Bring-your-own-device (BYOD) policies were some of the many things that changed when the COVID-19 pandemic hit. A study from Palo Alto Networks by ONR found 60% of companies expanded their BYOD policies to help employees manage the shift to remote work at the beginning of the pandemic. However, the convenience that the new BYOD policies provided often came at the cost of security. The study also found that employees at companies that expanded BYOD use were over eight times more likely to ignore, circumvent or disable security than those who restricted BYOD.

Many companies are looking at either full-time remote work or offering a hybrid model for the long term. In the past, the solution was often to restrict uses or implement more controls for how employees use their BYOD devices. However, placing more restrictions on employees often leads to them figuring out how to get around those rules.

How Employees Use Their Devices

In the past, BYOD policies focused on what companies did not allow employees to do on their devices. This approach overlooked how employees could use their devices to more efficiently and accurately perform work-related tasks. For a BYOD policy to be effective today, companies must address the security issues with a solution that works for both employees and the employer.

Leaders should start by fully understanding how employees currently use personal devices. In what other ways can they use devices to improve work/life balance and be more productive? Survey employees in a range of roles and departments to learn how different employees use their devices for work tasks. Questions to ask include:

  • What types of devices they use
  • How often they use them
  • Specific tasks they perform with the devices
  • What applications they use.

The New BYOD Challenges

Before coming up with a solution, organizations must first understand their current digital defenses and what challenges they’re facing. Here are four common challenges.

Employees Using Non-Secure Networks

Work and home life are blending more and more. Employees have more chances and temptation to access sensitive data on public wireless or unsecured home networks. Many employees turn to virtual private networks (VPNs) as the answer for BYOD, but the technology wasn’t designed for today’s complex needs and threats.

With so many devices and locations, VPNs create a very large attack surface that is challenging to protect. Because breaking into a VPN provides access to the entire network, VPNs are big targets for cyber criminals. What’s more, a VPN only provides protection if the employee uses it every time they connect. Because VPNs often slow down the speed and performance of devices, many employees bypass the VPN for faster connections.

Lack of Security Software

Many companies have required employees to use Mobile Device Management (MDM) software on personal devices used for business. Many MDMs allow work and personal data to be partitioned. However, employees often worry that their company has access to their personal data, such as GPS data on their physical location. Employees often remove or attempt to circumvent MDM software, which then leaves their devices without protection. Organizations often move to Unified Endpoint Management instead. This is a more holistic approach that is not as intrusive to employees’ personal devices and data.

Unpatched Software on Devices

Employees need to install updates or patches on their BYOD devices for work. If they don’t, they create an opening for cyber criminals to gain access to the corporate network, applications and data. MDMs can allow companies to remotely install software and updates on personal devices. However, many employees view this as intrusive and push back. You need to find a balance. Weigh the company’s need for all devices accessing its networks to have the latest OS against employees’ right to privacy.

Authenticating Personal Devices on Network

Authenticate every device that accesses the network. Employees now use multiple devices even in the same workday. So, the volume of devices connected to networks is now much higher. Many companies have turned to Multifactor Authentication (MFA) to make sure only authorized devices gain access. However, cyber criminals have responded by creating attacks designed for bypassing MFA. These include SIM swapping, technical loopholes, social engineering and phishing. While MFA is a key component of the right approach for BYOD, many groups use MFA as their entire strategy for authentication.

Change Your Approach to BYOD

It might seem tempting to look for more ways to control and restrict employees. Instead, take a step back and change the approach. The issue with many BYOD policies and restrictions is mainly that they no longer make sense for either security or workflow. Employees need processes and tools that make it possible for them to get their work done efficiently. At the same time, organizations need processes and security tools that keep their networks secure. With many employees remaining remote or hybrid for the long term, the use of BYOD is going to be a constant challenge in both the short and long term.

Organizations can turn to a zero trust approach to improve security with the expanded BYOD use. With zero trust, the framework starts with the assumption that every access request is not authorized. Everything (device, user, data) must prove authentication. The benefits of using zero trust include protecting customer data, decreasing breach detection times, visibility into traffic, a less complicated security stack and a better user experience.

What Is Zero Trust?

Instead of a single process or technology, zero trust is a collection of the following six principles:

  • Ongoing monitoring and validation
  • Principle of least privilege
  • Device access control
  • Preventing lateral movement
  • Multi-factor authentication (MFA)
  • Microsegmentation.

Because zero trust starts with assuming every access request is unauthorized, the framework solves many of the challenges that the increased use of BYOD has created, such as authenticating multiple devices and increased volume. By using microsegmentation, which means that users and devices only have access to the data, applications and networks they have a business need to access, organizations reduce the impact of an attack or breach. Additionally, MFA combined with other technology, including the principle of least privilege and device access control, improves the security of multiple devices.
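The default-deny evaluation described above can be sketched as a per-request decision function. This is an added example, not code from the article or any product; the role names, segment map, patch baseline and field names are all constructed assumptions.

```python
from dataclasses import dataclass

# Constructed microsegmentation map: each role reaches only the
# segments it has a business need for (assumed names).
SEGMENTS = {
    "sales": {"crm"},
    "finance": {"crm", "ledger"},
}
MIN_OS_PATCH = (2024, 5)  # constructed baseline: oldest acceptable (year, month)


@dataclass(frozen=True)
class AccessRequest:
    user: str
    role: str
    mfa_passed: bool
    device_registered: bool  # device access control: is this device known?
    os_patch: tuple          # (year, month) of the last installed OS patch
    segment: str             # resource segment being requested


def decide(req: AccessRequest) -> tuple[bool, str]:
    """Default deny: every check must pass, and it is re-run on every request."""
    if not req.mfa_passed:
        return False, "mfa_required"
    if not req.device_registered:
        return False, "unknown_device"
    if req.os_patch < MIN_OS_PATCH:
        return False, "device_unpatched"
    # Least privilege and microsegmentation: unknown roles map to the empty set.
    if req.segment not in SEGMENTS.get(req.role, set()):
        return False, "segment_not_allowed"
    return True, "allow"


# Constructed sample requests
REQUESTS = [
    AccessRequest("ana", "finance", True, True, (2024, 6), "ledger"),
    AccessRequest("ana", "finance", True, True, (2023, 11), "ledger"),  # same user, stale phone
    AccessRequest("raj", "sales", True, True, (2024, 6), "ledger"),     # no business need
    AccessRequest("raj", "sales", False, True, (2024, 6), "crm"),
    AccessRequest("eve", "contractor", True, False, (2024, 6), "crm"),
]

if __name__ == "__main__":
    for r in REQUESTS:
        print(r.user, r.segment, decide(r))
```

The second request shows why MFA alone is not the whole strategy: the same authenticated user is refused from a device that has fallen behind on patches.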

Over the past two years, organizations made many decisions quickly as situations changed. Now it’s time to pause and create a plan for the future regarding BYOD. The pandemic has changed many aspects of work forever, and organizations need processes, technology and a framework designed for our future reality. By moving to a zero trust approach, organizations can create an approach that provides two things at once. It offers both the security the organization needs and the flexibility that allows employees to be productive and engaged.
