The increase in remote workforce encouraged several organizations across the globe to embrace the Bring Your Own Devices (BYODs) concept. However, using personal devices for official work also brought in various kinds of data security and privacy risks, as organizations lacked visibility to secure these unmanaged BYODs. With the rise in the security issues related to BYODs, the U.K. government recently released guidance for organizations on enabling staff to use their personal devices such as smartphones, tablets, laptops, and desktop PCs to access corporate data.
Released by the National Cyber Security Centre (NCSC), the guidelines are aimed at helping organizations deploy and manage BYODs. The BYODs guidance is primarily intended for large and medium-sized organizations and companies allowing their employees to use personal devices for office work.
Per NCSC, here are some of the questions organizations need to consider:
- Is BYOD right for me?
- What type of BYOD deployment method is right for me?
- Do I need anything else?
- How do I use BYOD appropriately (and legally!)?
Security Challenges of BYOD
As companies deploy more and more BYODs to corporate networks, shadow IoT devices continue to be a growing risk factor to enterprise network security. Shadow IoT devices are internet-connected devices or sensors used inside an organization without the knowledge of the IT team in a company.
The BYOD concept brings several security challenges to organizations, including:
- Ensuring personally owned devices and their owners comply with company policies and procedures
- Increased support for a wide range of device types and operating systems
- Protecting corporate data and infrastructure
- Protecting the personal privacy of the end-user/device owner
- Ensuring legal compliance and meeting contractual obligations
BYOD Risks
The NCSC recommended organizations consider the associated risks with BYODs, which include:
- Easier user-initiated deliberate loss of data
- Less trust in a BYOD device at the point of enrolment
- Employees having access to more resources and services than required
- Higher likelihood of unsupported or out of date devices
- Users being less willing to report security incidents
- Malicious exploitation of devices because of weak security configuration
Actions Before Deploying BYODs
The NCSC also recommended five actions that will help enterprises choose and implement the right BYOD solution, in the right way. These include:
- Action 1 – Determine your objectives, user needs and risks
- Action 2 – Develop the policy
- Action 3 – Understand additional costs and implications
- Action 4 – Deployment approaches
- Action 5 – Put technical controls in place
“The security challenges of BYOD should not be played down. However, with the right technical controls and policies in place, the risks inherent with BYOD can be minimized. Organizations should be mindful of the potential impact BYOD may have on the work/life balance of their employees. A BYOD scheme requires careful design in order to ensure that it works well for employees. If the system makes life difficult, or leads to a poor work/life balance, you could end up with your employees rejecting the approved approach for BYOD. They may even find other ways to do their job using ‘shadow IT’ that are likely to increase your security risk,” the NCSC said.
