The new BYOD: How tech leaders can securely evolve policy

As hybrid working becomes widespread and the variety of personal devices used by employees expands, firms are having to rethink BYOD policies


Bring your own device (BYOD) has been used by businesses for years as a tool to cut costs and increase efficiency. The trend surged during the pandemic as workers began to work from home full time using their own laptops, smartphones and tablets to connect to company networks.

Now, things are changing again as hybrid working sees employees using an increasingly wide range of personal devices at home and in the office.

This comes with its own security risks, which in many cases are prompting a rethink of current BYOD policies. More than half (52%) of enterprises are mulling a ban on personal devices in the office, with laptops, tablets and webcams all set for the chopping block, according to a survey conducted by Kinly.

Over half (57%) of respondents to Kinly’s survey said it’s becoming harder than ever to secure devices used outside the office and on home networks.

While BYOD isn’t new, the recent shift to hybrid working patterns means the practice has become untenable from a security perspective, according to Kinly.

So what’s gone wrong with BYOD, and how can firms evolve their policy?

BYOD and the working environment

Over the last few years, the working environment has changed significantly, yet BYOD policies often remain the same.

Today’s BYOD controls don’t keep pace with the changing IT environment, says Alan Jones, CEO and co-founder of YEO Messaging. “Businesses assumed virtual private networks (VPNs) and mobile device management (MDM) tools could cover the risks — but they don’t protect the actual data, or provide control over confidentiality.”

The BYOD initiative began as a cost-conscious strategy. However, it is now equally driven by “user demand, flexible working, security improvements, and the evolution of cloud-native and virtualisation technologies”, says Steven Wood, director, solution consulting EMEA at OpenText Cybersecurity.

Adding to this is “the sheer pace of digital transformation”, which is “outstripping IT’s ability to keep up”, Wood says. “Organizations have needed to apply layer after layer of software tools to keep their businesses safe, at the same time, battling skills gaps. Meanwhile, time-strapped employees are leaning into whatever software and generative tools will help them get the job done the fastest, often without approval or oversight of IT teams.”

This is leading to “a whole new headache”: shadow IT and shadow AI, according to Wood. “This new phenomenon means businesses struggle to gain visibility and control of the applications used, running the risk of compromised security, compliance shortfalls and even poor quality and inaccurate work.”

Modernized BYOD

Amid this complex environment, firms lacking a modernized BYOD policy are putting themselves at risk. Pitfalls include data loss, regulatory breaches and reputational damage.

A hacked device or misused app can leak sensitive contracts, customer data or intellectual property, Jones warns. “The legal and compliance risks are staggering — especially in regulated environments such as finance, healthcare and the legal sector.”

From a security perspective, unmanaged devices are “a telemetry black hole”, says Adam Seamons, head of information security at GRC International Group. “Collecting meaningful log data is difficult, weakening incident response and forensic capability.”

Mobile app management (MAM) tools offer some middle ground, but they’re not a fix for all issues, he says. “Data loss prevention (DLP) becomes challenging, particularly when users access corporate data through consumer apps or personal email.”

Data privacy is “another minefield”, especially when complying with regulation, says Seamons. For example, he asks: “How do you respond to a subject access request to comply with regulation such as the General Data Protection Regulation (GDPR) when sensitive client information has been discussed over personal messaging apps?”

A BYOD strategy for now

It’s clear BYOD needs to evolve, so how can you update your policy to fit the fast-changing working environment?

First, really assess how employees are working, says Jones. Then “stop relying on tools built for 2015”, he says. “The future of BYOD is about protecting data and access to the apps and operating system, not just the hardware,” he warns.

Seamons concurs: BYOD policies must evolve to reflect how people actually work, with controls built around identity, access and data – not just the device, he advises.

It all starts with understanding what people use personal devices for, and why, agrees Attila Török, CISO at GoTo. “It may be because it’s cumbersome to read a company email, or the work machine doesn’t have the right app installed.”

This step is key in setting boundaries and establishing defined processes and best practices that allow people to work more effectively, says Török. “It’s surprising how many IT security teams do it the other way – crafting policies, denying applications before understanding what people want to achieve.”

Other actions that IT teams should think about include prohibiting the use of consumer-grade apps or having corporate policies to control them.

Meanwhile, firms should consider investing in end-user security awareness education or training courses, says Wood.

The way leaders relay the rules to employees is key to a policy’s success. It’s important to communicate a BYOD and acceptable use policy as clearly as possible, says Török. For instance, instructing employees to always keep home routers and personal devices updated with the latest software will offer a basic level of protection via frequent security patch refreshes, Török suggests.

Similarly, setting strict rules around only using approved applications will help reduce the chances of accidental exposure to malware via unvetted technology – as well as potential leakage of confidential data and communications, Török adds.

Employees also need to know the reason that rules are in place. Businesses should reiterate the policy, explaining what software is marked for acceptable use and highlighting the risks to business security and reputation when employees don’t adhere, Wood advises.

BYOD security can be evolved, but approaches to the trend need to change. As part of this, businesses need to stop treating the area as “a low-friction perk”, says Seamons. “If you can’t enforce a policy, monitor access or ensure data can be recalled, you’re in breach of basic security and privacy principles.”

Kate O'Flaherty is a freelance journalist with well over a decade's experience covering cyber security and privacy for publications including Wired, Forbes, the Guardian, the Observer, Infosecurity Magazine and the Times. Within cyber security and privacy, her specialist areas include critical national infrastructure security, cyber warfare, application security and regulation in the UK and the US amid increasing data collection by big tech firms such as Facebook and Google. You can follow Kate on Twitter.