How Much Control Should Businesses Have Over BYOD Tools?
The Bring Your Own Device (BYOD) revolution is a polarizing phenomenon. On one hand, it cuts business costs significantly while encouraging employees to complete work-related tasks anywhere and anytime. On the other hand, it also has significant impacts on a business’s cybersecurity, potentially crippling an otherwise strong and stable security strategy.
BYOD makes maintaining pre-existing security strategies difficult for a few reasons. First, it calls into question the ownership of data. Business-related information might be intermingled with personal files, or worse, a laid-off or fired employee might take business data with them when they leave.
Second, workers using their own devices might be more relaxed about their cyber hygiene; they might generate weaker passwords, delay software updates, and pause antivirus scans because they are using a personal device. Finally, BYOD is dangerous for business security because it means the business loses control over its hardware.
Besides prohibiting BYOD, businesses have no single, easy way of eliminating all these risks – and banning BYOD often prevents businesses from becoming agile against competitors and attractive to new talent. The best solution is a combination of security actions that keep a business’s data and devices secure: management, policymaking, and control.
Managed BYOD – sometimes abbreviated to MBYOD – is the only viable solution for permitting BYOD while maintaining sufficient cybersecurity. In effect, managed BYOD consists of a tiered system of access to data and the corporate ecosystem. It begins with securing data at its source; then, businesses must secure data at rest and in transit; and finally, data must be secured within internal systems. By doing this, business leaders can effectively segregate personal data from enterprise data, removing the first risk of BYOD.
How a business defines its tiers is dependent on its size, device ecosystem, existing security, and other important factors. For example, a medium-sized business composed of mobile devices, desktops, servers, and IoT tools as well as client devices might separate this environment into four tiers, defined by the devices’ and users’ existing security and reliability. Once the tiers are determined, business leaders should develop policies for the system and make those policies readily available to employees – which brings us to the next step of the BYOD security process.
No two BYOD policies should be identical; they should be handcrafted by business leaders to acutely address the unique issues of their workforce. That said, the strategy for developing a BYOD policy is largely the same because all businesses must address the same important issues. These include:
- Device selection. What devices and platforms can employees use?
- Acceptable use. Which functions can a user access? What behaviors are acceptable on devices used for work?
- Reimbursement. Will the company pay for users’ devices and monthly services?
- Applications and security. What programs are prohibited, and which are permitted? Will the company’s security policy address necessary precautions for BYOD users?
- Agreements. How will the business ascertain the agreement of each BYOD user?
There are challenges to building a comprehensive policy. It is imperative that businesses define personal use of devices compared to business use and separate them as much as possible. Yet, even with a foolproof policy in place, businesses that cannot observe or control users’ hardware are destined to develop vulnerabilities – and data breaches will follow. Thus, we move to the last vital element of BYOD security.
Control and Containment
It doesn’t matter how thoroughly a business defines acceptable use, how complete a business’s whitelists and blacklists of devices and applications, if a business has no means of enforcing its policies. Fortunately, there is a simple solution to this rampant BYOD problem: endpoint control and mobile device management. These security tools give business’s IT departments access to users’ devices, allowing them to see installed applications, monitor behaviors, and retrieve or eradicate data. Ultimately, endpoint solutions return control of hardware to businesses, closing most vulnerabilities in the process.
Once the hardware is under business control, businesses can go about separating personal and business applications and data. Virtual desktop environments help contain business activities and information, as do dual persona and application wrappers. In fact, there are dozens of solutions businesses can employ to generate managed BYOD. However, if a business fails to establish the infrastructure needed for MBYOD – the defined tiers, the written and accessible policy, the endpoint control – successful management will not occur.
BYOD is difficult, but it is even more difficult when a business doesn’t put the work into considering its BYOD needs and wants. With a foundation of control, employees and businesses can enjoy safe and productive device use.