BYOD Security Explained

How can security standards be maintained when employees are using their own devices?

Security challenges

What is BYOD security?

BYOD stands for “bring your own device” and can be defined as employees utilizing personal devices for work purposes. The best, and most common, example of this is using a personal cellphone to read and reply to work emails. BYOD security is the process of securing this new device landscape for organizations.

Anyone with experience in IT or enterprise software can tell you about the consumerization of IT in the last decade, as consumer products like the smartphone and software like Slack have become more popular in the workplace due to their superior user experience, and come to dominate modern company infrastructure. This enabled many people to start bringing personal devices such as cellphones and tablets to use at work, supplementing or replacing existing enterprise hardware.

Additionally, when consumer devices became the default in workplaces, employees started to use their work devices as personal devices also.

This approach was labeled as “bring your own device” (BYOD) and forced companies to change their IT policies, as it flooded company networks with new endpoints and created BYOD security challenges to go with it.

BYOD security risks

At first security hardliners rejected BYOD policies due to risk, outlawing personal devices and in some cases labeling BYOD “bring your own death”. But the bottom-up adoption of technology was too strong and, rather than trying to fight the incoming tide, most organizations have chosen to integrate personal device use and address BYOD security concerns internally. Personal devices still carry BYOD security risk, but it is possible to put security strategies in place to minimize these risks.

Employees using personal devices at work can complicate some security processes. Security teams will have detailed procedures for tracking corporate devices that are stolen or lost, including remotely erasing data where necessary. One BYOD security challenge is efficiently and ethically extending these processes to include personal devices used at work. BYOD can include a vast range of devices, often running different operating systems. Making these devices compliant and ensuring tracking and remote data erasure is a challenge.

Backing up data contained on non-company hardware is another BYOD security challenge that companies need to tackle. For almost all organizations, especially those that have been established for longer, backup processes will have initially been designed with company hardware in mind. Given love of personal devices is often strongest in senior roles, who therefore represent the greatest BYOD security risk, this is an important weakness to address due to the nature and volume of projects these individuals will have access and contribute to.

There are further security headaches created by using company devices for personal purposes. Employees may download unsanctioned apps with data privacy standards that are not compliant with the corporate security strategy, inadvertently putting company data at risk. Some apps are even built with the express purpose of harvesting data and IP, and in a large company, the chances of this happening are elevated, even allowing for training and controls.

Removing the distinction between work and personal devices is another BYOD security risk that needs to be specifically addressed. Many users will have personal data on their work devices, which can create a liability when they move on and the device is presented to a new employee. Wiping devices of all data before passing them on reduces legal liability and protects the privacy of former workers. Similarly, personally owned devices will go with the employee to their new workplace, and therefore any corporate data will need removing before they leave.

These issues became increasingly important during the COVID-19 pandemic, with BYOD being replaced by “bring work to your devices”. Restrictions on travel and in-person gatherings caused more and more work to be done in home offices, often involving more than one personal device. These BYOD security challenges are now sources of risk for corporate security, at a massive scale.

BYOD security policies

When implementing BYOD security policies, the first and most important thing that companies can do is ensure that software is patched on every endpoint that can access company data, whether it is a company-issued laptop or the desktop that an employee logs into at their parents’ house during COVID-19 remote working. Patching should be the bedrock of BYOD security policy. As well as this, devices should be subject to a minimum standard of security controls before accessing company data. Doing this helps keep security top of mind for employees, and reminds them of the importance of maintaining security standards in their personal and professional lives when their devices interact with company data.

Controlling the applications that employees can use is another important part of BYOD security policies. This can be done using a blocklist or an allow list, with each approach having its own advantages and drawbacks. A blocklist can be an inefficient way to keep up with an app ecosystem that is evolving daily, while an allow list will require regular updating, sometimes at extremely short notice to facilitate employee productivity.

Keeping some centralized control of devices is also a sensible part of BYOD security policies. This could include remote patching, tracking devices, wiping company data remotely or any number of other security controls. The important thing is for companies to maintain control over their data, wherever it might be located.

BYOD pros and cons

The pros of BYOD are the same reason its uptake has been so significant: the widespread consumerization of IT. Personal devices proved easier to use and more familiar to employees. This has the knock-on effect of reducing the need for training and troubleshooting, as well as driving higher productivity among users. Employees become more effective and more satisfied at work, creating a virtuous cycle of productivity. It can also reduce the cost of investment in devices, and the need for constant upgrades by the organization.

Cons associated with these policies relate to the BYOD security challenges. Personal devices create distance between the IT team and the device where data is located that makes it harder to monitor usage, patch spftware, and detect and contain potential breaches of policy. Some devices will not have the correct antivirus or firewalls installed, and many will have reduced governance by IT. Most of the benefits of BYOD relate to greater control by users, and allowing this while maintaining compliance requires high standards of BYOD security.

Implementing BYOD security

Many companies saw implementing and expanding BYOD policies as a necessity of adjusting to the pandemic, but there are a wide range of reasons to incorporate devices and consequently invest in BYOD security. Getting it right is a challenge that requires setting comprehensive initial policies and procedures, as well as investing in ongoing support from IT. While BYOD can save money on investment in hardware and software as employees bring their own, it can be more costly in terms of maintenance when it comes to patching and monitoring devices.

Implementing secure BYOD requires having an IT team with broad experience, and a strong knowledge of consumer hardware and how it operates in a corporate setting. While BYOD is associated with being more permissive, doing it securely means having strong boundaries and rules regarding which devices and security controls are acceptable. This might mean enforcing multifactor authentication on personal devices or ensuring VPNs are used at all times. It is important to do this both to protect company data, and to make employees conscious and aware that their personal devices are now a source of security risk to their company.

