The Risks with Bring Your Own Device Policies
The business world is experiencing an unprecedented shift to remote work/work from home.
The office space was seen as an unnecessary risk to employee health, and many organizations, even roughly 18 months after the widespread lockdowns, have still not required employees to return to the office. Some organizations have gone so far as to shut down or sell off their office space because it no longer fits their work model.
During the early days of this shift to working from home, companies were simply unprepared to provide the necessary IT equipment to properly support users in a home environment.
The huge demand for laptops, monitors, and related equipment, even office chairs, continues to constrain supplies. These delays and shortages forced organizations to let users work on their personal devices to avoid interrupting their ability to work, and that began the widespread adoption of “Bring Your Own Device” (BYOD) policies.
What began as a lack of supply due to a boom in purchasing demand transformed into constraints across the entire supply chain. Purchasing and receiving a shipment of compute devices used to take a matter of days; it became a matter of months, often with repeated missed shipping targets along the way.
This lack of supply forced organizations to make tough decisions, including further extending the use of BYOD policies or even fully embracing them.
Letting new employees, or employees in positions that require only minimal capabilities such as email or web browsing, use a personal computer reduced the pressure on an already tight IT asset inventory and kept the hiring and onboarding processes moving along.
What may not be as immediately apparent are the underlying risks associated with a BYOD model. When an employee is using their personal computer, the organization typically does not have insight into the health or configuration of the machine. “BYOD blind spots” can include:
- What software is being used?
- What anti-virus, if any, is protecting the system, and is it current?
- Are the Operating System, applications, and browser being consistently patched?
- Are there restrictions on who else in the family or circle of friends may also have access to and use the computer or what they may be using it for?
- What happens if the computer is used for viewing sketchy websites or downloading files off of BitTorrent?
- When the employee uses the computer to fulfill their position responsibilities, are they storing sensitive corporate documents locally?
- Do they handle financial accounts or transactions online?
- Are they connecting to the corporate network via VPN?
When we combine these risks with how an employee might use their computer for work, the threats to an organization posed by BYOD become hard to ignore. Despite the challenges of supply constraints, finding creative ways to get corporate compute devices deployed to employees is worth the effort.
Ways to Secure Your BYOD Environment
While BYOD can come with security risks, there are ways to mitigate them. Standardization of both hardware and software configuration makes it substantially easier for overburdened IT staff to support the environment, and allows loaner devices to be kept on hand should an employee need a replacement.
Standardizing on a particular compute device vendor takes this a step further by enabling coordinated warranty support, which the vendor can often dispatch around the world.
Having standardized corporate compute devices enables the central management of device health telemetry, disk encryption, patching, and security software. IT staff can then view real-time monitoring dashboards and live threat logs, and generate factual compliance reports.
They are then able to reduce the attack surface of the organization and provide meaningful data to key stakeholders as validation of business, regulatory, or even insurance requirements.
Having organization-provided devices enables employee data security and retention through common technologies such as Microsoft Intune, one of many options for mobile device and application management, and Microsoft OneDrive for Business.
When used properly, OneDrive for Business allows an employee to safely store their documents and files in an encrypted cloud storage vault that travels with them and can also be retained by corporate IT staff in the event of employee offboarding.
Access to a managed device can also be protected by Active Directory authentication and may even be further reinforced by Multi-Factor Authentication (MFA), ensuring only the employee or other authorized personnel may sign into the device.
Policies such as these are typically centrally configured and pushed out to all employee devices using solutions like Intune. These solutions control how data is accessed or shared, which applications may or may not be used, firewall rules, Operating System settings, and more.
In our current age, when cyber-theft and compromise are becoming almost daily occurrences, organizations must raise the bar on security, re-evaluate best practices, and carefully reassess their BYOD strategy.