By: Nihad Hassan
September 16, 2021
Creating A BYOD Policy
The new trend of remote work is expanding rapidly to include all types of organizations in different industries. The COVID-19 pandemic boosted remote work, and although the pandemic is slowly beginning to fade, there is no sign that businesses are abandoning the remote work paradigm.
BYOD is an acronym for Bring Your Own Device. It is the practice of allowing employees to use their own computing devices (such as laptops, tablets, or smartphones) instead of company-managed devices. The term also covers the practice of using employees' devices to access the corporate network (work files, email system, databases) remotely, which has become the norm today, especially during the ongoing pandemic. BYOD also reduces IT spending for startups.
To demonstrate how the BYOD trend is increasing steadily, here are some fresh statistics for 2021:
- 67% of employees use personal computing devices at work.
- 69% of IT decision-makers in the U.S. think BYOD is suitable for businesses.
- 59% of organizations adopt BYOD.
- 85% of organizations implemented BYOD policies because of the COVID-19 pandemic (Modern Intelligence).
- The BYOD market is projected to reach $367 billion by 2022, according to betanews.
Utilizing BYOD at work brings numerous benefits to organizations, such as increased productivity, lower operational costs, and greater employee trust and confidence in their organization. However, it also expands the organization's attack surface and gives attackers relatively easy access to sensitive work information stored on employees' less secure devices.
Before we dive into writing an effective BYOD policy, let us first talk briefly about the most significant risks associated with adopting BYOD.
Top Five BYOD security risks
BYOD introduces various security challenges for organizations; many studies show that stolen devices containing sensitive information were the leading cause of significant data breaches. The following are the top five BYOD security risks.
Stolen Computing Devices
According to Venturebeat, 41% of all data breaches resulted from lost laptops, tablets, smartphones, and thumb drives. Many CISOs consider stolen or lost BYOD devices the most significant security risk, as they give attackers a ready entry point.
Employees' devices are less secure than managed work devices. Users who aren't tech-savvy may not follow proper security measures when installing programs downloaded from the internet or when browsing the web. Many may not be aware that malware can infect smartphones and spy on all their activities, including through their cameras and microphones. Antivirus applications, operating systems, and installed applications may not be up to date on employees' devices. Malicious actors can exploit all these weaknesses to gain an entry point into employee devices and, subsequently, the corporate network.
Accessing enterprise resources over untrusted networks
Many employees may need to access their work email on the go using free public Wi-Fi, such as what's available in coffee shops, restaurants, and airports. Such free connections are not secure and are commonly targeted by threat actors to intercept exchanged data, such as user credentials and other sensitive information.
Using cloud storage
Cloud storage services such as Google Drive and Dropbox provide a good amount of free storage to their users. Employees may find it convenient to store their work files on these free services, moving sensitive work files to the cloud. Free cloud services are preferred targets for malicious actors.
Using different computing devices/operating system types
When allowing employees to utilize their own devices at work, one cannot expect all employees to use the same device type and OS version. For example, some employees may have iPhones; others, Android devices; still others, Linux or various Windows versions. Creating a policy or a technical framework to handle the complexity of all employees' device types is challenging.
Developing Bring Your Own Device Policy
Each organization will have its own BYOD policy that governs employees' use of personal computing devices for work-related purposes. This section discusses the key points that should be covered in any BYOD policy, regardless of organization type or size.
Make a List of Allowed Devices
Decide which device types are allowed, along with their operating system version and other hardware requirements where applicable. For example, all laptops should have a TPM (Trusted Platform Module, a hardware component used to perform cryptographic functions) and Windows 8 or 10 installed. The same holds for smartphones and other Internet of Things (IoT) devices: you should specify the minimum operating system and related security requirements.
Enforce strong security policy on employees' devices
Organizations commonly enforce strict policies on user password creation to secure work devices and accounts. The same should apply to personal devices: all employees should use strong, complex passwords to secure their local accounts (e.g., Windows login). Mobile touch screens should be locked with a passcode or screen gesture.
Ensure the privacy of your employees' data
When employees use their devices for work, an organization's data and applications reside on the same machine as the employee's personal data. Ensure the work applications do not pose any privacy risks to your employees' stored data, and do not use the capabilities of employees' devices to collect personal information about them. For example, smartphones record their users' location when location services are enabled; the organization should not use this feature to gather personal information about employees.
Decide which applications are allowed and which are not
Specify which applications are allowed to be installed on employee devices and which are banned. For example, users commonly install personal smartphone applications, such as social, sports, VPN, and other productivity applications. Your BYOD policy should specify whether any of these application types should be banned to protect company work files (e.g., some free VPN services may inject malware into the system, compromising the device).
The BYOD policy should also declare whether the organization may install security products, such as antivirus, firewall, and anti-malware software, on employee-owned devices, and how such products will be updated.
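As an added example (not part of the original article), here is a small Python checker that evaluates a constructed device inventory against the three policy points above: allowed OS and minimum version, TPM on laptops, screen lock on phones, and banned application categories. The version thresholds, device records and application categories are assumptions chosen for illustration, not values from any real MDM product.

```python
from dataclasses import dataclass, field

# Assumed policy choices: minimum OS version per platform, TPM required on
# laptops, screen lock required on phones, and banned application categories.
MIN_OS_VERSION = {"windows": (10, 0), "ios": (15, 0), "android": (12, 0)}
BANNED_APP_CATEGORIES = {"free-vpn", "sideloaded"}

@dataclass
class Device:
    owner: str
    kind: str             # "laptop" or "phone"
    os_name: str
    os_version: str       # dotted string such as "10.0.19043"
    has_tpm: bool = False
    screen_lock: bool = False
    apps: list = field(default_factory=list)   # (app name, category) pairs

def parse_version(text):
    """'10.0.19043' -> (10, 0, 19043, 0, 0); zero padding makes '10' equal '10.0'."""
    return tuple(int(p) for p in text.split(".") if p.isdigit()) + (0, 0)

def evaluate(device, policy=MIN_OS_VERSION):
    """Return the list of policy violations; an empty list means compliant."""
    violations = []
    minimum = policy.get(device.os_name)
    if minimum is None:
        violations.append(f"OS {device.os_name} not on allowed list")
    elif parse_version(device.os_version)[:len(minimum)] < minimum:
        violations.append(f"OS version {device.os_version} below minimum")
    if device.kind == "laptop" and not device.has_tpm:
        violations.append("laptop lacks TPM")
    if device.kind == "phone" and not device.screen_lock:
        violations.append("phone has no screen lock")
    for name, category in device.apps:
        if category in BANNED_APP_CATEGORIES:
            violations.append(f"banned app installed: {name} ({category})")
    return violations

# Constructed inventory: three hypothetical employee devices.
INVENTORY = [
    Device("alice", "laptop", "windows", "10.0.19043", has_tpm=True),
    Device("bob", "phone", "android", "11.0", screen_lock=True,
           apps=[("FreeTunnel", "free-vpn")]),
    Device("carol", "laptop", "linux", "5.15"),
]

if __name__ == "__main__":
    for d in INVENTORY:
        print(d.owner, evaluate(d) or "compliant")
```

A real deployment would feed `evaluate()` from an MDM or endpoint inventory export and gate network or email access on an empty violation list.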
Define what will happen when discarding employees' devices used for work-related purposes
Organizations should enforce a data destruction policy (both physical and logical) when discarding old computing devices and storage units. However, how can this policy be implemented for employee-owned devices? For example, an employee may want to sell an old laptop that they have used to access and process sensitive work information. Your BYOD security policy should clearly define how such devices should be treated in case of loss, damage, or sale. For instance, the hard drive should be wiped securely by the organization's IT department to avoid leaking confidential work files.
Termination of employment
The BYOD policy should specify how employees' devices used for work purposes should be secured after an employee leaves the organization. For instance, the employee should hand their device to the IT department, which inspects it for any work-related data and removes it accordingly.
The organization should have the required tools to back up personal data on employees' devices before wiping the device's storage.
Finally, all employees wishing to use their own devices for work purposes should sign the BYOD usage policy, which clearly defines the obligations that come with using personal devices at work or processing and storing work information at home, and how the company will handle any violation of the acceptable usage agreement.
Bring Your Own Device (BYOD) is an evolving technological trend that allows employees to access corporate resources and data using their own devices. This trend will increase significantly in the coming years as more organizations adopt the work-from-home model. This article explained the term BYOD, outlined the main risks of adopting it, and noted the key points that any BYOD policy document should contain.