Companies that didn't already have a work-from-home (WFH) or Bring Your Own Device (BYOD) policy have found themselves with a series of gaps in their security policy.

This ultimately raises the question: how can we empower employees to work remotely and bring their own devices, while maintaining compliance with the security procedures that mitigate risk for both parties?

Remote working or working from home (WFH) has revolutionised the workplace across office-based industries. Many organisations have found that productivity stays the same once the commute is removed.

In 2022, 30% of the UK's workforce was working remotely. While that is a 7% decrease from 2021, the figure is still very high.

For many businesses that have been able to expand their workforce, the WFH phenomenon has created an opportunity to reduce or spread set-up costs by introducing a BYOD policy for those working remotely, or for those who work from different locations and need agility.

Do the convenience and financial benefits outweigh the risks and threats that arise from BYOD? In an age of frequent data breaches, ensuring that access to data is properly authenticated and that its integrity is preserved has huge implications.

Risks and Threats

With any new policy, employee training should be top of mind. It cannot be assumed that all workers have brought their own devices for work purposes before, or that they have worked from home before. It is safer to assume that cyber security awareness training has not been conducted in anything more than a general sense.

Data security is everyone’s problem, and specific training such as the Phriendly Phishing Security Awareness training or organisation-specific training should be paramount to reduce risk.

One of the most likely risks to data on a BYO device is the age and maintenance state of the device. Software updates don't just keep a device running smoothly; they also patch known vulnerabilities in the OS and in individual applications. Older devices that have fallen out of vendor support no longer receive those security patches at all. This risk is not malicious in nature; it is a restriction of the hardware and its vendor support lifecycle. IT administrators should publish the minimum device specifications (including a supported OS version) required to take part in the BYOD policy.

A lost or stolen device is another risk with no malicious intent on the part of the user. Not knowing the whereabouts of a device that could be accessed by an unauthorised individual is problematic, and so are some of the solutions that involve tracking a device the organisation does not own.

Not all risks and threats are organisational; some BYOD risks fall on the employee. An employee who bought a device for personal use, only to find it is now needed for work, faces complications and privacy concerns of their own. Mobile Device Management (MDM) was the traditional approach to BYOD programs: enrolment installs a management profile (typically backed by a device certificate) that gives the organisation control over the device as a whole. Depending on the policy, MDM can restrict which apps may be installed or used and can remotely wipe the entire device, personal data included.

Mobile Application Management (MAM) has emerged to address that privacy problem. As a component of a larger mobile strategy, it lets IT managers implement and enforce controls on the apps that access corporate data, leaving personal apps and data untouched. MDM and MAM overlap in features, but their scope differs: with MAM, IT can remotely wipe a managed app and its data, but not the entire device, as it could with an MDM-enrolled device.

Planning  

When discussing whether to allow or even recommend BYOD, the first item on the agenda is usually the financial benefit to the organisation: avoiding the upfront cost of buying devices for employees. That is true in the short term, but the larger cost may stay hidden until a data breach brings expensive business continuity and recovery costs.

A cost/benefit analysis that prices in the worst-case scenario is recommended, as short-term savings can be outweighed by long-term financial risk. One question that arises: if the device is essential for work, who pays for its maintenance and account access, and if the organisation does, does that change how the device may be used off the clock?

Eligibility under the BYOD policy should be treated like a guest interfacing with the organisation's systems, under the principle of least privilege. Just as you restrict who holds administrator access to internal systems, limiting access to what is strictly needed, keeping a list of approved devices (for example, devices whose OS is still within its vendor support period) and a list of approved services installed on them will greatly reduce your attack surface.
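As an added example (not part of the original article, and not any vendor's product), here is the "approved devices" check above expressed as code: a Python script that evaluates a constructed device inventory against a hypothetical baseline of minimum OS version, vendor support date and approved work apps. The version numbers, dates, platform names and app names are assumptions for illustration; the point it makes that the prose does not is that version strings must be compared numerically, not lexically, or "9.1" will pass a "10.2" minimum.

```python
from datetime import date

# Constructed policy baseline (assumptions for this example, not any vendor's values):
# the oldest OS release a personal device may run, and the date the vendor is assumed
# to stop patching that release. The baseline must be raised before that date passes.
POLICY = {
    "ios":     {"min_version": "16.0", "support_ends": date(2025, 9, 30)},
    "android": {"min_version": "13",   "support_ends": date(2025, 12, 31)},
}
# Hypothetical list of work apps permitted on a personal device.
APPROVED_WORK_APPS = {"mail", "authenticator", "files"}
# Date the evaluation is run against (fixed so the example is reproducible).
AS_OF = date(2024, 6, 1)


def parse_version(text):
    """'17.4.1' -> (17, 4, 1). Tuples compare numerically, avoiding the string trap '9.1' > '10.2'."""
    return tuple(int(part) for part in text.strip().split("."))


def version_at_least(actual, minimum):
    """True if actual >= minimum; tuples are zero-padded so '16' and '16.0' compare equal."""
    a, m = parse_version(actual), parse_version(minimum)
    width = max(len(a), len(m))
    return a + (0,) * (width - len(a)) >= m + (0,) * (width - len(m))


def evaluate_device(device, today):
    """Return the list of policy violations; an empty list means the device may enrol."""
    problems = []
    rule = POLICY.get(device.get("platform", "").lower())
    if rule is None:
        return ["platform not on the approved list"]
    try:
        if not version_at_least(device["os_version"], rule["min_version"]):
            problems.append(f"OS {device['os_version']} below minimum {rule['min_version']}")
    except (KeyError, ValueError):
        return ["os_version missing or malformed"]
    if today > rule["support_ends"]:
        problems.append("policy baseline is itself out of support; raise min_version")
    unapproved = set(device.get("work_apps", [])) - APPROVED_WORK_APPS
    if unapproved:
        problems.append("unapproved work apps: " + ", ".join(sorted(unapproved)))
    return problems


def eligible_devices(inventory, today):
    """Map device id -> violations for a whole inventory; suitable for a periodic re-check."""
    return {d["id"]: evaluate_device(d, today) for d in inventory}


# Constructed sample inventory (not real devices).
SAMPLE_INVENTORY = [
    {"id": "phone-01", "platform": "iOS", "os_version": "17.4.1", "work_apps": ["mail", "authenticator"]},
    {"id": "phone-02", "platform": "Android", "os_version": "9.0", "work_apps": ["mail"]},
    {"id": "phone-03", "platform": "Android", "os_version": "14", "work_apps": ["mail", "cloud-drive-x"]},
    {"id": "tablet-01", "platform": "HarmonyOS", "os_version": "4.0", "work_apps": []},
]

if __name__ == "__main__":
    for dev_id, issues in eligible_devices(SAMPLE_INVENTORY, AS_OF).items():
        print(dev_id, "OK" if not issues else "; ".join(issues))
```

Re-running the check on a schedule, rather than only at enrolment, is what catches the second failure mode: a device that was eligible when it joined but whose OS has since left support.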

The relevant legal framework for data collection, sharing and privacy policies in the relevant jurisdiction is a good place to start, especially if your industry is governed by specific data collection

Mitigation

Easy-to-deploy measures include Two-Factor (2FA) or Multi-Factor Authentication (MFA). MFA, while not infallible, is a great place to start for managing privileged access to systems. It requires more than one form of authentication before access to a system or information is approved.

A practical benefit of MFA is that almost any personal device can be enrolled as a second factor, since an authenticator app on the device generates codes tied to that specific enrolment.

MFA comes in multiple forms, including an authenticator app, One-Time Passwords (OTP), biometrics (such as face or fingerprint recognition) and software certificates.

For the best protection, organisations should combine two or more of these measures drawn from different categories. A good reminder for employees is: something you know, something you have and something you are. For example, your password (you know), an app giving you a code (you have), and a fingerprint or face match (you are).
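To make "an app giving you a code" concrete, here is an added example (not from the original article) showing both sides of a time-based one-time password: the authenticator app and the verifier implement RFC 6238 TOTP over RFC 4226 HOTP with HMAC-SHA1, and the verifier tolerates one 30-second step of clock drift while comparing codes in constant time. The key bytes `12345678901234567890` are the published RFC test-vector key, used so the output is checkable; the enrolment helper and the otpauth URI follow the convention common authenticator apps use, and the issuer and account names are placeholders.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time
from urllib.parse import quote

STEP_SECONDS = 30   # TOTP time step (RFC 6238 default)
DIGITS = 6          # code length shown to the user

# Key from the RFC 4226 / RFC 6238 test vectors; real secrets come from enrol() below.
RFC_TEST_SECRET = b"12345678901234567890"


def secret_from_base32(text):
    """Decode the base32 secret an authenticator app stores; tolerates spaces, case and missing padding."""
    cleaned = text.strip().replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def hotp(secret, counter, digits=DIGITS):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, unix_time, step=STEP_SECONDS):
    """RFC 6238 TOTP, the authenticator-app side: counter = floor(time / step)."""
    return hotp(secret, int(unix_time) // step)


def verify_totp(secret, submitted, unix_time, window=1, step=STEP_SECONDS):
    """Server side: accept the current step and +/- `window` steps of clock drift.
    hmac.compare_digest keeps each comparison constant-time so timing leaks nothing."""
    if len(submitted) != DIGITS or not submitted.isdigit():
        return False
    counter = int(unix_time) // step
    return any(
        hmac.compare_digest(hotp(secret, counter + delta), submitted)
        for delta in range(-window, window + 1)
    )


def enrol(issuer, account):
    """Generate a fresh 160-bit secret and the otpauth:// URI an authenticator app scans as a QR code.
    Returns (raw_secret, uri); the server stores only the raw secret, the user only scans the URI."""
    raw = secrets.token_bytes(20)
    b32 = base64.b32encode(raw).decode().rstrip("=")
    label = quote(f"{issuer}:{account}")
    uri = (f"otpauth://totp/{label}?secret={b32}&issuer={quote(issuer)}"
           f"&algorithm=SHA1&digits={DIGITS}&period={STEP_SECONDS}")
    return raw, uri


if __name__ == "__main__":
    # Placeholder issuer/account; a fresh enrolment round-trips through the app and verifier sides.
    raw, uri = enrol("Example Corp", "alice@example.com")
    now = time.time()
    code = totp(raw, now)
    print(uri)
    print("code", code, "verified:", verify_totp(raw, code, now))
```

The drift window is the trade-off a practitioner should set deliberately: each extra step widens the acceptance window for a stolen or phished code, so one step either side is the usual choice, paired with rejecting a code that has already been used.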

Virtual Private Networks (VPNs), or tunnels into the network, can protect access to sensitive data; however, as many businesses move towards cloud-hosted services, the need for them is becoming less common (the cloud services themselves must still be reached over encrypted connections such as TLS). Using an identity and access management (IDAM) service for sign-on both in the office and at home can streamline this, as can Mobile Application Management (MAM) for mobile devices, which lets work applications be enrolled without taking over the whole device, particularly when the company does not own it.

Preventative measures are important, but preparing for the worst matters just as much. Training employees to scan for and detect malware on their personal devices adds another layer of security that protects both the organisation and the employee. Phishing and security awareness training is the first line of defence; a rules-based firewall and endpoint detection software cover the gaps that will inevitably appear in the human firewall.

The Bottom Line

The human factor is often the most overlooked aspect of security. Cyber security training for employees on the use of apps, on procedures for using the device for both home and work, and on how to access the organisation's apps and data is paramount. Ensure your team has been educated on the risks and implement a well-planned policy, from the IT and Security teams down to part-time and contract employees.

Phriendly Phishing’s course catalogue includes specific training courses on BYOD and mobile devices. General data and computer security should be a regular health check for organisations that allow BYOD or WFH.

Browse our security awareness training, including courses on BYOD and mobile device security today.

Request a demo of our training platform and get the ball rolling on BYOD best practices.