Is BYOD Good or Bad for Your Business?

Credit: Shutterstock | Oleggg

The way we work is changing. Employees want, or even expect, the freedom and ability to work from anywhere, anytime, on any device. That blurring of lines between home and work life means workers will often use their own devices – whether that’s a laptop, tablet, or smartphone – to conduct business.

Employees often bring personal devices into the workplace too, and while on the surface this might not seem like a big deal, it can create endless headaches for the IT department and the broader organization.

Here we look at some of the challenges that companies face and how they can keep their businesses secure and compliant while affording team members the flexibility to use their personal devices in the workplace.

Top Tips for Making BYOD Secure

Alex Ryals, VP of security solutions at tech distributor Tech Data, offers the following tips for securing employees’ devices:

  • Encryption of laptop hard drives with a technology such as Microsoft BitLocker. This ensures that if the device is stolen, the data is safe as long as the thief doesn’t have the encryption key.
  • The device should be configured to use complex passwords that expire after three to six months to ensure the employee changes their password regularly.
  • Current anti-virus and anti-malware software, often provided by the company, should be installed and running.
  • An approved VPN client should be installed and used by the employee any time they are not on the corporate network.
  • Enable automatic OS updates on the laptop to ensure the device is patched regularly.
  • A best practice, even for personal devices, is to require the installation of a desktop management application, such as Microsoft System Center Configuration Manager, to catalog installed applications and limit network access for devices with known vulnerable apps installed.
  • Define a policy to limit the use of acceptable apps and cloud services for the storage of corporate information.
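The tips above amount to a device posture check that decides how much network access a personal device gets. The following is an added example, not code from the article or from Tech Data; the class, field names, thresholds, app names and the sample fleet are all constructed assumptions.

```python
from dataclasses import dataclass, field

# Constructed policy data; every name and threshold here is an assumption.
KNOWN_VULNERABLE = {("ExampleReader", "1.0"), ("DemoSync", "2.3")}
APPROVED_CLOUD = {"CorpDrive"}
MAX_PASSWORD_AGE_DAYS = 180      # upper end of "three to six months"
MAX_AV_SIGNATURE_AGE_DAYS = 7

@dataclass
class Device:
    owner: str
    disk_encrypted: bool = False
    password_complex: bool = False
    password_max_age_days: int = 0       # 0 means passwords never expire
    av_running: bool = False
    av_signature_age_days: int = 9999
    vpn_client: bool = False
    auto_updates: bool = False
    mgmt_agent: bool = False
    apps: dict = field(default_factory=dict)           # app name -> version
    cloud_services: set = field(default_factory=set)   # storage services in use

def findings(d: Device) -> list:
    """Return one message per tip the device fails (empty list = compliant)."""
    bad_apps = sorted(n for n, v in d.apps.items() if (n, v) in KNOWN_VULNERABLE)
    bad_cloud = sorted(d.cloud_services - APPROVED_CLOUD)
    checks = [
        (d.disk_encrypted, "disk not encrypted"),
        (d.password_complex, "password complexity not enforced"),
        (0 < d.password_max_age_days <= MAX_PASSWORD_AGE_DAYS,
         "password expiry missing or too long"),
        (d.av_running and d.av_signature_age_days <= MAX_AV_SIGNATURE_AGE_DAYS,
         "anti-malware not running or stale"),
        (d.vpn_client, "approved VPN client missing"),
        (d.auto_updates, "automatic OS updates disabled"),
        (d.mgmt_agent, "management agent missing"),
        (not bad_apps, "known vulnerable apps: " + ", ".join(bad_apps)),
        (not bad_cloud, "unsanctioned cloud storage: " + ", ".join(bad_cloud)),
    ]
    return [msg for ok, msg in checks if not ok]

def network_access(d: Device) -> str:
    """Full access only for a clean device; anything else gets limited access."""
    return "corporate" if not findings(d) else "limited"

# Constructed sample inventory, as a management agent might report it.
FLEET = [
    Device("alice", True, True, 90, True, 1, True, True, True,
           {"ExampleReader": "2.1"}, {"CorpDrive"}),
    Device("bob", True, True, 90, True, 1, True, True, True,
           {"DemoSync": "2.3"}, {"CorpDrive", "PersonalBox"}),
    Device("carol", False, True, 0, True, 30, True, False, True),
]

if __name__ == "__main__":
    for dev in FLEET:
        print(dev.owner, network_access(dev), findings(dev))
```
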

Why Is BYOD so Popular?

BYOD stands for bring your own device and is a term coined to describe the trend of employees using their own laptops, phones and other devices at work. The movement gained traction when people began to find that the consumer tech they used in their personal lives was preferred, easier to navigate, or more efficient than the sometimes-outdated IT they were expected to use at work.

This ‘consumerization of IT’ encourages those using the latest smartphone, device or productivity apps in their personal lives to expect the same level of functionality in the workplace–and if that isn’t an option, they will simply use their own device.

Another factor is an increasingly mobile workforce. A 2017 Gallup study shows 43 percent of Americans spend at least some time working remotely, which means employees today expect to be able to do their job from anywhere, at any time. It’s commonplace to check work email from the couch after hours or work on a presentation at a café, on the train home from work or even while en route to a business meeting at 30,000 feet in the air.

Additionally, there has been a steady increase in the number of freelance workers in recent years, who are expected to use their own devices and software, even when contracted to work on-site at an organization.

So What’s the Problem?

The benefits of BYOD are numerous. Employees tend to show better productivity when they use devices familiar to them and enjoy a personalized experience that increases their satisfaction. It can also save the employer money–notably a reduction in the cost of device procurement, employee data plans and IT management. Plus, hardware upgrade cycles could be prolonged as end users take more responsibility for supplying devices and paying for services, for example.

But while the flood of personal devices into businesses might seem like a natural progression in our consumer-led, IT-on-demand world, it can cause a host of security and other problems for employers.

“Even with the benefits, such as increased productivity and employee satisfaction, there are security concerns that can pose significant risks to businesses ill-equipped to address them,” Michael Cantor, chief technology officer at Park Place Technologies, which provides third-party hardware maintenance and IT support services, tells Tom’s Hardware. “Lack of oversight, malware exposure, compliance requirements, data leaks and device theft all make BYOD security a big mess.”

For example, employees think little of downloading applications that they think will drive productivity to their devices and often don’t consider the security vulnerabilities they could be introducing to the company network.

Earlier this year network management and security company A10 Networks published its Application Intelligence Report, which noted that nearly a third (30 percent) of employees admit to knowingly using non-sanctioned apps at work, despite incidents such as Google removing 700,000 potentially harmful apps from its Play Store in 2017. Of those who use unapproved apps, 51 percent claim “everybody does it,” while 36 percent say they believe their IT department doesn’t have the right to tell them what apps they can’t use.

“Through careless and sometimes negligent behavior with corporate assets and applications, employees are swinging the cybersecurity doors wide open, leaving their companies vulnerable,” notes the report.

Meanwhile, 33 percent claim their company’s IT department doesn’t give them access to the apps they need to do their jobs. Why not use a WhatsApp group message to communicate with colleagues? Why not store sensitive documents in Dropbox for ease of access?

The answer is that, as well as the obvious security risks, IT admins cannot guarantee corporate or user privacy. Individual teams using competing or siloed technology make collaboration difficult. On top of that, there are the costs associated with paying for separate software licenses.

Implementing a BYOD Policy

Because of the deluge of personal apps and devices finding their way onto corporate networks, IT teams have been forced to implement BYOD strategies to help monitor and manage personal device use across this increasingly distributed workforce.

“Given that the biggest security risk to any organization are employees and their lack of discipline when it comes to security best practices, BYOD can be a slippery slope if not implemented with a strict set of security policies and controls,” Alex Ryals, VP of security solutions at tech distributor Tech Data, tells Tom’s Hardware.

But where to start? Ryals says it is critical that an organization inspects all devices before allowing them onto the corporate network.

“An easy way to ensure a device is compliant is by placing some corporate services behind a tightly controlled firewall only accessible through a VPN client into the corporate network,” he advises. “This forces the employee to take their device to IT to have the security certificate for the VPN client installed on the employee’s personal laptop and also allows IT the opportunity to inspect the device for compliance to corporate security policies.”

Park Place’s Cantor also maintains that there are steps IT can take to make sure BYOD programs are executed safely and securely.

“For starters, they should perform a comprehensive risk assessment that considers how devices engage with personal and company data and update it regularly. They should also develop a clear policy on how personal devices should be used, implementing tools like mobile device management to help enforce it,” he says. “With device-specific tools like MAC [media access control] address identifiers and identity access management solutions, IT departments can monitor the devices accessing company resources and protect their data from suspicious activity and unauthorized access.”

Just as important as the technology you use to support BYOD, Cantor adds, are the people behind the screens.

“IT personnel should be seen by employees as a key resource when they offer assistance in managing their devices and application settings. Having a positive relationship will enable IT to upskill employees to enacting security measures when needed,” he notes.

The problem of employee-owned devices in the workplace isn’t going anywhere. In fact, the IT department will have an even harder job managing personal devices with the expected explosion of Internet of Things (IoT) endpoints, including wearable smart devices, hitting the network.

Nevertheless, says Ryals: “The risk of corporate exposure through BYOD devices is great, but by defining clear acceptable use policies for employees who use their own devices, the risk can be mitigated to an acceptable level. However, the employee has to be willing to give up a little bit of their freedom and convenience for the privilege.”

  • nobspls
    The problem is not the devices. The problem is always the people, (a.k.a the select few idiots) and hopefully not some malicious bad actors (paid moles, spies, etc. like by Russia, China, or commercial/industrial competitors) that makes BYOD a serious security problem.
  • popatim
    It makes things challenging that's for sure. Not only do you need additional security, which certainly isn't free nor cheap, you wind up with the added workload supporting the myriad of users and their oddball devices which they believe you have to resolve all their issues even if it doesn't pertain to the company software. We even had to try installing our security software on old things like iPad 1s that cannot even run a current version of iOS much less our software. Then there are the people that think you have to train them on how to use their chosen device. I must get at least 2 calls a night of users wanting to connect their new device and have no clue on how to even download an app from the app store; and if it's an Apple they usually have no idea what their iCloud password is to further complicate the issue.

    I'm not saying I don't enjoy what I do, because I do, it's that sometimes when you are very busy the neophyte calls are not what you want to get right then. LoL
  • nobspls
    2132427 said:
    ... paid moles, spies, etc. like by US, United States, or US allies) that makes BYOD a serious security problem.

    Oh come on why hate on the U.S? The most ubiquitous BYOD device is a USB thumb drive. Stuxnet by the U.S. worked wonders on Iran.
  • jakjawagon
    The device should be configured to use complex passwords that expire after three to six months to ensure the employee ~~changes~~ forgets their password regularly

  • pug_s
    I work in IT and it is much cheaper for BYOD than the company owning your device. 1) They don't have to pay for your device. A new iPhone costs $800-1000 and the cost savings is huge. 2) Paying your monthly bill for your cell phone service is peanuts compared to them buying the cell phone service and having insurance for your device. They don't have to keep an extra device in case you break yours. 3) Companies can easily manage your device by paying for an MDM (mobile device management) solution like MaaS360 (Fiberlink), AirWatch or MobileIron.
  • nobspls
    I do software development and provide support for our IT. The thing is bottom line there is no cheap security. You can go cheaper and be less secure, or you got to pay more for more. BYOD can be substantially cheaper, but it is also substantially less secure. The place I work has taken the policy of not even allowing USB thumb drives, the most commonplace BYOD device; that little thing on your key chain is strictly verboten! You are also not allowed to attach your phone to the machines at your desk, not even for charging. They are so freaked out about that next "STUXNET" that can jump the air gap and send data out of the network.
  • anushua.gorai
    BYOD involves some security risks. But, over a period of time, it offers significant revenue gains and productivity increase. It is advisable for enterprises to filter the benefits and costs through a lens of risk. The true benefit of BYOD lies in improving employee experience. For any BYOD policy, to start giving returns, takes at least 3 years.
  • pdxitgirl
    I constantly have issues with BYOD devices, due to Apple's moronic inability to allow their devices to be properly managed in an enterprise environment. Even the best MDMs are still far too limited, and often prevented from doing their job by iOS overpowering them, resetting things we explicitly set, and the like. I really detest having to support personal & mobile devices of any type. At least keeping the personal devices on a VLAN-separated Guest wireless network, and not allowing company data on them, helps. But even company-owned iPads are nearly impossible to cleanly manage properly, regardless of the MDM we employ.
  • pdxitgirl
    NOBSPLS wrote:
    "The problem is not the devices. The problem is always the people, (a.k.a the select few idiots) and hopefully not some malicious bad actors (paid moles, spies, etc. like by Russia, China, or commercial/industrial competitors) that makes BYOD a serious security problem."

    No, the problem is most definitely the devices in my experience. We can train our users, and they do pretty well. But there are so many problems getting mobile devices to behave properly on our corporate network, whether personal or company-owned. Android is a little better about respecting the MDMs, but both Android and iOS are atrocious at simply doing what we ask them to. Even Windows & macOS seem to cause more and more issues as they both veer away from corporate and into this consumer, mobile touchscreen mindset that just drives me up the wall. "Professional" or "Enterprise" doesn't mean crap anymore in the Microsoft world, for example, it still comes bundled with crap that should never exist on a corporate OS and for some inane reason, you often can't disable.

    When my startup actually launches, employees' personal devices WON'T TOUCH the company network OR any of its files!!
  • pdxitgirl
    "BYOD involves some security risks. But, over a period of time, it offers significant revenue gains and productivity increase. It is advisable for enterprises to filter the benefits and costs through a lens of risk. The true benefit of BYOD lies in improving employee experience. For any BYOD policy, to start giving returns, takes at least 3 years."

    I find this VERY hard to believe. How on earth does this give revenue or productivity gains!?! If the company needs to provide an employee with a phone to get hold of them, then even a basic smartphone SHOULD work fine. They aren't at work for fun or games, and the trend of allowing employees to play on their phone during the day is NOT a good one to allow to continue. Most employees at most companies, however, shouldn't be expected to be "available" after hours, nor should they be required to be checking their email after hours, thus there really should not be a need for a company-provided smartphone. And again, if it's being able to get hold of them in emergencies, they can either call their personal phone, or provide a cheap smartphone. Otherwise, personal phones should exist on an isolated Guest wifi network WITHOUT access to company data or email.

    If they need to get work done outside of the office, they should be able to use their company laptop. If they are a road warrior (a big IF -- most employees at most companies aren't), then MAYBE they justify the expense of a reasonably-priced smartphone. But only if they NEED access to email on-the-go. "Improving employee experience??!" I do hope this isn't giving in to the young people who THINK they need fancy smartphones to do their jobs.

    And as NOBSPLS stated, there is no cheap security. I disagree STRONGLY with PUG_S. Most MDMs I've used don't manage mobile devices well, especially on iOS which is so strongly aimed at consumer that it just doesn't play well with enterprise-minded policies or lockdowns. And who wants to allow their employer to take control of their expensive, PERSONAL smartphone?? Few do. These things should never mix.

    I see personal, BYOD devices as far too problematic and risky for business / work use. Especially given what people do on their personal phones. IF they truly need to access email and work files on the go, and their company laptop won't suffice, then the company should provide a reasonably-priced smartphone. Doesn't need to be top end. Otherwise, the idea that an employee must be reachable after hours is wrong and needs to stop, unless they're in IT and on call. Thus there should NOT be a need for a smartphone for each employee. They can use their own phones on segmented, Guest WiFi while at work **on breaks or lunch only**, otherwise **it has no reason to be used during work, or accessing company data.** And even Guest WiFi is being generous -- they're there to work, not play online.

    People THINK they need all sorts of things, especially younger people. Heck, security-wise, they should be locking up their personal devices before entering the office, in my eyes. It's just not worth the security risk for BYOD. The added expense should be worth it where needed, and nowhere else.

    It's time we stopped this nonsense.