Why Organizations Should Still Care About BYOD

The conversation on bring your own device (BYOD) in the workplace has been going on for a while and it’s obviously more a given in some sectors than in others. Opinions among security experts on whether or not BYOD is a good idea depend on who you talk to. What is clear is that organizations may want to at least consider a BYOD program. Why? Because not only do many employees use their personal devices for work anyway, studies show that they’re more productive when they’re allowed to.

Though there are big benefits to having a BYOD program, including boosting employee productivity and morale, as well as possible cost savings, security risks are a critical concern. Employee non-compliance with updates and patches, more potential entry points for hackers and the lurking liability issues are all enough to make some organizations decide BYOD just isn’t worth it. Certainly, the risks must be weighed with the benefits.

Potential BYOD Risks and Drawbacks

Anticipated cost benefits. BYOD may not have the cost benefit for some organizations that they initially thought. “When you’re considering the cost, consider how much it’s going to cost you to implement the security controls necessary to comply with best practices for security,” says Kristi Horton, senior cybersecurity risk analyst at Gate 15. This should ideally include a mobile data management (MDM) or enterprise mobility management (EMM) product to remotely manage devices and keep the organization’s data secure. Additionally, many companies reimburse their employees for a percentage of their device’s costs, a practice that some states are working at putting into law. IBM recommends not basing your decision to implement BYOD on cost savings because there may be little or none.
Employee privacy. 77 percent of employees say they haven’t been trained about the risks of using their devices at work. If your organization is sued, employees’ personal data may be at risk, Horton notes. “Employees still expect privacy,” says Albert Lewis, CISSP, principal examiner for the Federal Housing Finance Agency (FHFA). “How do you achieve that when the organization that’s managing the content on your device can basically see everything?” When employees really understand the privacy risks, they may not want to use their own device for work.
Legal issues and/or costs. With increasing litigation over who’s responsible for the costs of cyber incidents, as well as new laws and regulations regarding how systems need to be managed to interact with sensitive data, there are a lot of potential legal ramifications to consider, says Horton. “If you look at all of the new liabilities between organizations and their third parties when it comes to who’s responsible,…almost every court ruling gives us some additional legal precedent that may cause us to rethink our policies for employees, for third parties, and how BYOD programs are managed, or even if a BYOD program is allowed,” she says.
Network overload. The reality is that with tablets, phones, watches and gaming devices, the average person now has four or five devices, for which many networks haven’t budgeted and may not have the capacity. Randy Marchany, chief information security officer at Virginia Tech, says this has been a big adaptation both IT and security have had to make there. This issue gets into the realm of the Internet of Things (IoT) as well since everything from X-ray machines to printers come with built-in web servers, he says.

How BYOD Has Changed

While BYOD is old news for sectors like technology and universities (Virginia Tech has had BYOD since 1984), here are some interesting ways it is evolving:

Adoption, acceptance and use. Though BYOD used to be limited, it has quickly expanded into all sorts of high-risk areas, says Horton. More than half of North American and European companies are working on BYOD programs thanks to employee demand.
An expanding market. The BYOD and enterprise management software markets are estimated to increase from $35.1 billion in 2015 to $73.3 billion by 2021.
Choose your own device (CYOD) is growing in popularity. This variation of BYOD allows businesses to offer their employees a choice from a pre-approved list of a company-owned and managed devices that they can use for work, typically IOS or Android. Lewis sees BYOD increasingly moving to CYOD. “When you buy devices in bulk, that’s a huge savings, plus you get to deploy and manage the devices the way you want to. That central management becomes a big part of the CYOD approach,” says Lewis. CYOD can increase employee satisfaction too, because employees don’t have to compromise their privacy at work, and if you offer a newer model, they’re especially pleased, Lewis says.
The Internet of Things (IoT). These days, everything from printers to watches to smart refrigerators to miscellaneous office equipment is on a network. 8.4 billion connected “things” are expected to be in use worldwide by the end of 2017, with 20.4 billion predicted to be in use by 2020. IoT devices can easily create security holes thanks to issues such as office equipment being installed by third-party vendors or the office staff, says Cody Mulla, infrastructure analyst at the Public Utility Commission of Texas. “That asset may go unnoticed because they don’t involve the IT department,” he says. “You have this whole siloed issue there where companies are going to have to really look at it holistically.”

Perhaps the biggest challenge with IoT devices is that buyers don’t have any control over their configurations. “We can’t tell an IoT manufacturer what they can put on their device, and there’s a lack of vendor awareness of the security issues,” Marchany says. “It’s kind of like if you’re living in a gated community, and every house in the gated community has no locks on the doors. So if you could hop the fence, you could get into any of these houses with no problem at all, yet you’re being sold the idea that you’ve got a gate there so the bad guys won’t get in.”

