BYOD policy, or are personal devices suitable for work?
A BYOD policy has been a cause for some intense debate. For years, many companies have attempted to reap its benefits while also balancing endpoint security. However, when employees have permission to use their personal devices for work-related purposes, those devices require exhaustive governance. If companies blur the line between professional and private lives, they must consider enacting a comprehensive BYOD policy. We shall look at the meaning of BYOD, its advantages, common dangers, and practical security tips.
What is a BYOD policy?
BYOD (Bring Your Own Device) is the practice of employees using personally owned devices for work purposes. Typically, it is both an opportunity and a challenge on both ends.
Employees can enjoy the ultimate flexibility, and companies can significantly reduce their expenses. According to a Cisco report in 2016, businesses could save an average of $350 per year per employee. If applied in combination with other practices, a BYOD policy could bring even bigger savings.
A CyberArk study on remote work found that 77% of employees use unsecured BYOD devices to access corporate systems. The analysis included 3,000 remote workers and IT experts from the UK, US, Germany, and France.
On the surface, BYOD might not seem like a proposal to take issue with. It can appear like a win-win situation, especially for businesses taking their first steps. However, despite offering significant advantages, it is hard to deny its glaring shortcomings.
In essence, companies allow employees to exchange confidential information and work-related assets via potentially vulnerable devices. That might not sit well with many teams and business owners alike.
What happens if a company’s information leaks due to an unsecured endpoint? Who carries the responsibility of maintaining the security of a personal device? A BYOD policy answers all these questions, provides guidelines, and works as the main source of information for employees.
At the same time, BYOD policy and the ability to use a personal device seem necessary for the modern workplace. Employees might need to receive constant updates on their work tasks, regardless of whether they are in the office. As a result, it is not always possible to carry a company-assigned device. Millions of employees use personal smartphones to settle work-related questions quickly. Thus, it is unlikely that BYOD will vanish anytime soon. On the contrary, it might continue to grow, with companies finding new ways to balance security and convenience.
Advantages of having a BYOD policy
- Reduces expenses. Companies can reduce their costs significantly with a well-crafted BYOD policy. Then, employers won’t need to supply phones or computers for each employee.
- Might increase productivity. Studies show that employees might become more efficient if they can use their personal devices. It relates to the fact that the tech might be more familiar to them. Thus, they will be quick to navigate and find solutions appropriate to certain situations. The general idea is that employees are more comfortable with their personal devices. As a result, they will be experts, skipping the learning curve necessary to adapt to new tech.
- Greater flexibility and workforce mobility. A BYOD policy will allow teams to work from anywhere, be it the office or home environment. For instance, an employee can always be reachable by using a personal smartphone for work-related communication. Additionally, if staff notice issues requiring immediate attention, they can resolve them even if their shifts have ended.
- Increased employee satisfaction. Teams might find it convenient that they do not have to operate two devices. Additionally, they can use a machine they prefer as opposed to the ones assigned to them.
- An attraction for potential employees. A workplace following a BYOD policy might appear more flexible and attractive. Thus, potential employees might take it as a sign that employers are open-minded and accommodating to their teams.
Disadvantages of having a BYOD policy
- Theft/loss of personal devices used for work. One of the risks is that employees might lose their machines. In other cases, thieves can steal them, especially if people leave their devices unattended. Thus, it is vital for employees to ensure that their machines do not fall into the wrong hands. If they do, both business and personal data are at risk.
- Data and endpoint security concerns. The security level of personal devices can vary widely. While some employees may install the necessary solutions, others may not. While a BYOD policy should list the tools people ought to use, verifying compliance is difficult. Employers might be tempted to install specific monitoring software, but teams might disapprove. After all, their devices will also take care of a variety of personal tasks. Thus, it becomes challenging to ensure that employees use the required tools.
