Bring your own.

Bring your own device (BYOD) was a very hot topic a few years ago. While vendors had introduced a number of variants (see below) prior to COVID-19, interest among organizations seemed to have waned. However, when restrictions were put in place to combat the pandemic, many companies relied heavily on employees using their own devices to maintain operations. More than one in three (36%) organizations opened up access to corporate resources and systems to employees using personal devices—that’s on top of those that already allowed it.

Identify

• As with any security topic, understanding the risks is a crucial first step. You should develop a detailed BYOD policy that clearly lists responsibilities. This should tackle the tough questions, like does the organization have the right to remotely wipe (or seize) the device if a security threat is detected? But beware of being too draconian. A secure BYOD program relies on users feeling able to share concerns, not covering up potential issues. For the same reason, make sure that the policy is written in clear language and is easy to understand. This may involve translating it into local languages.
• Ensure that all your employees understand their responsibilities when using their own devices for business purposes. This matters because people behave differently when using a personal device than when using a company-owned one. Differences could include letting a friend or family member use it, giving the login password to a third-party support or repair person, or simply visiting inappropriate sites.
•  Proofpoint found that the vast majority (90%) of people back up important files using a cloud-based storage service or an external drive.¹⁴  While this could be good news from the perspective of business continuity—and thwarting ransomware attacks—it could be worrying in terms of IT having little insight or control over where sensitive data is stored. You should educate users on the dangers of storing corporate information locally on devices, especially ones not controlled by the organization.

Protect

• Not all threats are malicious. Employees often increase risk unintentionally or even with the best of intentions. For example, a user might have their devices set up to automatically back up to the cloud. If that user then starts using a device for work purposes, this could not just pose an additional security risk but also contravene privacy regulations. Those who are new to remote working are likely to be less aware of such issues than experienced Omniworkers and Nomads.
• Educate users on the importance of managing the permissions granted to apps. Users often aren’t aware of how some permissions can be exploited for nefarious purposes.
• There are a range of technical services, such as MDM, that can help remotely secure, manage and support personally owned devices. Some of these have a “container mode,” which enables administrators to create an isolated area of the device to run corporate applications in. As well as giving increased control, this can also get around the potentially thorny issue of permission to wipe an employee-owned device.
• Strong authentication is important on every device, but BYOD presents particular challenges. With personally owned devices, IT will have less control and visibility, so malware can be more of an issue. The compromise of credentials could lead to sensitive business applications and data being exposed. Consider using different credentials and giving devices not controlled by the company restricted access.
• Ensure that participants—especially former Commuters and others new to using personal devices for work—understand the importance of keeping both the operating system (OS) and apps up to date. And educate them on the dangers of malware and how to reduce the risks. Malware could obviate protections like containerization.
• A zero trust approach is ideal for a BYOD program. It can reduce the reliance on end users making informed and security-conscious decisions. And it can improve user satisfaction and productivity as it automates many aspects of security protections, reducing the number of intrusions to the user’s activities. See page PAGENO for more about zero trust.

Detect

• BYOD devices should have all the standard security measures—such as mobile threat detection (MTD)—that you’d put on a company-owned and controlled device. An MDM solution can make managing a diverse fleet of devices much easier, including deploying applications, checking that patches have been installed and enabling remote wipe if a device is lost, stolen or compromised.
• Endpoint detection and response (EDR) uses behavioral-based analysis to provide threat protection. A typical EDR solution consists of an app that sits on the device and gathers thousands of data points. These data points are automatically analyzed to detect threats and mitigate them. These solutions can also provide much greater visibility into the mobile fleet, providing valuable insight.
• Consider implementing data loss prevention (DLP) to detect and block the exfiltration of information. But give users an authorized—and easy-to-use—means to share files outside the company to avoid putting them in a corner.

Respond

• Many traditional security controls relied upon having a relatively homogeneous fleet of devices—the “bad old days” of everybody having the same brick phone and laptop. Most BYOD programs increase the variety of devices being used—in fact, many programs were introduced to answer demand for specific devices. This is likely to place increased demand on support, as there will be more operating systems to understand, more operating systems and app variants to patch, and more device-specific vulnerabilities to worry about. Make sure that your team is prepared for this, or you could be creating a security nightmare.
• Ensure that staff members know what to do if a device is lost or stolen, or they spot something suspicious—which should be part of your general security policy, but it’s worth reiterating here. Make sure that your employees feel comfortable reporting potential issues, as this can help identify attacks faster. Early detection can drastically reduce the damage caused, but, as anybody that’s read the Verizon DBIR will know, it often doesn’t happen. Make it easy—it shouldn’t be something people have to look up—and remember, the employee might not be able to access company systems when reporting an issue. Create a memorable external-facing email alias like security@companyname.com

Recover

• Remember that employees may not have the cash to replace an expensive device and an insurance policy may take time to pay out. Make sure that you have some spare devices to loan to users to keep them productive while loss/theft issues are resolved.
• Unlike devices bought by the company, the IT department may never get their hands on new devices under BYOD programs. Consider the time it may take to build a new device over a typical home broadband connection—apps like Microsoft 365 (formerly Microsoft Office 365) are a multiple gigabyte download. Provide users with advice on prioritizing the build process and how to use web-based options (such as Microsoft 365 Online) in the meantime.
• MTD combined with unified endpoint management (UEM) can help bring devices that are out of compliance back into line through self-remediation.

Performing digital forensics on an employee-owned device can present many problems. Develop a clear policy in consultation with the legal department. Make sure that you have the processes and capability in place to carry out an investigation in line with the policy.