BYOD Security Checklist

Getting BYOD security right means addressing a broad range of controls and policy changes, so it can help to work through a checklist. Here are some of the priorities to work through when implementing and upgrading a BYOD policy.

  • Password provisions: devices should be protected by passwords that are resistant to brute force attacks, with a control that prevents workers from reusing passwords internally.
  • Privacy provisions: employees who use the same devices for work and personal uses are at risk of exposing personal data to their employer, so enforcing privacy provisions through training and technical controls is important to protect workers’ data and reduce legal liability.
  • Data transfer provisions: ensuring that sensitive data sent to personal devices is protected is a top priority for BYOD security, and actions here should include the application of controls such as VPNs, data encryption or zero trust architecture.
  • Proper maintenance / updates: patching employee devices is both the biggest challenge and the top priority for BYOD security. This means knowing what devices are on the company network at all times and ensuring they are regularly patched.
  • Upon termination: security teams will have a detailed offboarding policy for exiting or terminated employees, and this should include removing access to company data immediately once their contract ends.
  • Data wipe procedures: being able to remotely wipe sensitive corporate data protects against theft and insider threats. Every device that can access company data must be configured for remote data wipes for corporate data.

BYOD network security

Bringing personal devices onto a corporate network presents network security issues, including the risk of malware spreading internally. By incorporating Network Access Controls security teams can ensure that all devices that connect to your network are up to date on their software, including anti-virus software. It is also a good reason to insist on higher security standards across the company, such as by implementing two-factor authentication for every device connecting to the network. Security teams should also ensure that all company data downloaded from the network and stored on personal devices is encrypted.

Data encryption at rest and at transit

A main consideration for BYOD security is the access to and sharing of company data via work email accounts on personal or corporate-owned devices. Email is a primary business communication tool and has been relied on more heavily than ever during the COVID-19 pandemic. Email security research shows that 94% of organizations have seen an increase in outbound email traffic since March 2020, with one-in-two experiencing volumes that are 50% higher than pre-pandemic.

Emailing from a mobile device represents several BYOD security risks. Firstly, there’s the likelihood that employees will send sensitive data in error, as smaller screen sizes and emailing on the go make it harder to detect incorrect recipients or when the wrong files have been attached. Similarly, it is more difficult to view the email addresses behind display names on mobile devices, which means it is more likely that an employee will fall victim of a spear-phishing attack via a mobile device and, for example, reply to someone impersonating their CEO. Finally, when employees send emails from mobile devices, it can be difficult to ensure they have applied the right level of encryption to sensitive data to make sure it is secure in transit and at rest in the recipient’s mailbox. Similarly, any emails sent to the employee’s device without encryption will remain in plaintext in their mailbox app.

Additionally, although employee movement may be restricted due to the pandemic and therefore mail apps could be used less during the daytime by individuals who prefer to respond to emails via the desktop, many employees will continue to use mobile devices outside of work hours, during evenings and at weekends. Regardless of usage levels, all emails will continue to appear in the mail app unless it is disconnected. When they do leave their homes, there is still a chance that devices can be lost or stolen, which will include corporate data contained in the mail app.

Egress delivers BYOD security through it’s Intelligent Email Security platform. Egress Prevent can detect whether employees are emailing incorrect recipients or sharing the wrong data via email direct from the mail app. This protects employees from leaking data by misdirecting emails on mobile devices as part of BYOD security. The technology can also detect when someone is replying to a spoofed email address and therefore about to fall victim to a spear phishing attack. Emails that are secured with Egress Protect are delivered encrypted to the mail app. This means sensitive corporate data is encrypted at rest within the mailbox, supporting BYOD security for lost or stolen devices. These emails can be decrypted within the Egress mobile apps for iOS and android devices, with access to the app able to be restricted without having the device present (in the case of lost or stolen devices) for BYOD security. The Egress mobile app can work as both the users’ exclusive mail app or simply for initiating, reading and replying to secure emails. The app also provides audit logs for shared data for compliance purposes and enables users to revoke access to the emails they’ve send directly from their mobile device, which can be used in instances where the recipient no longer have access to it. The Egress mobile apps are free to download and use as a recipient of Egress encrypted emails, supporting the uptake BYOD security.

Legal issues with BYOD

Implementing BYOD carries with it some legal implications, such as ensuring that business records stored on an employee’s personal device have been saved long enough to satisfy electronic discovery requests during litigation. If not, failure to retrieve information stored on a worker’s personal device may lead to severe adverse consequences for the employer in the underlying litigation. Similarly, organizations need to be able to locate any data stored on a mobile device under the scope of data subject access requests (DSARs), which are supported under numerous older data privacy regulations, and increasingly come with more comprehensive provisions under newer and more stringent legislation and laws, like the California Consumer Privacy Act (CCPA) and the EU General Data Protection Regulation (GDPR). These newer regulations also provide citizens with the right to request partial or full erasure of their data, which needs to be extended to mobile devices as part of BYOD security and compliance policies.

GDPR also imposes restrictions on holding a person’s data when it is not strictly necessary. Implementing BYOD policies poorly may open an employer up for liability here when backing up work devices. By using mobile device management technology to create a virtual partition in each device that separates work data from personal data, the legal liability is reduced while improving security.

Finally, it is also important to balance security controls in the BYOD policy against legal overreach. Arizona law, for example, provides remedies that could allow an employee to sue an employer for excessive monitoring practices.