Is BYOD Good or Bad for Your Business?

The way we work is changing. Employees want, or even expect, the freedom and ability to work from anywhere, anytime, on any device. That blurring of lines between home and work life means workers will often use their own devices – whether that’s a laptop, tablet, or smartphone – to conduct business.

Employees often bring personal devices into the workplace too, and while on the surface this might not seem like a big deal, it can create endless headaches for the IT department and the broader organization.

Here we look at some of the challenges that companies face and how they can keep their businesses secure and compliant while affording team members the flexibility to use their personal devices in the workplace.

Top Tips for Making BYOD Secure

Alex Ryals, VP of security solutions at tech distributor Tech Data, offers the following tips for securing employees’ devices:

  • Encryption of laptop hard drives with a technology such as Microsoft BitLocker. This ensures that if the device is stolen, the data is safe as long as the thief doesn’t have the encryption key.
  • The device should be configured to use complex passwords that expire after three to six months to ensure the employee changes their password regularly.
  • Current anti-virus and anti-malware software, often provided by the company, should be installed and running.
  • An approved VPN client should be installed and used by the employee any time they are not on the corporate network.
  • Enable automatic OS updates on the laptop to ensure the device is patched regularly.
  • A best practice, even for personal devices, is to require the installation of a desktop management application, such as Microsoft System Center Configuration Manager, to catalog installed applications and limit network access for devices with known vulnerable apps installed.
  • Define a policy to limit the use of acceptable apps and cloud services for the storage of corporate information.
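
The checklist above can be enforced as a posture check before a personal device is allowed onto the network. The sketch below is an added example, not code from the article or from Tech Data; the record fields, the 180-day password age, the deny/quarantine split and the vulnerable-app list are assumptions, and the device records are constructed.

```python
from dataclasses import dataclass, field
from datetime import date

MAX_PASSWORD_AGE_DAYS = 180  # assumed: upper end of "three to six months"
# Constructed deny-list of (app, version) pairs treated as known vulnerable.
VULNERABLE_APPS = {("examplepdf", "9.1"), ("oldvpn", "2.0")}
HARD_FAILS = {"disk-not-encrypted", "vpn-client-not-approved"}  # assumed policy

@dataclass
class Device:  # hypothetical inventory record, e.g. exported by a management agent
    owner: str
    disk_encrypted: bool
    password_changed: date
    av_running: bool
    vpn_client_approved: bool
    auto_updates: bool
    apps: dict = field(default_factory=dict)  # app name -> installed version

def findings(dev, today):
    """Return the checklist items this device fails, in checklist order."""
    checks = [
        (not dev.disk_encrypted, "disk-not-encrypted"),
        ((today - dev.password_changed).days > MAX_PASSWORD_AGE_DAYS, "password-expired"),
        (not dev.av_running, "av-not-running"),
        (not dev.vpn_client_approved, "vpn-client-not-approved"),
        (not dev.auto_updates, "auto-updates-off"),
    ]
    out = [label for failed, label in checks if failed]
    out += [f"vulnerable-app:{n.lower()}-{v}" for n, v in sorted(dev.apps.items())
            if (n.lower(), v) in VULNERABLE_APPS]
    return out

def decide(dev, today):
    """deny on a missing core control, quarantine on fixable drift, else allow."""
    f = findings(dev, today)
    if HARD_FAILS.intersection(f):
        return "deny", f
    return ("quarantine" if f else "allow"), f

# Constructed device records for illustration.
TODAY = date(2024, 6, 1)
GOOD = Device("alice", True, date(2024, 4, 1), True, True, True, {"Browser": "120"})
DRIFT = Device("bob", True, date(2023, 10, 1), True, True, False, {"ExamplePDF": "9.1"})
UNENCRYPTED = Device("carol", False, date(2024, 5, 1), True, True, True)

if __name__ == "__main__":
    for d in (GOOD, DRIFT, UNENCRYPTED):
        print(d.owner, *decide(d, TODAY))
```

Returning the individual findings alongside the decision lets the help desk tell the employee exactly what to fix before the device is re-checked.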

BYOD stands for bring your own device and is a term coined to describe the trend of employees using their own laptops, phones and other devices at work. The movement gained traction when people began to find that the consumer tech they used in their personal lives was preferred, easier to navigate, or more efficient than the sometimes-outdated IT they were expected to use at work.

This ‘consumerization of IT’ encourages those using the latest smartphone, device or productivity apps in their personal lives to expect the same level of functionality in the workplace–and if that isn’t an option, they will simply use their own device.

Another factor is an increasingly mobile workforce. A 2017 Gallup study shows 43 percent of Americans spend at least some time working remotely, which means employees today expect to be able to do their job from anywhere, at any time. It’s commonplace to check work email from the couch after hours or work on a presentation at a café, on the train home from work or even while en route to a business meeting at 30,000 feet in the air.

Additionally, there has been a steady increase in the number of freelance workers in recent years, who are expected to use their own devices and software, even when contracted to work on-site at an organization.

So What’s the Problem?

The benefits of BYOD are numerous. Employees tend to show better productivity when they use devices familiar to them and enjoy a personalized experience that increases their satisfaction. It can also save the employer money–notably a reduction in the cost of device procurement, employee data plans and IT management. Plus, hardware upgrade cycles could be prolonged as end users take more responsibility for supplying devices and paying for services, for example.

But while the flood of personal devices into businesses might seem like a natural progression in our consumer-led, IT-on-demand world, it can cause a host of security and other problems for employers.

“Even with the benefits, such as increased productivity and employee satisfaction, there are security concerns that can pose significant risks to businesses ill-equipped to address them,” Michael Cantor, chief technology officer at Park Place Technologies, which provides third-party hardware maintenance and IT support services, tells Tom’s Hardware. “Lack of oversight, malware exposure, compliance requirements, data leaks and device theft all make BYOD security a big mess.”

For example, employees think little of downloading to their devices applications that they think will drive productivity, and often don’t consider the security vulnerabilities they could be introducing to the company network.

Earlier this year network management and security company A10 Networks published its Application Intelligence Report, which noted that nearly a third (30 percent) of employees admit to knowingly using non-sanctioned apps at work, despite incidents such as Google removing 700,000 potentially harmful apps from its Play Store in 2017. Of those who use unapproved apps, 51 percent claim “everybody does it,” while 36 percent say they believe their IT department doesn’t have the right to tell them what apps they can’t use.

“Through careless and sometimes negligent behavior with corporate assets and applications, employees are swinging the cybersecurity doors wide open, leaving their companies vulnerable,” notes the report.

Meanwhile, 33 percent claim their company’s IT department doesn’t give them access to the apps they need to do their jobs. Why not use a WhatsApp group message to communicate with colleagues? Why not store sensitive documents in Dropbox for ease of access?

The answer is that, as well as the obvious security risks, IT admins cannot guarantee corporate or user privacy. Individual teams that use competing or siloed technology make collaboration difficult. On top of that, there are the costs associated with paying for separate software licenses.

Implementing a BYOD Policy

Because of the deluge of personal apps and devices finding their way onto corporate networks, IT teams have been forced to implement BYOD strategies to help monitor and manage personal device use across this increasingly distributed workforce.

“Given that the biggest security risk to any organization are employees and their lack of discipline when it comes to security best practices, BYOD can be a slippery slope if not implemented with a strict set of security policies and controls,” Alex Ryals, VP of security solutions at tech distributor Tech Data, tells Tom’s Hardware.

But where to start? Ryals says it is critical that an organization inspects all devices before allowing them onto the corporate network.

“An easy way to ensure a device is compliant is by placing some corporate services behind a tightly controlled firewall only accessible through a VPN client into the corporate network,” he advises. “This forces the employee to take their device to IT to have the security certificate for the VPN client installed on the employee’s personal laptop and also allows IT the opportunity to inspect the device for compliance to corporate security policies.”

Park Place’s Cantor also maintains that there are steps IT can take to make sure BYOD programs are executed safely and securely.

“For starters, they should perform a comprehensive risk assessment that considers how devices engage with personal and company data and update it regularly. They should also develop a clear policy on how personal devices should be used, implementing tools like mobile device management to help enforce it,” he says. “With device-specific tools like MAC [media access control] address identifiers and identity access management solutions, IT departments can monitor the devices accessing company resources and protect their data from suspicious activity and unauthorized access.”

Just as important as the technology you use to support BYOD, Cantor adds, are the people behind the screens.

“IT personnel should be seen by employees as a key resource when they offer assistance in managing their devices and application settings. Having a positive relationship will enable IT to upskill employees to enacting security measures when needed,” he notes.

The problem of employee-owned devices in the workplace isn’t going anywhere. In fact, the IT department will have an even harder job managing personal devices with the expected explosion of Internet of Things (IoT) endpoints, including wearable smart devices, hitting the network.

Nevertheless, says Ryals: “The risk of corporate exposure through BYOD devices is great, but by defining clear acceptable use policies for employees who use their own devices, the risk can be mitigated to an acceptable level. However, the employee has to be willing to give up a little bit of their freedom and convenience for the privilege.”

  • nobspls
    The problem is not the devices. The problem is always the people, (a.k.a. the select few idiots) and hopefully not some malicious bad actors (paid moles, spies, etc. like by Russia, China, or commercial/industrial competitors) that makes BYOD a serious security problem.
  • popatim
    It makes things challenging, that's for sure. Not only do you need additional security, which certainly isn't free nor cheap, you wind up with the added workload supporting the myriad of users and their oddball devices which they believe you have to resolve all their issues even if it doesn't pertain to the company software. We even had to try installing our security software on old things like iPad 1's that cannot even run a current version of iOS much less our software. Then there are the people that think you have to train them on how to use their chosen device. I must get at least 2 calls a night of users wanting to connect their new device and have no clue on how to even download an app from the app store; and if it's an Apple they usually have no idea what their iCloud password is to further complicate the issue.

    I'm not saying I don't enjoy what I do, because I do, it's that sometimes when you are very busy the neophyte calls are not what you want to get right then. LoL
  • nobspls
    21342124 said:
    ... paid moles, spies, etc. like by US, United State, or US allies) that makes BYOD a serious security problem.

    Oh come on why hate on the U.S? The most ubiquitous BYOD device is a USB thumb drive. Stuxnet by the U.S. worked wonders on Iran.
  • jakjawagon
    The device should be configured to use complex passwords that expire after three to six months to ensure the employee changes forgets their password regularly
    ftfy
  • pug_s
    I work in IT and it is much cheaper for BYOD than the company owning your device. 1) They don't have to pay for your device. A new iPhone costs $800-1000 and the cost savings is huge. 2) Paying your monthly bill for your cell phone service is peanuts compared to them buying the cell phone service and having insurance for your device. They don't have to keep extra devices in case you break yours. 3) Companies can easily manage your device by paying for an MDM (mobile device management) solution like MaaS360 (Fiberlink), AirWatch or MobileIron.
  • nobspls
    I do software development and provide support for our IT. The thing is, bottom line, there is no cheap security. You can go cheaper and be less secure, or you got to pay more for more. BYOD can be substantially cheaper, but it is also substantially less secure. The place I work has taken the policy of not even allowing USB thumb drives, the most commonplace BYOD device; that little thing on your key chain is strictly verboten! You are also not allowed to attach your phone to the machines at your desk, not even for charging. They are so freaked out about that next "STUXNET" that can jump the air gap and send data out of the network.
  • mischon123
    Hardening IT means less IT on island and IT free business processes. Like this:

    http://i0.wp.com/www.ebonheart.net/view/bird-toy-famous-alms-inspirational-lovely-drinking-desk-typing-keyboard-birds-executive-style-bobbing-dimensions-of-a-aetna-pharmacy-help-pne-number-vintage-water-novelty.jpg?resize=890,700&strip=all

    No need for execs to have a phone or laptop.
  • anushua.gorai
    BYOD involves some security risks. But, over a period of time, it offers significant revenue gains and productivity increase. It is advisable for enterprises to filter the benefits and costs through a lens of risk. The true benefit of BYOD lies in improving employee experience. For any BYOD policy, to start giving returns, takes at least 3 years.
  • pdxitgirl
    I constantly have issues with BYOD devices, due to Apple's moronic inability to allow their devices to be properly managed in an enterprise environment. Even the best MDMs are still far too limited, and often prevented from doing their job by iOS overpowering them, resetting things we explicitly set, and the like. I really detest having to support personal & mobile devices of any type. At least keeping the personal devices on a VLAN-separated Guest wireless network, and not allowing company data on them, helps. But even company-owned iPads are nearly impossible to cleanly manage properly, regardless of the MDM we employ.
  • pdxitgirl
    NOBSPLS wrote:
    "The problem is not the devices. The problem is always the people, (a.k.a. the select few idiots) and hopefully not some malicious bad actors (paid moles, spies, etc. like by Russia, China, or commercial/industrial competitors) that makes BYOD a serious security problem."

    No, the problem is most definitely the devices in my experience. We can train our users, and they do pretty well. But there are so many problems getting mobile devices to behave properly on our corporate network, whether personal or company-owned. Android is a little better about respecting the MDMs, but both Android and iOS are atrocious at simply doing what we ask them to. Even Windows & macOS seem to cause more and more issues as they both veer away from corporate and into this consumer, mobile touchscreen mindset that just drives me up the wall. "Professional" or "Enterprise" doesn't mean crap anymore in the Microsoft world, for example, it still comes bundled with crap that should never exist on a corporate OS and for some inane reason, you often can't disable.

    When my startup actually launches, employees' personal devices WON'T TOUCH the company network OR any of its files!!