hours or work on a presentation at a café, on the train home from work or even while en route to a business meeting at 30,000 feet in the air.
Additionally, there has been a steady increase in the number of freelance workers in recent years, which are expected to use their own devices and software, even when contracted to work on-site at an organization.
So What’s the Problem?
The benefits of BYOD are numerous. Employees tend to show better productivity when they use devices familiar to them and enjoy a personalized experience that increases their satisfaction. It can also save the employer money–notably a reduction in the cost of device procurement, employee data plans and IT management. Plus, hardware upgrade cycles could be prolonged as end users take more responsibility for supplying devices and paying for services, for example.
But while the flood of personal devices into businesses might seem like a natural progression in our consumer-led, IT on demand world, it can cause a host of security and other problems for employers.
“Even with the benefits, such as increased productivity and employee satisfaction, there are security concerns that can pose significant risks to businesses ill-equipped to address them,” Michael Cantor, chief technology officer at Park Place Technologies, which provides third-party hardware maintenance and IT support services, tells Tom’s Hardware. “Lack of oversight, malware exposure, compliance requirements, data leaks and device theft all make BYOD security a big mess.”
For example, employees think little of downloading applications that they think will drive productivity to their devices and often don’t consider the security vulnerabilities they could be introducing to the company network.
Earlier this year network management and security company A10 Networks published its Application Intelligence Report, which noted that nearly a third (30 percent) of employees admit to knowingly using non-sanctioned apps at work, despite incidents such as Google removing 700,000 potentially harmful apps from its Play Store in 2017. Of those who use unapproved apps, 51 percent claim “everybody does it,” while 36 percent say they believe their IT department doesn’t have the right to tell them what apps they can’t use.
“Through careless and sometimes negligent behavior with corporate assets and applications, employees are swinging the cybersecurity doors wide open, leaving their companies vulnerable,” notes the report.
Meanwhile, 33 percent claim their company’s IT department doesn’t give them access to the apps they need to do their jobs. Why not use a WhatsApp group message to communicate with colleagues? Why not store sensitive documents in Dropbox for ease of access?
The answer is that as well as the obvious security risks, IT admins cannot guarantee corporate or user privacy. Individual teams that use competing or siloed technology makes collaboration difficult. On top of that, there are the costs associated with paying for separate software licenses.
Implementing a BYOD Policy
Because of the deluge of personal apps and devices finding their way onto corporate networks, IT teams have been forced to implement BYOD strategies to help monitor and manage personal device use across this increasingly distributed workforce.
“Given that the biggest security risk to any organization are employees and their lack of discipline when it comes to security best practices, BYOD can be a slippery slope if not implemented with a strict set of security policies and controls,” Alex Ryals, VP of security solutions at tech distributor Tech Data, tells Tom’s Hardware.
But where to start? Ryals says it is critical that an organization inspects all devices before allowing them onto the corporate network.
“An easy way to ensure a device is compliant is by placing some corporate services behind a tightly controlled firewall only accessible through a VPN client into the corporate network,” he advises. “This forces the employee to take their device to IT to have the security certificate for the VPN client installed on the employee’s personal laptop and also allows IT the opportunity to inspect the device for compliance to corporate security policies.”
Park Place’s Cantor also maintains that there are steps IT can take to make sure BYOD programs are executed safely and securely.
“For starters, they should perform a comprehensive risk assessment that considers how devices engage with personal and company data and update it regularly. They should also develop a clear policy on how personal devices should be used, implementing tools like mobile device management to help enforce it,” he says. “With device-specific tools like MAC [media access control] address identifiers and identity access management solutions, IT departments can monitor the devices accessing company resources and protect their data from suspicious activity and unauthorized access.”
Just as important as the technology you use to support BYOD, Cantor adds, are the people behind the screens.
“IT personnel should be seen by employees as a key resource when they offer assistance in managing their devices and application settings. Having a positive relationship will enable IT to upskill employees to enacting security measures when needed,” he notes.
The problem of employee-owned devices in the workplace isn’t going anywhere. In fact, the IT department will have an even harder job managing personal devices with the expected explosion of Internet of Things IoT endpoints, including wearable smart devices, hitting the network.
Nevertheless, says Ryals: “The risk of corporate exposure through BYOD devices is great, but by defining clear acceptable use policies for employees who use their own devices, the risk can be mitigated to an acceptable level. However, the employee has to be willing to give up a little bit of their freedom and convenience for the privilege.”