The top 4 BYOD risks businesses face in 2024
From social engineering to phishing texts, devices allowed under BYOD policies can be prime targets for cyber attacks – risking individual privacy as much as business reputation
The rise of remote work and the surge in enterprise-facing cyber attacks have put the spotlight squarely on the risks of bring your own device (BYOD).
Once a simple idea — let employees use their own devices for work — BYOD has drawn both corporate mandate and employee approval, thanks to improved autonomy and slashed hardware expenses.
As a fractional CTO and former VP of product and engineering at Zeta, Ambuj Agarwal found BYOD to be a logical next step. The company's previous company owned, business only (COBO) policy limited even senior staff to two devices and was no longer aligned with the team’s idea of “connectivity.”
The potential benefits seem to be paying off: over 82% of frontline workers are currently using personal devices for work communication, according to The Employee App, despite the looming threats of AI, cyber attacks, and zero-day exploits.
But does this number offer justice to the reality of the BYOD movement? Not really. Over 81% of employers are considering a return to company-issued phones for privacy and security reasons, per SlashNext’s 2023 Mobile BYOD Security Report, with leaders identifying work-only devices as the best route for data security and privacy.
It seems the honeymoon period of “personal devices for work” may be drawing to a close. Let's delve into the reasons behind this shift.
The inherent risks of BYOD in 2024
1. Malware attacks
One of the biggest drawbacks of BYOD is IT’s lack of control over the hardware. Sysadmins can't dictate which apps are installed, how devices are secured, or what data is stored. Unsecured personal devices can easily become entry points for malware, putting the entire corporate network at risk.
Get the ITPro. daily newsletter
Receive our latest news, industry updates, featured resources and more. Sign up today to receive our FREE report on AI cyber crime & security - newly updated for 2024.
Often, these devices have unpatched vulnerabilities that hackers can exploit for remote code execution. Remember Standhogg 2.0 which impacted over one billion devices and enabled hackers to hijack data without pre-configuration? There are likely many more similar, undetected vulnerabilities in BYOD devices.
As Harish Vaidyanathan, head of product at Hatica, points out, until BYOD balances user choice with corporate information security, the policy will keep facing pushback from upper management.
Social engineering too adds to the risk. Despite training, employees can fall prey to phishing and baiting scams by downloading malware-infected links. Combined with inefficient device management policies, it creates a perfect storm for data theft, malware infiltration, and covert surveillance at the workplace.
2. Shadow IT sprawl
The average business today uses 342 SaaS applications per Productiv data, a number that climbs to 473 for larger enterprises. The problem? Many of these apps are not directly supervised by the IT teams.
BYOD policies exacerbate this issue. Employees, eager to improve collaboration and deep work, often download unsanctioned tools or store company data on personal cloud drives, fueling the growth of shadow IT—the unchecked proliferation of apps without explicit office approval.
The stakes are alarmingly high. Unauthorized apps, often a byproduct of shadow IT, have become prime targets for ransomware attacks. In fact, one in ten companies has suffered data breaches directly linked to this issue.
BYOD was supposed to reduce company costs but the proliferation of shadow IT has exposed the shakiness of this benefit. Redundant systems, poor standardization, and escalating support needs quickly erode any initial savings.
Factor in lost employee productivity, and regulatory fines– it's clear that the true cost of BYOD-driven shadow IT often goes unnoticed.
3. Data breaches
Perhaps most of all BYOD risks, the risk of a data breach has kept many CISOs awake. Every day, the US sees up to nine data breaches per Statista. Disgruntled employees, lack of multi-factor authentication on personal devices, weak passwords, and constant switching between personal and work profiles have opened a digital backdoor for cyber criminals to steal and exploit data.
“Threat hunters will need to continue paying close attention to attacks against mobile devices this year, even though many of those devices will not be corporate-owned,” says Tim Bach, senior VP of security engineering at SaaS firm AppOmn.
“Threat hunters will need to continue paying close attention to attacks against mobile devices this year, even though many of those devices will not be corporate-owned."
Device theft is another ticking time bomb. Companies are damned if they do, damned if they don't. Wipe the device clean to protect corporate data and you risk destroying personal photos, contacts, and other sensitive information. Leave it alone, and you're a sitting duck for a data breach. It's a no-win situation, thanks to BYOD.
Even advanced security measures like strong passwords and biometrics are no match for persistent attackers on decentralized devices. Amex ran into this problem earlier this year when a hacker accessed vendor devices to steal customer credit cards and social security numbers, as reported by the Washington Post.
Public Wi-Fi, often a necessity for remote workers, adds another layer of risk. Juicejacking – the use of unsecured public networks – exposes devices to interception leading to data exfiltration, account takeovers, and even man-in-the-middle attacks.
4. Privacy violations
"Lightweight MDM agents that safeguard employee privacy have been a real pain in the neck during our BYOD rollout," shares Agarwal. In fact, several C-suite executives have shared Agarwal's concerns about protecting employee privacy in a BYOD environment.
The once-promising vision of a happy, nimble workforce has started to crumble under scrutiny. Most BYOD policies include clauses for remote monitoring or "bossware" installation on employee devices, often tossing privacy expectations out of the window.
In some cases, BYOD programs might not even comply with HIPAA, GDPR, CCPA, Dodd-Frak, or other data protection laws, leaving companies in legal hot water. The other times, employees who didn’t report a lost phone right away were fired for violating their organization’s BYOD policy.
But the legal minefield gets even deeper. Imagine needing to search an employee device for company data. First, doing so without permission could be considered trespassing. Second, what if you stumble upon evidence of them moonlighting? This opens a legal can of worms. Did IT have permission? Can you use the information discovered? Does it hold up in court?
BYOD creates a tangled web of legal and ethical issues that companies are sleepwalking into. Employee happiness? Maybe. Peace of mind? Maybe not.
Bottom line: Protect your devices from BYOD risks
The debate around BYOD is far from settled. With the current market size of $114 billion according to Mordor Intelligence, it's clear that businesses and employees alike are drawn to the promise of productivity and reduced expenditure. Bach tells ITPro that remote work and BYOD trends are expanding across businesses of all sizes, with more and more mobile devices logging into corporate systems.
But this convenience comes with security risks, compliance paralysis, and sometimes, a dent in the company’s reputation and potential lawsuits. The best way forward is to take proactive measures before a crisis hits your BYOD devices.
Regularly audit registered devices, improve cyber hygiene, and implement robust device management with strict access controls. Also, ensure employees are well-versed in virtual private network (VPN) use to access company resources over public networks.
"It's no longer just about where you work, but also when," says Vaidyanathan. "Hybrid work means hybrid device usage. We urgently need devices that can intelligently distinguish between work and personal time so this fluidity doesn’t create challenges for IT security and privacy."
Build a bottom-up culture of privileged access management and you can begin to wrestle with the risks BYOD presents.
Avya Chaudhary is a freelance writer with years of experience writing about tech, particularly when it comes to pieces on AI and cybersecurity. She has previously held the position of content manager at Aviyel, overseeing a team of freelancers and content writers before going freelance in 2024.Outside of ITPro, her work has been featured in MIT Technology Review, TechRepublic Premium, Tech Times, eWeekUK, TechnologyAdvice, Datamation, C&EN, and Sprinklr.