BYOD, which stands for “bring your own device,” is a program that allows employees to use personal devices (often mobile devices) for work purposes. These programs have grown increasingly popular in recent years due to their benefits to employees and companies alike. In general, employees have higher productivity and improved morale with BYOD, and enterprises benefit from cost savings and faster employee onboarding.
However, BYOD programs also introduce security risks to the organization since corporate data and applications are accessed and stored on devices that the company doesn’t own or fully control. An effective BYOD program is one that implements BYOD cyber security best practices and has BYOD policies that are clearly defined and enforced to protect the company, its data, and its employees.
Why Is Bring Your Own Device Security Important?
Companies are increasingly allowing employees to work from personal devices. This practice is great for employees who get to work with familiar devices that boast the most up-to-date technology, but it also introduces significant security threats to the organization.
While an organization may enforce security policies and install corporate endpoint security solutions on company-owned devices, the same may not be true of an employee’s personal devices. Additionally, BYOD devices may be used for personal use as well and may be accessible to multiple parties within the household. BYOD also introduces serious questions about regulatory compliance and an organization’s control over the sensitive data in its possession.
All of these factors make BYOD security an important component of any BYOD program. Before allowing employees’ personal devices to access corporate applications and systems, the organization should evaluate the potential risks and vulnerabilities and identify BYOD security measures that enable the organization to balance the potential security risks of BYOD with its benefits to the organization.
For example, requiring the use of endpoint security solutions on BYOD systems and mandating that employees promptly install updates to reduce the threat of security vulnerabilities is a good start toward a BYOD security policy.
BYOD Pros and Cons
While BYOD programs are increasingly common, they have both advantages and disadvantages:
Pros of BYOD
Many companies are adopting BYOD policies because of the numerous benefits that they provide, which include the following:
- Reduced Technology Costs: If an organization provides its employees with company-owned devices, then it has to pay to acquire these systems. In contrast, a BYOD policy allows employees to use their own devices, which come at no cost to the company, reducing IT expenditures.
- Cutting-Edge Technology: Because employees fund their own equipment upgrades, the organization benefits from more up-to-date technology than it would typically purchase itself.
- Employee Satisfaction: An employee’s personal device is one that they selected and that they are familiar with and comfortable using. Support for BYOD helps to improve employee satisfaction and morale by enabling employees to use these preferred devices rather than forcing them to work with a company-selected system.
- Faster Onboarding: When a new employee joins an organization, it takes time for them to receive and set up their new devices and become comfortable and efficient at using them. If an employee works from their own personal devices, these systems are already set up and configured based on the user’s personal preferences, reducing the time spent on employee onboarding.
Cons of BYOD
BYOD policies also have their disadvantages, including numerous remote working security risks. Some of the main challenges and cyber security threats that BYOD programs introduce include the following:
- Increased Security Complexity: A BYOD program allows a wide variety of devices that are not under the control of the company to access corporate systems, applications, and data. The security required to protect corporate IT assets against potential threats introduced by employee-owned devices is significantly more complicated than if all devices are owned by the company and limited to a few types of devices and OSes.
- No Uniform End-User Support: Employees commonly depend on IT support staff to help them troubleshoot and correct the various issues that they might encounter when doing their jobs. With a BYOD program, the IT staff can’t develop playbooks for addressing common issues because the wide variety of user devices can create significant differences in the issues that end users face and their solutions.
- Device as a Distraction: When an employee works from a corporate device, they are limited in the websites that they can browse and the applications that can be installed on it. An employee-owned device, on the other hand, may have games, social media apps, and other software that can serve as a distraction to employees.
- Data Privacy: Companies commonly inspect the web traffic flowing over their networks for malware, data exfiltration, and other potential threats. With BYOD, there is the potential that users will perform personal activities — such as online banking — on these devices that could expose personal information to the company and violate the user’s privacy.
- Regulatory Compliance: Several data privacy laws require companies to demonstrate that they have control over sensitive customer data and that data is not transferred outside of approved jurisdictions. With BYOD, companies may struggle to demonstrate data control, and an employee taking their device with them on vacation may result in a violation of data transfer laws.
- Data Retrieval for Departing Employees: Data loss when employees are departing is a common problem for organizations since many employees will take their work and data with them to their next job. Protecting against this data exfiltration is even more difficult with BYOD because corporate data may be stored on personally-owned devices that employees will not return to the company upon their departure.
How to Develop a Bring Your Own Device Policy
BYOD provides significant benefits to an organization, but it can also create major security challenges. One of the most important steps to making BYOD work is developing a BYOD and remote working security policy.
To do so, follow these four steps:
#1. Plan: Planning how BYOD works in advance is an essential first step to an effective BYOD management strategy. If an organization allows BYOD without defining ground rules in advance, it is much more difficult to retroactively apply and enforce security policies. During the planning stage, an organization should develop a strategy for identifying and managing BYOD devices and for designing a network environment that can support them securely. For example, an organization may wish to implement network access control (NAC) to restrict employee-owned devices’ access to corporate assets and require the installation of endpoint security solutions on personal devices granted access to corporate data and systems.
#2. Secure and manage: During the planning stage, the organization should have developed a strategy for tracking, managing, and securing employee-owned devices both on and off of the corporate network. During this step, the company should implement and test its planned strategy. This includes acquiring, deploying, and configuring security tools, defining policies, and testing to ensure that the system can secure corporate assets and scale to meet demand.
#3. Communicate policies: A secure BYOD program requires employee buy-in and cooperation. An endpoint security solution is essential to protecting corporate data and applications on personally-owned devices, and employees need to choose to install these tools on their devices. Before an end-user is permitted to use a personal device for work, they should sign a BYOD policy that outlines security requirements for personal devices and acceptable use of corporate data and systems. Once employees understand and agree to these requirements, the organization can take steps to enforce them, such as installing endpoint solutions on devices to protect corporate data.
#4. Support: Ideally, defining and implementing a BYOD policy would create a usable and secure system for the company and its employees. In reality, employees will likely experience issues with complying with corporate security policies, accessing company applications and systems, and other aspects of their daily work. To prepare for this, IT staff should be trained on common issues and how to resolve them to provide rapid support for users and decrease the risk of shadow IT. Additionally, IT should periodically perform retrospectives and solicit feedback from employees to identify common pain points and devise strategies for addressing them.
BYOD Policies That Are Important to Consider
A BYOD policy needs to address all of the possible use cases and security risks that BYOD users may encounter – this ranges from daily use to how to address a potential security incident.
Some common policies that are important to define and include in a BYOD program include the following:
- Acceptable Devices: While an organization may permit the use of personal devices for business, it may not wish to allow employees to work from any device. For example, a company may forbid the use of devices with known security issues or connecting personal Internet of Things (IoT) devices to corporate networks. This policy defines the systems that are and are not permitted to access corporate data and systems.
- Device Management: If an end user’s device lags behind on security updates, uses insecure software, or has other security issues, then it may place corporate systems and data at risk. This policy defines rules for devices allowed to connect to corporate networks and access company data, such as denying access to BYOD devices that have not installed the latest version of their OS.
- Software Requirements: An organization may wish to define requirements on the types of software that must and must not be installed on devices used for business purposes. For example, a company may mandate the installation of endpoint security and secure remote access software on BYOD systems and forbid the installation of certain types of software.
- Acceptable Use: While employees may own the devices that they use for work, these devices may be connected to corporate networks and applications. A BYOD policy should define acceptable use of corporate resources, such as forbidding the use of social media while connected to corporate networks.
- Password Requirements: Compromised user accounts are a common cause of data breaches and other security incidents as cybercriminals abuse a user’s legitimate access and privileges. This policy can mandate the use of a strong password to reduce the risk that a lost or stolen device will leak corporate data.
- Termination Policy: When an employee leaves an organization, the data stored on personal devices may go with them. A termination policy defines the procedures that will be used to remove corporate data and applications from personally-owned devices upon the termination of employment at an organization.
- Lost/Stolen Device Management: A personally-owned device may be lost, stolen, or otherwise compromised. A BYOD policy should include policies and methods for wiping lost and stolen devices to protect sensitive corporate data from being compromised.
BYOD Best Practices
When implementing common BYOD best practices – such as endpoint security and remote wipe functionality – it is also important to ensure that a BYOD program meets an organization’s unique needs. When designing the program, it is important to consider the various internal and external requirements that the program needs to fulfill. For example, companies operating in particular industries may need to provide employees with certain software and capabilities and comply with industry regulations and standards. Beyond these industry-specific needs, companies are also subject to various regulations designed to protect customers’ sensitive data against unauthorized use and potential breach.
These external requirements — as well as an organization’s internal business and security needs — inform a corporate BYOD policy and the solutions needed to implement it securely. For example, an organization managing extremely sensitive data or operating specialized software may wish to use desktop virtualization software to provide a consistent operating environment that ensures that sensitive data remains under the organization’s control. Companies with significant cloud-based infrastructure need to ensure that users have high-performance, secure access to their various cloud environments. Organizations with a large remote workforce should implement remote work security best practices and ensure that all employees have secure remote access to corporate environments and software.
BYOD Policy Template Sample
With a variety of situations and security risks to consider, ensuring that BYOD policies cover all relevant information and policies can be difficult.
However, numerous resources are available to help organizations to get started on the journey of developing and implementing BYOD best practices and policies. For example, the National Cyber Security Society (NCSS) has published a BYOD sample template that provides an outline and sample verbiage for many of the most common BYOD policies. Companies can modify, personalize, and expand this template to meet their unique needs. For example, an organization may wish to require longer passwords than those defined within the template or define additional rules specific to the types of sensitive data and corporate systems accessible from BYOD systems.
What Level of Access Does BYOD Provide Its End Users?
In theory, an organization could allow BYOD systems to have the same level of permissions and access as a company-owned device, treating the two as interchangeable. However, BYOD introduces additional security risks, and it may make sense to restrict the access that employee-owned devices have to corporate data and systems.
Companies can manage the access of BYOD devices in the workplace via a variety of remote device management systems. On corporate networks, a NAC solution can be used to define rules for BYOD access to corporate networks and systems. Identity and access management (IAM) systems can also be configured to take device characteristics into account when deciding whether to permit or deny an access request. With zero-trust network access (ZTNA), access policies can even be configured so that applications and systems that a device can’t access are completely invisible to it.
Which Types of Employees Is BYOD Relevant For?
Any employee within an organization may wish to take advantage of a BYOD policy. The ability to work from personally-owned devices is widely appealing and a common booster of employee morale.
However, a BYOD policy may be more useful for some types of workers than others. For example, salespeople, management, tech workers, and other employees who travel frequently might prefer to downsize the number of devices that they need to carry with them. Developers, IT and security personnel, and other technically-inclined workers may have strong preferences about the systems they work with. A company may also benefit from a BYOD policy when working with contractors, hourly workers, and other personnel who may have their own devices and for whom issuing a corporate-owned device doesn’t make sense.
How to Provide Secure Remote Access With BYOD
One of the most important aspects of a BYOD program is providing employees with secure remote access to corporate data, systems, and applications. Organizations can accomplish this by deploying a few key solutions.
Mobile Device Management (MDM)
Mobile device management (MDM) software is installed on user devices to enable an organization to manage these devices and protect corporate data and applications. With MDM, IT security teams can monitor the state of devices for potential security risks, push out actions, and achieve centralized visibility into devices with access to corporate data and systems.
Some of the benefits of MDM for BYOD include the following:
- Policy Enforcement: With MDM, an organization can define security policies and actually ensure that they are enforced. For example, MDM can track devices’ locations and monitor their state to see if endpoint security applications are installed, running, and up-to-date.
- Device Visibility: MDM solutions can help to address the security complexity of BYOD programs by centralizing visibility into mobile devices. IT and security personnel can centrally monitor systems for potential usability and security issues.
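The Device Management policy above, the device-aware IAM decisions described under access levels, and the MDM checks on whether endpoint security is installed, running, and up to date all come down to the same thing: evaluating a device posture report against a set of BYOD rules before granting access. The following Python is an added example, not code from the original article or from any MDM or IAM vendor. It assumes a posture report with the fields shown (an MDM agent would supply the real ones), and the policy thresholds, platform names, and sample reports are constructed for illustration. The engine is fail-closed: every failed rule is collected so the user and the help desk can see exactly why a device was denied.

```python
"""Device-posture evaluation for BYOD access decisions (added example)."""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional


@dataclass
class DevicePosture:
    """What an MDM agent reports about a device (assumed field set)."""
    device_id: str
    platform: str                       # e.g. "ios", "android", "windows", "macos"
    os_version: str                     # dotted version string, e.g. "17.4.1"
    epp_installed: bool                 # endpoint protection present
    epp_running: bool                   # endpoint protection actually running
    epp_signature_date: Optional[date]  # last update of EPP signatures/engine
    screen_lock: bool
    disk_encrypted: bool
    jailbroken_or_rooted: bool


@dataclass
class ByodPolicy:
    """Rules of the kind a BYOD Device Management policy defines (assumed values)."""
    min_os_version: dict[str, str]
    max_signature_age_days: int = 7
    allowed_platforms: tuple[str, ...] = ("ios", "android", "windows", "macos")


@dataclass
class Decision:
    allowed: bool
    reasons: list[str] = field(default_factory=list)


def parse_version(v: str) -> tuple[int, ...]:
    """Turn "17.4.1" or "10.0.19045" into a comparable tuple; non-digits are ignored."""
    parts = []
    for piece in v.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def version_at_least(actual: str, required: str) -> bool:
    """Compare versions component-wise, padding so "17.4" equals "17.4.0"."""
    a, r = parse_version(actual), parse_version(required)
    n = max(len(a), len(r))
    a += (0,) * (n - len(a))
    r += (0,) * (n - len(r))
    return a >= r


def evaluate(posture: DevicePosture, policy: ByodPolicy, today: Optional[date] = None) -> Decision:
    """Return allow/deny plus every rule the device failed (fail-closed)."""
    today = today or date.today()
    reasons: list[str] = []

    if posture.platform not in policy.allowed_platforms:
        reasons.append(f"platform {posture.platform!r} is not an acceptable device type")
    if posture.jailbroken_or_rooted:
        reasons.append("device is jailbroken or rooted")

    required = policy.min_os_version.get(posture.platform)
    if required and not version_at_least(posture.os_version, required):
        reasons.append(f"OS {posture.os_version} is below required {required}")

    # Endpoint protection: installed, running, and recently updated, in that order.
    if not posture.epp_installed:
        reasons.append("endpoint protection is not installed")
    elif not posture.epp_running:
        reasons.append("endpoint protection is installed but not running")
    elif (posture.epp_signature_date is None
          or today - posture.epp_signature_date > timedelta(days=policy.max_signature_age_days)):
        reasons.append("endpoint protection is out of date")

    if not posture.screen_lock:
        reasons.append("no screen lock configured")
    if not posture.disk_encrypted:
        reasons.append("device storage is not encrypted")

    return Decision(allowed=not reasons, reasons=reasons)


# Constructed sample policy and posture reports (not real devices).
POLICY = ByodPolicy(min_os_version={"ios": "17.0", "android": "14", "windows": "10.0.19045", "macos": "14.0"})
AS_OF = date(2024, 6, 1)

SAMPLE_COMPLIANT = DevicePosture("phone-001", "ios", "17.5", True, True, date(2024, 5, 30), True, True, False)
SAMPLE_OUTDATED = DevicePosture("phone-002", "android", "12", True, True, date(2024, 4, 1), True, True, False)
SAMPLE_UNMANAGED = DevicePosture("laptop-003", "windows", "10.0.19045", False, False, None, True, False, False)


if __name__ == "__main__":
    for sample in (SAMPLE_COMPLIANT, SAMPLE_OUTDATED, SAMPLE_UNMANAGED):
        d = evaluate(sample, POLICY, today=AS_OF)
        print(sample.device_id, "ALLOW" if d.allowed else "DENY", d.reasons)
```

In practice the posture report would come from the MDM agent and the decision would be consumed by the NAC or IAM policy engine; the point of collecting every failed rule rather than stopping at the first is that the user (and the support staff in step #4) can remediate all of them in one pass instead of being bounced back repeatedly.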
Endpoint Protection Platforms (EPP)
Endpoint protection platforms (EPP) focus on securing the devices where they are deployed. An EPP can prevent the installation of malware on managed devices and support remote, centralized threat detection and remediation for BYOD systems.
Some of the aspects of BYOD security addressed by EPP include the following:
- Device Security: EPP solutions help to prevent and remediate security threats to endpoints. This helps to ensure that personally-owned devices don’t pose a threat to corporate data and systems.
- Regulatory Compliance: Data protection regulations commonly mandate that companies implement certain security controls on devices with access to sensitive, protected customer data. Deploying EPP as part of a BYOD program helps to meet these security requirements.
Desktop Virtualization: VDI and DaaS
Desktop virtualization solutions such as virtual desktop infrastructure (VDI) and desktop as a service (DaaS) improve the usability and security of a BYOD program. By providing employees with remote access to systems under the company’s control, an organization can help ensure the usability of corporate applications and reduce the risk of data breaches.
The benefits of desktop virtualization for BYOD include the following:
- Improved Support: BYOD programs make IT support more difficult due to the variety of employee-owned systems in use. Desktop virtualization makes it possible for the company to support a single, company-defined environment that employees can access from any device.
- Data Loss Prevention: With desktop virtualization, an organization can allow employees to work from personally-owned devices without the need to store corporate data and applications on these devices. This reduces the risk that data will accidentally be exposed by these devices.
Venn Software
Venn Software is designed to enable secure work on personally-owned devices. Venn’s software creates a secure enclave on a user’s device that isolates corporate data and applications from personal apps. Venn software can enforce corporate security policies and remotely wipe data in the secure enclave if a device is lost, stolen, or otherwise compromised.
This isolated environment provides significant benefits to the company and its employees, including the following:
- Security Policy Enforcement: With Venn software, the secure enclave is under the control of the organization. Inside the enclave, the company can enforce its security policies and ensure that all traffic is routed through the corporate gateway for security inspection and policy enforcement.
- Data Control and Security: Corporate data and applications within the secure enclave can be monitored, managed, and secured by the organization. This isolated enclave ensures that a company can protect its data even on personally-owned devices.
- Employee Privacy: With Venn, the company can only monitor and secure data and applications within the secure enclave. Personal activities performed outside of the secure enclave are kept private.
The Rising Trend of BYO-PC (Bring Your Own Personal Computer)
Often, the term BYOD is used to refer to the use of any personal electronic device for work. However, especially with the growth of remote work, employees are increasingly working from personally-owned PCs. This trend is sometimes referred to as bring your own PC (BYO-PC) and introduces different usability and security challenges from those of BYOD programs. To learn more, check out our guide article on ‘What is BYO PC?’
FAQ
What does BYOD mean?
BYOD stands for “bring your own device” and refers to the trend of allowing employees to work from personally-owned devices — most commonly mobile devices — instead of company-owned systems.
Why does an organization use BYOD?
Organizations adopt BYOD programs because they can provide various benefits to the company and its employees. Common benefits of BYOD programs include improved employee morale, lower IT costs, the ability to use more up-to-date technology, and faster employee onboarding.
What are the challenges with a BYOD policy?
BYOD programs can create IT and security challenges for an organization. For example, these policies mean that IT departments must support a wider range of systems, and security teams must protect corporate data and applications installed on devices not owned by the organization.
How does BYOD work?
A BYOD program begins with a BYOD policy that defines the rules for how employees can use personal devices for business. If an employee chooses to opt in, the company may use various security and management tools to monitor and enforce compliance with corporate policies.
What is an example of BYOD in practice?
An organization may have employees who commonly travel for business, such as managers or salespeople. If the company allows them to use personal phones to check email, access corporate apps, and perform other work tasks, then this is an example of a BYOD program.