“You get people that just plug things into the network because they claim they need it for business, but it doesn’t go through the normal process for approval, and they figure no one will find it. I’ve seen situations where this causes security incidents,” says Harris Schwartz, executive security advisor at NTT Security. “The IoT devices are targets for attackers to compromise and create these zombie networks.”

But like BYOD, IoT isn’t going away. “We have learned from BYOD that we can’t stop this stuff. It’s coming,” says Jake Kouns, chief information security officer at Risk Based Security. “If you’re a security professional, the answer ‘no’ isn’t going to cut it. When people want to bring these consumer devices in and it’s no longer just a laptop or a phone, how are you going to control it, and what have we learned from the BYOD experience that can help us moving forward?”

BYOD Advice

If you don’t currently employ BYOD at your organization but you’re considering it, or you’re looking to improve your program, here are some tips.

Develop your policies first. Considering that a recent study showed that 21 percent of organizations have had a data breach thanks to a BYOD device, this point is key. “Take your top 20 critical security controls and apply them and see if a BYOD program is going to be easy to implement or maintain,” advises Jennifer Kazy, cybersecurity risk analyst for Gate 15.

“It’s important to create parameters around the use of BYOD devices and set allowable use,” says Schwartz. Questions to think about include: “What types of activities will be permitted to be performed on devices? What type of work activities? What type of data? Is that data regulated in terms of privacy security? Is your security monitoring platform already compatible with mobile devices and IoT? What types of devices will you let your employees or third parties bring into the workplace? How will you balance privacy with your need to protect the security and privacy of the corporate data?” Horton says.

“What are your goals? What are you trying to accomplish and why?” Lewis says. “Are your goals based on business needs and if so, what’s your strategy? Should you have a separate network? Do you have an endpoint management strategy that makes sense?”

Train your employees. Getting your workforce to understand the privacy risks, requirements, terms and rules around device security, especially BYOD devices, is absolutely essential. “Make them sign a piece of paper,” Horton advises. “It needs to be separate from their employee agreement, and it needs to be something that they consciously and transparently do.” Mulla believes that when employees understand the whys of security policy, it makes a big difference in compliance. “They start feeling like they’re doing something good and they’re helping,” he says.
Consider a CYOD program. “BYOD blurs the line between personal and work, and this has created IT shops that need to manage too many complex devices and employees who feel that they have no privacy on their personally owned devices,” says Lewis. “CYOD gives organizations control over one or two devices maximum, and gives employees the devices they want to use.” Looking at your potential policies and top 20 security controls can also help you decide if BYOD or CYOD is a better fit for your organization.
Keep an inventory of all devices on your network. “Unauthorized devices shouldn’t be allowed to connect,” says Horton. “Or they can be provisionally allowed to connect, but only to a limited network where we can verify configuration remotely. What this means is that every device that employees are bringing in needs to be registered in advance and properly configured before it’s allowed to connect.”

One approach Lewis has seen used, particularly with CYOD, is for companies to set up a separate, personal use Wi-Fi network that employees can use if they want to bring in their personal devices, while they use their work devices on a different network for work-related activities. This keeps work and personal lives separate, maintains personal device privacy and lets the organization maintain control over and mitigate risks from the work-issued device.

Mulla recommends separate networks as well, especially because of the limited built-in security that IoT devices have. “Understand what’s connected to your network at all times,” he says. “It’s important to monitor activity because if you have a spike in activity then that can be an indicator that something is wrong.”

Look into an enterprise mobility management system (EMM). Lewis recommends doing a maturity self-assessment before you decide to go with either BYOD or CYOD. This can also help you decide on the best EMM for your organization. EMM manages the entire device while mobile device management (MDM) only manages the device features. Endpoint management solutions are another technology that will likely become more mainstream in the future since they allow wearables, mobile, office and desktop devices to be managed together.
Do periodic checkups. Even if you implemented your BYOD program a long time ago, “it makes sense to do some auditing and checking that you’re not finding random things that aren’t implemented the way you expect,” says Kouns.

ON DEMAND: DevSecOps creates an environment of shared responsibility for security, where AppSec and development teams become more collaborative. With the right training and tools, developers can become more hands-on with security and, with that upskilling, stand out among their peers... however, they need the security specialists on-side, factoring them into securing code from the start and championing this mindset across the company.

Right now, in the pandemic environment, business leaders are balancing internal priorities – managing cost and impacts to productivity – with market and external priorities like government requirements, customer needs, and perceived standards of safety and health.

Why Organizations Should Still Care About BYOD