Rebooting your BYOD strategy

A laptop, phone, watch and notepad all organised neatly on a desk
(Image credit: Getty Images)

Bring Your Own Device (BYOD) took on a whole new meaning at the start of the pandemic. Businesses weren’t set up for the sudden move to work from home, and many adopted quick-fix strategies to avoid disruption as COVID-19 took hold.

This rapid shift, however, widened the attack surface. As we settle into 2022, BYOD strategies are further complicated by hybrid work, with employees rotating between their home and the office. The National Cyber Security Centre (NCSC) issued a warning late last year, providing updated guidance on helping UK businesses manage a “potentially difficult IT set up”, suggesting the “just make it work” mentality is over.

The NCSC outlined steps to help companies stabilise BYOD adoption, including sharpening management and deployment methods to ensure BYOD is effective and secure. “You cannot do all your organisation's functions securely with just BYOD, no matter how well your solution is configured,” the NCSC’s senior platforms researcher Luna R wrote in a blog. As we shift into a new era of work, in which working from home is dominant, BYOD strategies must be overhauled to ensure firms remain secure and efficient.

Why BYOD quick fixes don’t work

BYOD cuts IT equipment costs by allowing employees to use their own devices for work. When people were working solely in the office, many businesses managed BYOD with hardware policies and mobile device management (MDM) tools.

The "quick fix" BYOD strategies firms were forced to adopt in 2020, however, were never fit for purpose. When COVID-19 hit alongside home working, it left vast numbers of employees using their own smartphones and laptops without security controls inherent on work-issued devices. The risks are various, including reputational fallout and fines if employees unwittingly expose company data.

A substantial number of companies have failed to re-evaluate their risk profiles since implementing “quick fix” strategies at the start of the pandemic, says Robert Rutherford, CEO at IT consultancy QuoStar. “Nor have they evaluated the technical and policy-based controls required. This is a significant concern that organisations should address urgently.”

The “quick fix” approach to BYOD has often failed to take into account the need to adjust tools, processes, security controls and employee training, says Lorenzo Grillo, managing director of cyber risk services at business management consultant Alvarez and Marsal.

As a result, an employee’s tablet or smartphone could be used in ways that would not be acceptable if it were owned by an organisation. Employees could be late to apply security patches or, in some cases, not keep devices up to date at all. “A device could be taken to unsuitable locations, shared with family and friends, or employees could add unauthorised apps or data,” Grillo warns.

If attackers are able to take over an employee device, the results can be devastating, he adds. “If a personal device is infected with malware, attackers can read the user’s keyboard input, including usernames and passwords. This is how malicious hackers gain access to sensitive company data.”

Many "quick fix" strategies have failed because they prioritised access over security, says John Shier, senior security officer at security firm Sophos. He cites, as an example, the overreliance on remote access services such as Remote Desktop. “This presented attackers with a new set of targets that hadn't existed before the pandemic.”

A common mistake made by businesses is the misconfiguration of remote access technologies, which leaves them more open to attack, adds Martin Riley, director of managed services at Bridewell Consulting. “Cyber criminals are evolving and adapting their techniques to exploit the growing reliance on mobile devices and remote working.”

Which BYOD strategy is right for you?

BYOD for hybrid working requires a combination of updated strategies and tools. Many experts recommend adopting a zero trust model – where no person or device is trusted by default – to manage BYOD. Yet, as Luna R points out in her blog, there are many misconceptions in this area.

Indeed, many of the technical controls for BYOD are similar to those used in zero trust architecture, but there are important differences – and the concept doesn’t work for everyone, Luna R writes.

When used optimally, however, experts say zero trust is a good starting point for BYOD in a hybrid working environment. Zero trust means separating users and devices as much as possible from corporate assets such as data, applications, infrastructure and networks and following an “identify, authenticate, authorise and audit” model, says Riley.

As part of this, visibility is key to managing BYOD in a hybrid working environment. Roel Decneut, CMO at IT asset management company Lansweeper, describes how organisations can gain visibility into devices and software. He cites the example of the University of Derby, which implemented a BYOD strategy to allow remote learning and new working arrangements for its students and staff.

The university started by setting up and auditing existing technologies and processes. Using IT asset management software alongside robust policies and procedures, the university now keeps track of an extended network of remote devices in staff and students’ homes.

Mobile threat defence (MTD) systems, which build on MDM to prevent, detect and remediate attacks, also help improve visibility and manage BYOD. When properly configured and integrated, these enhance existing zero trust controls by outlining your mobile device risk, according to Shridhar Mittal, CEO at mobile security firm Zimperium. MTD can be integrated with extended detection and response (XDR) solutions to cover emails and networks. “This allows you to apply a holistic approach to cyber security, protecting all devices,” says Mittal.

Crafting your BYOD policy for hybrid working

There’s no one-size-fits-all approach, but firms can start by examining the NCSC’s guidance. Going forward, Grillo recommends a BYOD policy outlining which employees are permitted to use personal devices for business and accessing the corporate network.

Firms need to make clear any restrictions on the type of personal devices – for example, specific models and operating systems – that can be used for corporate business, he says. In addition, businesses should decide which apps and collaboration tools are available to employees to use on personal devices and detail any corporate network access restrictions such as virtual private networks (VPNs).
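As an added illustration, not taken from the article or from any of the firms quoted in it, the following Python shows how the kind of BYOD policy Grillo describes (which employees may use personal devices, which models and operating systems are permitted, which apps are approved) together with the patch-currency and management concerns raised earlier can be expressed as a single device-posture check that an access broker might run before admitting a personal device, with an audit line for each decision. The policy values, device records, field names and function names are all constructed assumptions for this example.

```python
"""Added example: evaluating a personal device against a BYOD access policy.

Illustrative code only; the policy values and device records below are
constructed for this example and do not describe any real organisation.
"""
from dataclasses import dataclass, field
from datetime import date


@dataclass
class Device:
    """Posture record for one personal device, as an MDM or asset inventory might report it."""
    user: str
    model: str
    os_name: str
    os_version: tuple          # e.g. (15, 2)
    last_patched: date
    installed_apps: frozenset
    mdm_enrolled: bool


@dataclass
class Policy:
    """BYOD policy: who may use personal devices for work and what those devices must look like."""
    permitted_users: frozenset
    min_os_version: dict       # os_name -> lowest permitted version; an absent OS is not permitted
    blocked_models: frozenset
    max_patch_age_days: int
    approved_apps: frozenset
    require_mdm: bool


@dataclass
class Decision:
    allowed: bool
    reasons: list = field(default_factory=list)


def ver_str(version: tuple) -> str:
    return ".".join(str(part) for part in version)


def evaluate(device: Device, policy: Policy, today: date) -> Decision:
    """Run every policy check and return the decision with all failed checks listed.

    Every check runs (rather than stopping at the first failure) so the audit
    record and the user-facing message show the full remediation list.
    """
    reasons = []
    if device.user not in policy.permitted_users:
        reasons.append("user is not permitted to use a personal device for work")
    if device.model in policy.blocked_models:
        reasons.append(f"device model {device.model} is not permitted")
    min_ver = policy.min_os_version.get(device.os_name)
    if min_ver is None:
        reasons.append(f"operating system {device.os_name} is not permitted")
    elif device.os_version < min_ver:
        reasons.append(f"{device.os_name} {ver_str(device.os_version)} is below minimum {ver_str(min_ver)}")
    patch_age = (today - device.last_patched).days
    if patch_age > policy.max_patch_age_days:
        reasons.append(f"last security patch is {patch_age} days old (limit {policy.max_patch_age_days})")
    unauthorised = sorted(device.installed_apps - policy.approved_apps)
    if unauthorised:
        reasons.append("unauthorised apps installed: " + ", ".join(unauthorised))
    if policy.require_mdm and not device.mdm_enrolled:
        reasons.append("device is not enrolled in mobile device management")
    return Decision(allowed=not reasons, reasons=reasons)


def audit_line(device: Device, decision: Decision, today: date) -> str:
    """One log line per access decision, so both allows and denies are auditable."""
    verdict = "ALLOW" if decision.allowed else "DENY"
    detail = "; ".join(decision.reasons) if decision.reasons else "all checks passed"
    return f"{today.isoformat()} user={device.user} model={device.model} result={verdict} {detail}"


# Constructed sample policy and device records (not real data).
POLICY = Policy(
    permitted_users=frozenset({"alice", "bob"}),
    min_os_version={"iOS": (15, 0), "Android": (12, 0)},
    blocked_models=frozenset({"OldPhone-2015"}),
    max_patch_age_days=30,
    approved_apps=frozenset({"mail", "chat", "vpn"}),
    require_mdm=True,
)
TODAY = date(2022, 3, 1)

COMPLIANT = Device("alice", "Phone-X", "iOS", (15, 3), date(2022, 2, 20), frozenset({"mail", "vpn"}), True)
STALE = Device("bob", "Tab-7", "Android", (12, 0), date(2021, 11, 1),
               frozenset({"mail", "chat", "game-of-the-week"}), False)
UNKNOWN_USER = Device("carol", "Phone-X", "iOS", (15, 3), date(2022, 2, 28), frozenset({"mail"}), True)

if __name__ == "__main__":
    for dev in (COMPLIANT, STALE, UNKNOWN_USER):
        print(audit_line(dev, evaluate(dev, POLICY, TODAY), TODAY))
```

Running the block prints one audit line per device: the compliant phone is allowed, the stale tablet is denied for three separate reasons (patch age, an unapproved app, and no MDM enrolment), and the device belonging to a user outside the permitted group is denied on that ground alone. Returning every failed check at once, rather than the first, is what lets the help desk give an employee the complete list of fixes in one go, which is the balance between restriction and productivity the article goes on to discuss.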

Other considerations for BYOD strategies include bringing in a formal IT security governance framework, such as ISO 27001 or IASME, Rutherford advises.

As hybrid working continues, BYOD increases flexibility and efficiency, but this should not be at the expense of security. The challenge is getting the balance right, says Riley. “Putting too many restrictions on mobile devices could result in a dip in productivity and user experience. If things are too lax, however, you could be subjected to unnecessary risk.”

Kate O'Flaherty

Kate O'Flaherty is a freelance journalist with well over a decade's experience covering cyber security and privacy for publications including Wired, Forbes, the Guardian, the Observer, Infosecurity Magazine and the Times. Within cyber security and privacy, her specialist areas include critical national infrastructure security, cyber warfare, application security and regulation in the UK and the US amid increasing data collection by big tech firms such as Facebook and Google. You can follow Kate on Twitter.