- No cybersecurity training for employees. One issue with BYOD policy support might be the lack of guidance. The policy might cover the basics but fail to guarantee complete understanding. Thus, employees might not clearly understand the consequences of, say, the absence of an antivirus solution.
- Complicated IT support and governance. With everyone using different devices, there might be issues with finding suitable software. For instance, even operating systems might differ: some might use macOS, others might opt for Linux. With no unified approach, IT specialists might struggle to provide support or ensure that everyone uses recommended tools.
- Questionable termination process. Naturally, employees will have a great amount of intellectual property on their devices. How can employers be sure that members who quit will erase all that data? Companies can require resigning employees to hand over their devices for inspection. However, it is not only uncomfortable but might also trigger some legal issues.
- Employees delaying software updates. Applying regularly released software patches is essential. However, companies will struggle to guarantee that every employee updates their software as prescribed. Thus, a BYOD policy leaves a lot to trust and to users’ willingness to follow the rules on their own.
Questions a BYOD policy should answer
Once a company decides to allow personal device usage, an extensive BYOD policy should accompany the announcement. It should explain everything from what devices/OSs are acceptable to common cybersecurity risks. Some of the questions a BYOD policy should discuss include the following:
- What activities can employees perform on their personal devices? Sometimes, employers might encourage their teams to keep certain messaging apps on their personal devices. However, they might not allow employees to access other assets. Companies need to set these boundaries as clearly as possible.
- How much power are employers looking to have over personal devices? For instance, employers might require the right to wipe employees’ entire devices in an emergency. People should be comfortable with this, but the chances are, there will be objections.
- What are the minimum requirements for hardware and software? Outdated software versions can contain critical vulnerabilities. In other cases, some tools might not be compatible with older versions.
- How will employers ensure compliance with the BYOD policy? Companies should clearly list the methods they will use to ensure that everyone follows the rules.
- What tools need to be active while working on a personal device? In some cases, employers can require teams to keep antivirus and VPN solutions enabled. The latter might be the tool you need to gain specific access rights. If not used for access control, the VPN protects the integrity of data employees exchange. An antivirus solution is quite self-explanatory: it protects the devices from viruses or malware.
These are the fundamental questions a BYOD policy should address. Depending on the situation, it should go even further to explain everything clearly.
Tips for employees using personal devices for work
- Comply with the requirements listed by your employer. You should always check whether your activities and decisions coincide with the BYOD policy.
- Educate yourself on common cybersecurity issues and dangers. Even if you have attended a cybersecurity seminar, always try to keep up with the latest news. For instance, software providers could release a critical patch you need to apply to fix dangerous flaws.
- Use two-factor authentication everywhere possible. If you secure your accounts with 2FA, you minimize the risks of unauthorized access.
- Go that extra mile. Practice the general tips for safe browsing and device management. It might include clearing old files or avoiding unknown sites.
- Set a strong password for your device. Lock your device with a strong password to prevent others from accessing it. If you use the same machine with multiple people, create several individual accounts.
- Never leave your device unattended. Do not step away from your device, especially if you leave it unlocked. Ensure that the environment is safe if you wish to step away from it.
- Back up important data. Your employer might require you to back up specific data. Thus, always create a backup for confidential information or anything necessary for your work.
- Never install unknown tools. Since you have complete control over your device, you can install anything you want. The crucial thing is to avoid unknown or pirated software. It can not only spread malware but can put you at risk legally.
- Connect to free Wi-Fi only if it is safe to do so. If you decide to work from a location offering free Wi-Fi, be cautious. You should not connect to it without verifying that it is adequately secured. Frequently, it won’t be ready to protect your communications.
- Keep a VPN enabled. A VPN app can guarantee that you can connect to any network safely. Additionally, since it encrypts users’ data, you won’t risk having your communication intercepted or altered. Thus, a VPN is a must-have if you wish to ensure safe browsing and prevent eavesdropping.
Former chef and the head of the Atlas VPN blog team. He's an experienced cybersecurity expert with a background in technical content writing.