This is a subject that, at one time, was pretty much confined to the larger enterprise organisations but largely because of the pandemic, it is gaining popularity within SMEs and is now getting a lot of attention from the National Cyber Security Centre.

So, what is it?  Well the idea was to allow employees to use their own devices for work purposes.  The thinking was that in this day and age, many employees have developed preferences for what they use.  So whilst many will stick to Microsoft, others may prefer an Android or Apple tablet, whilst others still may prefer a MacBook or Chromebook.  There’s a wide choice these days.

But what do we mean by work purposes?  It can mean anything from accessing your emails, which most of us do on our phones, to accessing critical services and applications.  And this makes it a potentially complex issue.

The pandemic brought with it many issues that needed swift resolutions and now, it’s not uncommon to visit companies that have allowed their staff to continue to work from home often because the cost savings in office accommodation are very beneficial, and some have allowed staff to use their own preferred devices when working, including connecting to the company network and/or cloud services, remotely. 

For just about all SMEs, this has started from a position of necessity.  But like many such events, if it seems to be working, it rapidly becomes the norm and in creeps a complacency that it’s actually all OK.

BYOD solutions need to be planned and thought through.  And pretty much the same as most things, particularly risk based assessments, what you need to do really depends on your organisation.  You need to ask some questions:

• Is there anything that needs to be done from the office that cannot be done by home workers?
• Are there functions which employees need to do, that requires the company to have visibility and management of, and is there anything that doesn’t?
• What do my employees need to do?
• How can we balance what employees do that also involves your need to protect data and their privacy (DPA2018)?  They are after all, using their own device.

Above all you need a well thought through and comprehensive strategy, which, while offering flexibility and potential cost savings, recognises and deals with several security implications that organisations must address to ensure sensitive data and systems remain secure. Below are the key concerns:

a. Data Security

• Data Leakage: Employees’ personal devices may lack adequate protections, increasing the risk of unauthorised access or accidental data leaks.
• Loss or Theft of Devices: Personal devices may not have encryption enabled, making sensitive corporate data vulnerable if the device is lost or stolen.
• Uncontrolled Sharing: Employees might unknowingly share corporate data via apps or cloud services outside the organisation’s control.

b. Malware and Cyber Threats

• Insecure Devices: Personal devices might not have up-to-date antivirus software, firewalls, or operating system patches, making them susceptible to malware or ransomware attacks.
• Unverified Applications: Employees may install unauthorised or malicious applications that could compromise corporate networks.

c. Network Security

• Untrusted Connections: BYOD devices may connect to public Wi-Fi networks, exposing them to man-in-the-middle (MITM) attacks that could jeopardise corporate data.
• Device Spoofing: An attacker could mimic a BYOD device to gain unauthorised access to the network.

d. Compliance Risks

• Regulatory Violations: BYOD policies may lead to data handling practices that violate regulations like GDPR or PCI DSS if personal devices aren’t properly managed.
• Audit Challenges: Tracking and demonstrating compliance can become difficult with non-standardised, user-managed devices.

e. Access Control

• Weak Authentication: Personal devices may not support strong authentication mechanisms, increasing the risk of unauthorised access.
• Lack of Segmentation: Employees’ devices may access both corporate and personal systems, creating potential crossover risks.

f. Insufficient Visibility

• Limited Monitoring: Organisations may lack full visibility into personal devices, making it harder to detect breaches or policy violations.
• Shadow IT: Employees might use unauthorised apps or services that bypass official security controls.

g. Employee Turnover

• Data Retention: When an employee leaves, ensuring the removal of corporate data from their personal devices can be challenging.
• Device Ownership: Legal and practical issues might arise when attempting to enforce data wiping on personal devices.

Mitigation Strategies

To address these risks, organisations adopting BYOD should:

• Implement Mobile Device Management (MDM) or Endpoint Detection and Response (EDR) solutions.
• Enforce strong authentication, such as multi-factor authentication (MFA).
• Require device encryption and ensure compliance through regular checks.
• Use some form of file separation to ensure separate corporate data from personal data.
• Deploy a zero-trust security model with conditional access controls.
• Establish clear policies and training to educate employees on BYOD security best practices.

By proactively addressing these risks, organisations can leverage the benefits of BYOD while maintaining robust security.