BYOD—which, sadly, is not short for bring your own doughnut—has started to replace corporate machines as the IT policy du jour, and is becoming increasingly common as businesses struggle to keep up with evolving technical requirements on ever-tightening IT budgets. In fact, according to one study, 87% of surveyed businesses relied on employees’ use of personal devices to accomplish at least part of their work. On the surface, it makes perfect sense: Employees get to use their devices of choice without draining your budget, so everybody’s happy.
Except, perhaps, your IT support team, as BYOD policies threaten IT security even as they ease IT budgets. Employees may not update software and applications on their devices, opening up exploitable vulnerabilities for cybercriminals. Devices may be lost or stolen while IT support teams remain completely in the dark. Employees may rely on poor passwords—or none at all—and may engage with sensitive information over insecure networks. In short, the potential for increased security threats looms large, but the reality of that threat depends on you, your device policies and your corporate culture.
Today, let’s examine the real risk of BYOD, how it stands to impact your data integrity and networks, and, finally, what you can do about it.
How bad is BYOD for security?
The short answer is, “Pretty bad.” BYOD introduces all kinds of potential security loopholes, creating unmanaged entry points for data breaches, malware and social engineering attacks. And those new vulnerabilities have already bred consequences for many businesses. Here’s how BYOD security breaks down by the numbers:
- IT solutions providers named BYOD as one of the trends most likely to threaten security in coming years.
- A U.K. survey found that 61% of small businesses experienced some sort of security incident after the introduction of BYOD.
- 40% of large data breaches involved stolen devices, a risk that increases with BYOD.
- 50% of companies that both allowed BYOD and suffered some sort of security incident were breached through employee-owned devices.
Is it possible to keep employees off their devices?
Any look into BYOD security policies begins with this question: Is there any way to stop employees from using their own devices? Probably not—and you may not want to stop them, either. After all, the advantages of BYOD have been quantified and found to be plentiful. Allowing employees to use their own smartphones can save 58 minutes a day and result in a net gain of $350 per year, per employee.
Even if you do adopt anti-BYOD policies, team members will inevitably resort to whatever makes it easier to get their jobs done. According to one survey, 90% of U.S. employees use their own smartphones at work, while 82% of U.S. businesses allow employees to use their own devices. Asking employees to stop using their own devices is a bit like trying to put the genie back in the bottle.
Obviously, you should do whatever works best for your business, but banning personal devices may not be practical—and it’s certainly not likely to be met with much enthusiasm (or compliance) from employees.
BYOD best practices
Your best bet, then, is to take a few measures to protect your business. The risks associated with BYOD will always be there, but you can take steps to enforce device security and bolster data security. Try implementing some of the following steps:
- Enforce some level of device management: Allow BYOD but have your IT support team install mobile device management (MDM) systems on employees’ personal devices to encrypt machines and automatically update software.
- Implement virtual private networks (VPNs): Giving employees access to a VPN—and requiring them to use it to access sensitive data—will protect you from data exposure over unsafe Wi-Fi and networks. IT solutions providers can help you create these networks and teach employees how to use them.
- Outline clear procedures for reporting lost or stolen devices: Inform employees who participate in BYOD that if a device is lost or stolen, they must report it, and provide detailed instructions for how to do so. Work with IT support providers to create a response plan for these kinds of incidents, allowing you to delete accounts and change passwords quickly and effectively.
- Insist on strong passwords, PINs and other access keys: Enforce multi-factor authentication where possible, and require employees to use the strongest possible device protections, such as thumbprint or facial recognition.
- Commit to robust, ongoing cybersecurity plans: The cybersecurity landscape is constantly shifting as threat actors find new opportunities to launch attacks. Because of this, BYOD protections should be enacted as part of an overall security plan that covers both prevention and response. We strongly recommend that you have your IT solutions provider weigh in as you create this plan.
Of course, BYOD policies may not help if you don’t have strong cybersecurity protections in the first place. To get help with that, download our Ultimate Cybersecurity Bundle for everything you need to launch a strong IT protection plan. It’s still not as tasty as a jelly doughnut, but it’s a lot better for your network health.