
Why Organizations Should Still Care About BYOD

How BYOD has changed... potential risks and advice from seasoned experts.

By Sarah Ludwig

Albert Lewis, CISSP, is a principal examiner for the Federal Housing Finance Agency (FHFA), a federal regulatory agency responsible for supervision, regulation, and housing mission oversight of Fannie Mae, Freddie Mac, and the Federal Home Loan Banking System. His primary focus is on planning and leading risk-based examinations in the areas of IT and cybersecurity. Photo courtesy of Albert Lewis

“I see it more as hampering business operations to try to limit BYOD,” says Cody Mulla, infrastructure analyst at Public Utility Commission of Texas. “You need to figure out a way to use it smartly and practically where you’re not going to get pushback.” Photo courtesy of Cody Mulla

“When a company is clear that there’s a policy for BYOD, people tend to understand that they can only connect to this network or they’re only allowed to use certain applications if they’re working or doing work-related activities,” says Harris Schwartz, executive security advisor at NTT Security. Photo courtesy of Harris Schwartz

“BYOD is a business decision and as security people, we’re going to support whatever you want to do and help you apply that right level of security,” says Jake Kouns, chief information security officer at Risk Based Security. “BYOD does bring in some additional risks, but it’s not like that can’t be managed.” Photo courtesy of Jake Kouns

“When we think about the real risks and the lengths we have to go to these days to protect our data, that’s why a lot of security teams still resist BYOD,” says Kristi Horton, senior cybersecurity risk analyst at Gate 15. “They’re the ones who have to comply with all the regulations and enforce policies.” Photo courtesy of Kristi Horton

“It’s the data element that’s the critical piece, not the device,” says Randy Marchany, chief information security officer at Virginia Tech. Photo courtesy of Randy Marchany

January 11, 2018

The conversation on bring your own device (BYOD) in the workplace has been going on for a while and it’s obviously more a given in some sectors than in others. Opinions among security experts on whether or not BYOD is a good idea depend on who you talk to. What is clear is that organizations may want to at least consider a BYOD program. Why? Because not only do many employees use their personal devices for work anyway, studies show that they’re more productive when they’re allowed to.

Though there are big benefits to having a BYOD program, including boosting employee productivity and morale, as well as possible cost savings, security risks are a critical concern. Employee non-compliance with updates and patches, more potential entry points for hackers and the lurking liability issues are all enough to make some organizations decide BYOD just isn’t worth it. Certainly, the risks must be weighed with the benefits.

 

Potential BYOD Risks and Drawbacks

  • Anticipated cost benefits. BYOD may not have the cost benefit for some organizations that they initially thought. “When you’re considering the cost, consider how much it’s going to cost you to implement the security controls necessary to comply with best practices for security,” says Kristi Horton, senior cybersecurity risk analyst at Gate 15. This should ideally include a mobile device management (MDM) or enterprise mobility management (EMM) product to remotely manage devices and keep the organization’s data secure. Additionally, many companies reimburse their employees for a percentage of their device’s costs, a practice that some states are working at putting into law. IBM recommends not basing your decision to implement BYOD on cost savings because there may be little or none.
  • Employee privacy. 77 percent of employees say they haven’t been trained about the risks of using their devices at work. If your organization is sued, employees’ personal data may be at risk, Horton notes. “Employees still expect privacy,” says Albert Lewis, CISSP, principal examiner for the Federal Housing Finance Agency (FHFA). “How do you achieve that when the organization that’s managing the content on your device can basically see everything?” When employees really understand the privacy risks, they may not want to use their own device for work.
  • Legal issues and/or costs. With increasing litigation over who’s responsible for the costs of cyber incidents, as well as new laws and regulations regarding how systems need to be managed to interact with sensitive data, there are a lot of potential legal ramifications to consider, says Horton. “If you look at all of the new liabilities between organizations and their third parties when it comes to who’s responsible,…almost every court ruling gives us some additional legal precedent that may cause us to rethink our policies for employees, for third parties, and how BYOD programs are managed, or even if a BYOD program is allowed,” she says.
  • Network overload. The reality is that with tablets, phones, watches and gaming devices, the average person now has four or five devices, for which many networks haven’t budgeted and may not have the capacity. Randy Marchany, chief information security officer at Virginia Tech, says this has been a big adaptation both IT and security have had to make there. This issue gets into the realm of the Internet of Things (IoT) as well, since everything from X-ray machines to printers comes with built-in web servers, he says.

 

How BYOD Has Changed

While BYOD is old news for sectors like technology and universities (Virginia Tech has had BYOD since 1984), here are some interesting ways it is evolving:

  • Adoption, acceptance and use. Though BYOD used to be limited, it has quickly expanded into all sorts of high-risk areas, says Horton. More than half of North American and European companies are working on BYOD programs thanks to employee demand.
  • An expanding market. The BYOD and enterprise management software markets are estimated to increase from $35.1 billion in 2015 to $73.3 billion by 2021.
  • Choose your own device (CYOD) is growing in popularity. This variation of BYOD allows businesses to offer their employees a choice from a pre-approved list of company-owned and managed devices that they can use for work, typically iOS or Android. Lewis sees BYOD increasingly moving to CYOD. “When you buy devices in bulk, that’s a huge savings, plus you get to deploy and manage the devices the way you want to. That central management becomes a big part of the CYOD approach,” says Lewis. CYOD can increase employee satisfaction too, because employees don’t have to compromise their privacy at work, and if you offer a newer model, they’re especially pleased, Lewis says.
  • The Internet of Things (IoT). These days, everything from printers to watches to smart refrigerators to miscellaneous office equipment is on a network. 8.4 billion connected “things” are expected to be in use worldwide by the end of 2017, with 20.4 billion predicted to be in use by 2020. IoT devices can easily create security holes thanks to issues such as office equipment being installed by third-party vendors or the office staff, says Cody Mulla, infrastructure analyst at the Public Utility Commission of Texas. “That asset may go unnoticed because they don’t involve the IT department,” he says. “You have this whole siloed issue there where companies are going to have to really look at it holistically.”

Perhaps the biggest challenge with IoT devices is that buyers don’t have any control over their configurations. “We can’t tell an IoT manufacturer what they can put on their device, and there’s a lack of vendor awareness of the security issues,” Marchany says. “It’s kind of like if you’re living in a gated community, and every house in the gated community has no locks on the doors. So if you could hop the fence, you could get into any of these houses with no problem at all, yet you’re being sold the idea that you’ve got a gate there so the bad guys won’t get in.”

“You get people that just plug things into the network because they claim they need it for business, but it doesn’t go through the normal process for approval, and they figure no one will find it. I’ve seen situations where this causes security incidents,” says Harris Schwartz, executive security advisor at NTT Security. “The IoT devices are targets for attackers to compromise and create these zombie networks.”

But like BYOD, IoT isn’t going away. “We have learned from BYOD that we can’t stop this stuff. It’s coming,” says Jake Kouns, chief information security officer at Risk Based Security. “If you’re a security professional, the answer ‘no’ isn’t going to cut it. When people want to bring these consumer devices in and it’s no longer just a laptop or a phone, how are you going to control it, and what have we learned from the BYOD experience that can help us moving forward?”

 

BYOD Advice

If you don’t currently employ BYOD at your organization but you’re considering it, or you’re looking to improve your program, here are some tips.

  • Develop your policies first. Considering that a recent study showed that 21 percent of organizations have had a data breach thanks to a BYOD device, this point is key. “Take your top 20 critical security controls and apply them and see if a BYOD program is going to be easy to implement or maintain,” advises Jennifer Kazy, cybersecurity risk analyst for Gate 15.

“It’s important to create parameters around the use of BYOD devices and set allowable use,” says Schwartz. Questions to think about include: “What types of activities will be permitted to be performed on devices? What type of work activities? What type of data? Is that data regulated in terms of privacy security? Is your security monitoring platform already compatible with mobile devices and IoT? What types of devices will you let your employees or third parties bring into the workplace? How will you balance privacy with your need to protect the security and privacy of the corporate data?” Horton says.

“What are your goals? What are you trying to accomplish and why?” Lewis says. “Are your goals based on business needs and if so, what’s your strategy? Should you have a separate network? Do you have an endpoint management strategy that makes sense?”

  • Train your employees. Getting your workforce to understand the privacy risks, requirements, terms and rules around device security, especially BYOD devices, is absolutely essential. “Make them sign a piece of paper,” Horton advises. “It needs to be separate from their employee agreement, and it needs to be something that they consciously and transparently do.” Mulla believes that when employees understand the whys of security policy, it makes a big difference in compliance. “They start feeling like they’re doing something good and they’re helping,” he says.
  • Consider a CYOD program. “BYOD blurs the line between personal and work, and this has created IT shops that need to manage too many complex devices and employees who feel that they have no privacy on their personally owned devices,” says Lewis. “CYOD gives organizations control over one or two devices maximum, and gives employees the devices they want to use.” Looking at your potential policies and top 20 security controls can also help you decide if BYOD or CYOD is a better fit for your organization.
  • Keep an inventory of all devices on your network. “Unauthorized devices shouldn’t be allowed to connect,” says Horton. “Or they can be provisionally allowed to connect, but only to a limited network where we can verify configuration remotely. What this means is that every device that employees are bringing in needs to be registered in advance and properly configured before it’s allowed to connect.”

One approach Lewis has seen used, particularly with CYOD, is for companies to set up a separate, personal use Wi-Fi network that employees can use if they want to bring in their personal devices, while they use their work devices on a different network for work-related activities. This keeps work and personal lives separate, maintains personal device privacy and lets the organization maintain control over and mitigate risks from the work-issued device.

Mulla recommends separate networks as well, especially because of the limited built-in security that IoT devices have. “Understand what’s connected to your network at all times,” he says. “It’s important to monitor activity because if you have a spike in activity then that can be an indicator that something is wrong.”

  • Look into an enterprise mobility management system (EMM). Lewis recommends doing a maturity self-assessment before you decide to go with either BYOD or CYOD. This can also help you decide on the best EMM for your organization. EMM manages the entire device while mobile device management (MDM) only manages the device features. Endpoint management solutions are another technology that will likely become more mainstream in the future since they allow wearables, mobile, office and desktop devices to be managed together.
  • Do periodic checkups. Even if you implemented your BYOD program a long time ago, “it makes sense to do some auditing and checking that you’re not finding random things that aren’t implemented the way you expect,” says Kouns.
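
The inventory, limited-network, monitoring and periodic-checkup advice above can be combined into one small audit. This is an added example, not code from the article or from the experts quoted; the MAC-keyed inventory, the segment names, the sample data and the three-standard-deviation threshold are all assumptions made for illustration.

```python
from dataclasses import dataclass
from statistics import mean, pstdev

@dataclass(frozen=True)
class Device:
    owner: str
    config_verified: bool  # set once configuration has been checked remotely

# Constructed inventory, keyed by MAC address for brevity. MACs are spoofable;
# a production control would key on a per-device certificate instead.
INVENTORY = {
    "aa:bb:cc:00:00:01": Device("alice", True),
    "aa:bb:cc:00:00:02": Device("bob", False),
}

# Hypothetical segment names, ordered from least to most access.
RANK = {"deny": 0, "limited": 1, "work": 2}

def norm(mac: str) -> str:
    """Normalise MAC formatting so lookups do not miss on case or separators."""
    return mac.strip().lower().replace("-", ":")

def allowed_segment(mac, inventory=INVENTORY, provisional=False):
    """Most access a device may have: unregistered devices are denied (or sent
    to the limited network when provisional access is enabled); registered but
    unverified devices stay limited; verified devices reach the work network."""
    dev = inventory.get(norm(mac))
    if dev is None:
        return "limited" if provisional else "deny"
    return "work" if dev.config_verified else "limited"

def audit(observed, inventory=INVENTORY, provisional=False):
    """observed: (mac, segment) pairs seen on the network. Returns the devices
    sitting on a segment with more access than the policy allows."""
    findings = []
    for mac, segment in observed:
        allowed = allowed_segment(mac, inventory, provisional)
        if RANK[segment] > RANK[allowed]:
            findings.append((norm(mac), segment, allowed))
    return findings

def spiking(history, latest, k=3.0, floor=1.0):
    """True when the latest traffic sample exceeds the baseline mean by more
    than k standard deviations. floor avoids a zero-width band on flat data."""
    if len(history) < 3:
        return False  # too little baseline to judge
    sigma = max(pstdev(history), floor)
    return latest > mean(history) + k * sigma

# Constructed observations: (MAC, segment the device was found on).
OBSERVED = [
    ("AA-BB-CC-00-00-01", "work"),     # registered and verified
    ("aa:bb:cc:00:00:02", "work"),     # registered, configuration unverified
    ("de:ad:be:ef:00:99", "limited"),  # never registered
]
BASELINE_MB_PER_HOUR = [120, 135, 110, 128, 140]  # constructed traffic history

if __name__ == "__main__":
    for mac, found, allowed in audit(OBSERVED):
        print(f"{mac}: on '{found}', policy allows '{allowed}'")
    print("spike:", spiking(BASELINE_MB_PER_HOUR, 900))
```
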