
Bring your own device: security measures for personal devices in the workplace

Any company where employees can bring smartphones, tablets or personal laptops to the workplace needs a bring your own device security policy (or BYOD policy, for short). Nearly every employee brings an Internet-connected device to work. Even if this device is not actively connected to a company network, it can still present security risks.

Using a personal device for something as innocuous as sending a work email can create vulnerabilities in an organisation’s network. Organisations of all sizes find BYOD security challenging because companies must exert some control over smartphones and tablets owned by their employees. After all, 40% of data breaches are caused by lost or stolen devices. However, in cultures that place an emphasis on personal liberty, policies such as these can meet resistance or resentment from employees. A delicate but firm approach to this issue is best.

What can companies do to improve their cybersecurity in these conditions? One option is to prohibit BYOD entirely and enforce this policy rigidly. However, the global BYOD market is large and growing. The 2022 market was estimated to be worth $350 billion. The work-from-home trend catalysed by the pandemic has expedited its growth. The alternative is to lean into the practice, while enacting common-sense BYOD policies and security, to make it safer for both companies and employees. Most companies find this to be the easier of the two options to implement, though a sensible BYOD policy still requires effort and consideration.

BYOD security risks

BYOD means that, nominally, companies spend less on hardware and software for their employees. 82% of companies allow employees to use personal devices for work. 71% of these employers find it allows people to be more comfortable when using devices, since they are most familiar with their personal phones. 58% find that it is more productive. However, only 55% find that it reduces costs. Why the discrepancy? Likely because out of the companies whose security policies permit BYOD, a startling 50% experience data breaches via employee-owned devices. No wonder that 26% of companies that oppose the adoption of BYOD policies cite security concerns as their prime reason.

BYOD security best practices


Any BYOD policy worth its salt will cover these elements:

  • Permissible device types
  • Acceptable use: what apps and assets can employees access from their devices?
  • Minimum requirements for device security controls: what safety measures will the company require for BYOD devices?
  • Company-provided components: for example, SSL certificates for device authentication
  • Company rights concerning the modification of the device: for example, remote wiping in the event of a device’s theft or loss
  • What happens to company data on the devices of employees leaving the company?
  • Who owns the apps and data on the device? Will staff be reimbursed by the company for apps or monthly fees?
  • What support will IT render to device owners?

The following provisions will need to be considered by policymakers so that the best options can be delivered:

  • Common sense rules: a limit to personal calls and video at work, no use when driving
  • Maintenance and upgrades: any finalised policy should ensure that employees reliably keep devices and apps up to date
  • Data transfer provisions: company data should be encrypted and password protected, and only transferred on company-mandated applications
  • Password provisions: password use is obviously non-negotiable in protecting sensitive information; two-factor authentication may also be required
  • Privacy provisions: how can companies balance data protection and employee privacy with BYOD?

BYOD security policy

How best to go about devising coherent and secure BYOD practices? Any policy drafting of this scale should involve both employees and stakeholders. Employee input can be obtained through a survey, a great basis for planning policy. Execs, HR, IT operations, finance and security should all be looped in and represented on a BYOD project management team; each of these departments has a contribution to make.

Once a survey has been sent out and responses received, beneficial analyses to make include which data and apps are needed on employee devices. After introducing the completed policy, training is a vital stage of the process. Employees at all levels must be instructed on data handling protocol, device troubleshooting, the procedure for lost or stolen devices, which apps to use and anti-phishing measures, as well as broader instruction in vigilance against cyber threats.

It is widely believed that employees untrained in cybersecurity are the greatest hazard to organisational data integrity. In 2014, 87% of IT managers believed that the biggest threat to organisations was mobile devices used by careless employees. In 2020, a startling 96% of attacks on mobile devices used apps as a vector. This is because a supermajority of apps, nearly 4 in 5, embed third-party libraries that can create vulnerabilities.

Which apps should a company that is implementing a strong BYOD policy use? A study found that employees use five or more apps every day. Organisations should include a dedicated secure messaging platform, email, CRM and whichever other apps they feel their employees will need. Make sure that apps which could be liabilities are explicitly off-limits.

Organisations should also have specific procedures in place for employees who leave the company, for whatever reason. When an employee leaves, an organisation must ensure that all company data is removed from their devices, and that any access to company apps is similarly withdrawn. However, this duty presents many difficulties and is often considered reason enough to abandon BYOD policies and provide company-owned devices instead.

A policy is only as strong as a company's ability to enforce it, which unfortunately requires that there be consequences for those who do not abide by the policy. The policy should spell out how compliance is tracked, measured and enforced, and those details should be distributed so that all team members are aware of them. Lack of oversight is one of the major issues for BYOD implementation. Companies need enough IT support staff to get employees set up, with ongoing support and monitoring.

After systems and protocols have been secured, organisations should prioritise education for employees. If a BYOD policy is to succeed, impressing the importance of acceptable use and basic data security hygiene upon employees is essential.

BYOD security solutions

Security solutions that should be considered for inclusion in a BYOD policy include:

  • Encryption for data at rest and in transit
  • Antivirus: either company-provided or required for employees to install
  • Monitoring: tracking GPS location of employee devices or internet traffic etc.
  • Containerisation: devices that are segregated into personal or finance bubbles with password protection
  • Password hygiene training, including requirements for regular changes
  • Blacklisting: blocking or restricting apps specifically because they are a risk to operational security or a detriment to productivity – this is not usually possible on employee-owned devices except with containerisation
  • Whitelisting: only allowing access to certain approved applications, usually more practical for organisation-distributed hardware
  • A requirement for regular backups, as well as updates to apps and operating systems
  • Periodic training and retraining on how to keep company data safe regarding Wi-Fi network access from BYOD hardware
  • Restriction of data access: for the prevention of data leaks, data access should be tightly controlled so that only those who need access to specific data sets for their job have access from their personal devices
  • Monitoring tools for data location and data access patterns, for detection of suspicious behaviour such as access from insecure or suspicious locations (e.g. North Korea)
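As an added illustration that is not from the original article or from Kingston, the following Python shows how the device-control minimums, restricted data access and location monitoring listed above could be combined into a single allow/deny decision for a BYOD access request; every policy value and record in it is a constructed assumption.

```python
"""Conditional-access check for a BYOD policy (added example, not a Kingston tool).

Evaluates one access request from a personal device against the controls
listed above. All policy values and records here are constructed assumptions.
"""
from dataclasses import dataclass, field

# Assumed policy values: minimum OS versions, approved and blocked apps,
# countries from which access is expected, and per-role data entitlements.
MIN_OS = {"ios": (16, 0), "android": (13, 0)}
APPROVED_APPS = {"corp-mail", "corp-chat", "crm"}
BLOCKED_APPS = {"sideload-store", "unvetted-vpn"}
ALLOWED_COUNTRIES = {"GB", "US", "DE"}
ROLE_DATASETS = {"sales": {"crm"}, "finance": {"ledger", "crm"}}


@dataclass
class Device:
    enrolled: bool            # registered with the company's MDM
    encrypted: bool           # storage encryption at rest enabled
    screen_lock: bool         # passcode / biometric lock set
    os_name: str
    os_version: tuple
    installed_apps: set = field(default_factory=set)


@dataclass
class AccessEvent:
    user: str
    role: str
    app: str       # app making the request
    dataset: str   # company data set being accessed
    country: str   # ISO country code from the request's geolocation


def evaluate(device: Device, event: AccessEvent) -> tuple:
    """Return ("allow" | "deny", reasons). Any failed control denies the
    request; a location outside the allow-list is denied and flagged for review."""
    reasons = []
    if not device.enrolled:
        reasons.append("device not enrolled in MDM")
    if not device.encrypted:
        reasons.append("storage encryption disabled")
    if not device.screen_lock:
        reasons.append("no screen lock / passcode")
    if device.os_version < MIN_OS.get(device.os_name, (0, 0)):
        reasons.append(f"{device.os_name} version below policy minimum")
    if device.installed_apps & BLOCKED_APPS:
        reasons.append(f"blocked apps present: {sorted(device.installed_apps & BLOCKED_APPS)}")
    if event.app not in APPROVED_APPS:
        reasons.append(f"app {event.app!r} not on approved list")
    if event.dataset not in ROLE_DATASETS.get(event.role, set()):
        reasons.append(f"role {event.role!r} not entitled to {event.dataset!r}")
    if event.country not in ALLOWED_COUNTRIES:
        reasons.append(f"access from unexpected country {event.country}: flag for SOC review")
    return ("allow" if not reasons else "deny", reasons)
```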

One method of providing better security for BYOD systems is issuing encrypted USB flash drives and encrypted SSDs to employees. This is more economical than providing phones or tablets for an entire workforce, and considerably more straightforward than containerising every device that a workforce brings on-site, and data stored on these drives is much better protected than on the average device. With sufficiently strong encryption, a thief who obtains an encrypted drive cannot make any headway towards the privileged data on it.
