BYOD: The Complete Guide
What is BYOD?
Bring Your Own Device (BYOD) is a growing trend, in which devices owned by employees are used within the enterprise. Smartphones are the most common example, but employees may also bring their own tablets, laptops and USB drives.
BYOD is part of the IT consumerization trend—the deployment of consumer software and hardware in enterprises. Bring your own technology (BYOT) refers to the use of consumer devices and applications, selected and configured by employees, in work environments.
In some cases, employee-owned equipment is allowed for use by the company, and may even be subsidized or supported by the IT organization. In other cases, the equipment owned by the employee is part of a parallel ecosystem known as shadow IT—hardware or software unknown or disallowed by the organization’s central IT department.
Whether your organization supports employee-owned hardware and software or not, the reality is that employees will at some point use personal devices to connect to the corporate network or access corporate data, and this poses a security risk. Many companies implement BYOD policies to minimize risk and address the need for consumer technology in the workplace.
Why is BYOD Important?
When employees use technology they are familiar with, they are more productive. Many employees are digital natives and find it difficult to function without their personal devices. Using personal devices at work lets them focus on their work rather than on adapting to the digital tools provided by the enterprise.
According to a Dell survey, 61% of millennials and 50% of workers 30 years or older believe that technology tools they use in their personal lives are more effective and productive than those they use in their professional lives.
Another benefit of BYOD is cost savings. According to a Cisco report, companies implementing BYOD can save $350 per employee per year by passing the cost of equipment on to their employees.
BYOD Pros and Cons
BYOD has many advantages and disadvantages to consider. Here are some of the benefits of BYOD to organizations:
- Better equipment—personal equipment is usually faster and more advanced than aging equipment provided by IT departments.
- Employee satisfaction—most employees find personal equipment more comfortable and efficient to use. BYOD employees are typically more satisfied with their user experience than those with corporate devices.
- Reduced costs—when employees bring their own equipment, this means the enterprise spends less on new equipment, and also saves the cost of maintenance and technical support.
- Increased productivity—employees working on personal devices are more productive and have fewer technical issues.
- Easier onboarding and offboarding—onboarding a new employee or ending employment can be a cumbersome process when company-provided devices are involved. BYOD, when properly managed, can make these transitions easier to manage.
What are the risks of BYOD?
- Limited control over, and difficulty monitoring, many different types of devices.
- Security risks caused by employees accessing corporate systems and data on personal devices. Personal devices, even those covered by a BYOD policy, generally do not have the same level of security as corporate devices.
- Employee privacy can also be an issue. Organizations must use security features or deploy security solutions on personal devices to protect corporate data, but they must do so without compromising the privacy of the employee's personal data.
When considering a BYOD policy, every company must perform a risk assessment and understand the impact of personal devices. Financial firms, healthcare organizations, law firms, and companies in other regulated industries face much more serious consequences from BYOD security incidents.
The type of corporate data being accessed is also important. Data that is encrypted at rest is less exposed than cleartext if a device is lost or stolen, although the data itself is no less sensitive. Publicly available company information is less sensitive than personally identifiable information (PII) or company intellectual property.
Alternatives to BYOD: CYOD and COPE
While BYOD has compelling advantages for both organizations and employees, there are alternative models. Two models adopted by many organizations are CYOD and COPE.
Choose Your Own Device (CYOD)
This policy lets companies offer a set of pre-approved devices and allows employees to choose among them. The devices ship with a secure configuration and business applications pre-installed. A CYOD policy lets users select equipment they are comfortable with, while the company retains ownership and covers costs.
CYOD is a compromise between BYOD and a strict company-owned equipment policy, because it gives employees some freedom. The company selects the type of equipment to deploy, to ensure compatibility and enforce a certain level of security on all devices. Unfortunately, employees are not always happy with the choice of equipment available. Even if the selection is broad, the employee may not find a device they are familiar or proficient with.
Corporate-Owned, Personally-Enabled (COPE)
This strategy provides employees with devices that are fully owned by the company. While the company maintains ownership and pays for the device, users are allowed to personalize it. They are allowed to download software that is not work related (with some restrictions of course), and customize the interface to their liking.
COPE gives the organization the highest level of control over user equipment. The company retains ownership and can pre-configure devices for security and compatibility with enterprise systems; effectively, the company can harden and lock down the device in advance.
However, COPE can be inconvenient to employees, as they do not have the ability to choose equipment that suits their needs. Another disadvantage of COPE is that it is the most expensive model for the enterprise.
Creating Your BYOD Policy
A BYOD policy contains the rules governing the level of corporate involvement in the management of employee-owned devices. The policy defines the level of IT support provided by the organization to the employees, as well as the areas employees are responsible for.
Typically, BYOD policies contain:
- Clear documentation of employer and user responsibilities.
- Specific instructions regarding the management software (for example, an MDM agent) employees must install before their devices may connect to the corporate network.
- Signed agreements acknowledging that all employees understand the policy and agree to comply.
Organizations also choose to add the following information to their BYOD policy:
- Security policies—based on industry standards, such as data encryption and using strong passwords.
- User guidelines—defined for the purpose of preventing BYOD users from introducing threats into the corporate network.
- Formal BYOD training—designed for the purpose of clarifying policies and providing employees with updated information.
BYOD Best Practices
There are many valuable techniques you can use to implement your BYOD policy. Here are key practices to consider.
Train Employees to Secure Their Devices
BYOD devices are usually not controlled by IT, so each employee must be trained to treat security as the first priority when protecting the device. Employees should be required to set a strong device passcode, keep the operating system and applications updated, and enable multi-factor authentication for the corporate accounts they use from the device. Organizations should consider providing employees with the tooling needed to protect their BYOD devices.
Employees should also be trained in the security risks they may face while using their BYOD devices. Risks such as shadow IT, phishing, and malware should be clearly explained to each BYOD user, together with the measures required to prevent and respond to these incidents. An educated employee can prevent a major breach.
Establish a Culture of Trust
BYOD devices can significantly increase the damage a malicious insider can do with their privileges. Establishing a culture of trust throughout the organization helps create a deeper connection between employees and the organization, and can reduce privilege abuse by disgruntled staff members or ex-employees.
Establish an Employee Exit and Onboarding Plan
When employees use company devices, it is relatively easy to control how the device and the information it stores are treated once an employee leaves the company. When employees use their own devices, the organization cannot simply wipe the whole device. Establishing an employee exit and onboarding plan helps you set clear expectations and rules for securing corporate information during these transition periods: enrol the device before any corporate data is made available, and at exit revoke access and selectively wipe the corporate data rather than the employee's personal data.
BYOD Security Technologies
Implementing a BYOD strategy in most organizations requires additional technologies or solutions that make it possible for users to bring their own devices while still accessing managed IT resources securely.
Mobile Device Management (MDM)
This is the most common form of BYOD management. MDM solutions can be deployed locally or in the cloud. They enable management of mobile devices, including deployment, security, monitoring, and integration with enterprise systems. They can protect corporate applications and data on personal devices, and automate delivery of enterprise applications to these devices.
MDM aims to prevent company policy violations, while maintaining employee productivity. MDM solutions enable:
- Separation of company data from personal data
- Protection of email and corporate documents on user devices
- Enforcing company policies such as disallowed applications or web content
- Remote management of mobile devices such as smartphones, laptops and tablets
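The two MDM capabilities that matter most for the offboarding problem above are device compliance reporting and selective wipe of the managed work container. The following is an added example, not code from the original page or from any MDM vendor: it evaluates constructed device-posture records (the `Device` fields, platform names and policy thresholds are assumptions) against a BYOD policy, turns the findings into a conditional-access verdict, and performs a selective wipe at exit that removes corporate data but leaves personal apps untouched.

```python
"""Added example (not from the original page or any MDM vendor): evaluate the
device posture an MDM reports for BYOD devices, decide whether each device may
reach corporate resources, and perform a selective wipe of the managed work
profile at offboarding that leaves personal data alone. The inventory records,
field names and thresholds below are constructed for illustration."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class Device:
    device_id: str
    owner: str
    platform: str                 # "ios" or "android" (assumed values)
    os_version: Tuple[int, ...]   # e.g. (17, 2)
    encrypted: bool               # storage encryption enabled
    passcode_set: bool            # screen lock / passcode configured
    jailbroken: bool              # rooted or jailbroken
    work_profile: bool            # corporate data confined to a managed container
    last_checkin_days: int        # days since the device last reported to MDM
    corporate_apps: List[str] = field(default_factory=list)
    personal_apps: List[str] = field(default_factory=list)


# Constructed policy thresholds; a real policy would come from the MDM console.
MIN_OS_VERSION: Dict[str, Tuple[int, ...]] = {"ios": (16, 0), "android": (13, 0)}
MAX_CHECKIN_DAYS = 7
# Findings that block access outright; everything else only forces remediation.
HARD_FAIL = {"rooted/jailbroken", "storage not encrypted",
             "no passcode", "no managed work profile"}


def compliance_findings(dev: Device) -> List[str]:
    """Return every policy violation for a device (empty list = compliant)."""
    findings: List[str] = []
    if dev.jailbroken:
        findings.append("rooted/jailbroken")
    if not dev.encrypted:
        findings.append("storage not encrypted")
    if not dev.passcode_set:
        findings.append("no passcode")
    minimum = MIN_OS_VERSION.get(dev.platform, ())   # unknown platform: no floor
    if dev.os_version < minimum:
        findings.append("os version below minimum")
    if not dev.work_profile:
        findings.append("no managed work profile")
    if dev.last_checkin_days > MAX_CHECKIN_DAYS:
        findings.append("stale check-in")
    return findings


def access_decision(dev: Device) -> Tuple[str, List[str]]:
    """Map findings to a conditional-access verdict.

    allow     - compliant, full access
    remediate - minor drift (old OS, stale check-in): only the self-service
                enrolment portal is reachable until the user fixes it
    deny      - a hard-fail condition; block and alert
    """
    findings = compliance_findings(dev)
    if not findings:
        return "allow", findings
    if HARD_FAIL & set(findings):
        return "deny", findings
    return "remediate", findings


def offboard(dev: Device) -> Device:
    """Selective wipe: drop the work profile and corporate apps, keep personal data.
    Afterwards the device no longer satisfies the policy, so access is denied."""
    dev.corporate_apps = []
    dev.work_profile = False
    return dev


def evaluate_inventory(devices: List[Device]) -> Dict[str, str]:
    """Return {device_id: verdict} for a whole inventory."""
    return {d.device_id: access_decision(d)[0] for d in devices}


# Constructed inventory, shaped like a normalised MDM export.
INVENTORY = [
    Device("d-001", "alice", "ios", (17, 2), True, True, False, True, 1,
           corporate_apps=["mail", "docs"], personal_apps=["photos", "banking"]),
    Device("d-002", "bob", "android", (12, 0), True, True, False, True, 3,
           corporate_apps=["mail"], personal_apps=["games"]),
    Device("d-003", "carol", "android", (14, 0), False, True, True, True, 0,
           corporate_apps=["mail", "crm"], personal_apps=["music"]),
]

if __name__ == "__main__":
    for d in INVENTORY:
        verdict, why = access_decision(d)
        print(f"{d.device_id} ({d.owner}): {verdict} {why}")
```

The point of the split between `deny` and `remediate` is that a stale check-in or an outdated OS should push the user to fix the device, not lock them out entirely, while a rooted or unencrypted device never gets corporate data. Note that `offboard` only touches the managed container; the personal app list is deliberately left alone, which is the privacy constraint the risks section calls out.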
Endpoint Protection Platforms (EPP)
As the BYOD trend gains momentum, endpoint security becomes much harder. When deciding on a BYOD policy, your organization must address legal, privacy, HR, and many other concerns, and BYOD introduces access and security challenges of its own. A single successful phishing attack on a personal device can lead to identity theft, data loss, IP theft, compliance fines, and legal exposure.
An EPP is a solution deployed on endpoint devices, which can prevent file-based and fileless malware attacks, detect malicious activity by the user (or an attacker who has compromised the device), and dynamically respond to security events and alerts. EPPs also provide the critical ability to remotely investigate security incidents on an endpoint, and perform remediation to mitigate threats.
EPPs prevent a variety of threats by providing the following measures:
- Next Generation Anti-Virus (NGAV)—detects and blocks malware, including new variants that evade signature-based detection by changing their binary form.
- User and Entity Behavior Analytics (UEBA)—detects unusual or suspicious behavior on the endpoint and alerts security staff.
- Application control and whitelisting—enabling the organization to define specific applications and websites that are allowed on the endpoint, and blocking all others.
- Device control—allows security teams to remotely control endpoints, collect data and enforce policies for audit, investigation and compliance purposes.
- Sandbox—an isolated location on the device that can detonate potential malware in a controlled manner, analyzing it without threatening other parts of the device.
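Of the measures listed, application control is the one whose logic is easiest to get subtly wrong, so here is an added example of the default-deny evaluation it relies on. This is not code from the original page or from any EPP product; the rule format, signer names, paths, version numbers and the "binaries" whose hashes are computed are all constructed for illustration. It shows why a hash rule catches a tampered copy of an approved tool, why publisher rules should carry a minimum version, and why anything unmatched is denied.

```python
"""Added example (not from the original page or any EPP product): a default-deny
application allowlist evaluated over constructed process-launch events. Rule
format, signer names, paths, versions and binary contents are invented."""
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class LaunchEvent:
    user: str
    path: str
    signer: Optional[str]          # certificate subject; None when unsigned
    version: Tuple[int, ...]       # file version from the binary's metadata
    sha256: str                    # hash of the file on disk


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed "binaries" so the hashes are reproducible offline.
APPROVED_TOOL = b"constructed bytes of an approved internal tool v1"
TAMPERED_TOOL = b"constructed bytes of the same tool, modified"
KNOWN_BAD = b"constructed bytes of a known-bad dropper"

# Rules. Deny rules are consulted before allow rules; anything unmatched is denied.
DENY_HASHES = {sha256_hex(KNOWN_BAD)}
ALLOW_HASHES = {sha256_hex(APPROVED_TOOL)}
# Publisher rules carry a minimum version so old, vulnerable builds by a trusted
# signer do not stay allowed forever.
ALLOW_PUBLISHERS: Dict[str, Tuple[int, ...]] = {
    "CN=Example Software Vendor": (2, 5),
}


def evaluate(event: LaunchEvent) -> Tuple[str, str]:
    """Return ("allow" | "deny", reason) for a single launch event."""
    if event.sha256 in DENY_HASHES:
        return "deny", "hash on explicit deny list"
    if event.sha256 in ALLOW_HASHES:
        return "allow", "hash allow rule"
    if event.signer in ALLOW_PUBLISHERS:
        if event.version >= ALLOW_PUBLISHERS[event.signer]:
            return "allow", f"publisher rule {event.signer}"
        return "deny", "trusted publisher but version below minimum"
    if event.signer is None:
        return "deny", "unsigned and not on hash allow list"
    return "deny", "signer not trusted"   # default deny


def evaluate_all(events: List[LaunchEvent]) -> List[Tuple[str, str, str]]:
    """Return (path, verdict, reason) for every event."""
    return [(e.path, *evaluate(e)) for e in events]


# Constructed launch events as an endpoint agent might report them.
EVENTS = [
    LaunchEvent("alice", r"C:\Tools\inventory.exe", None, (1, 0),
                sha256_hex(APPROVED_TOOL)),
    # Same path and name, but the file was modified: the hash rule no longer matches.
    LaunchEvent("alice", r"C:\Tools\inventory.exe", None, (1, 0),
                sha256_hex(TAMPERED_TOOL)),
    LaunchEvent("bob", r"C:\Program Files\Vendor\app.exe",
                "CN=Example Software Vendor", (3, 1),
                sha256_hex(b"constructed vendor app 3.1")),
    # Genuinely signed by the trusted vendor, but an old build below the floor.
    LaunchEvent("bob", r"C:\Users\bob\Downloads\app.exe",
                "CN=Example Software Vendor", (2, 0),
                sha256_hex(b"constructed vendor app 2.0")),
    LaunchEvent("carol", r"C:\Users\carol\AppData\Local\Temp\update.exe",
                "CN=Unknown Signer", (1, 0), sha256_hex(b"constructed unknown")),
    LaunchEvent("carol", r"C:\Users\carol\Downloads\invoice.exe", None, (0,),
                sha256_hex(KNOWN_BAD)),
]

if __name__ == "__main__":
    for path, verdict, reason in evaluate_all(EVENTS):
        print(f"{verdict:5} {path}  ({reason})")
```

Two details are worth copying into a real policy: the deny list is checked first so an explicit block can never be overridden by a broad publisher rule, and the path of the binary plays no part in the decision, because user-writable directories such as Downloads are exactly where an attacker places their files.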
Desktop Virtualization: VDI and DaaS
Virtual desktop infrastructure (VDI) solutions provide a way for remote devices to access an enterprise-controlled desktop environment at any time. The IT team provides access to these virtual desktops and selects which resources are available to different categories of end users.
When BYOD users work on an enterprise-hosted desktop, the organization has improved control over their use of business applications and data. For example, it is possible to limit a user’s ability to download files or copy-paste information to the local device (while this may also hinder productivity).
VDI solutions require a major investment in infrastructure. A growing alternative, which is very easy to deploy and does not have large upfront costs, is desktop as a service (DaaS). DaaS is VDI hosted and operated by a cloud provider, billed according to desktops actually used.
Hysolate: Isolated Workspace-as-a-Service
Hysolate offers a set of features that together provide employees a positive day-to-day work experience while working from BYOD devices.
- Smooth deployment, onboarding and maintenance—Hysolate offers instant one-click installation or silent provisioning, including automatic installation in the secured operating system of all company-approved applications and automatic provisioning of company policies.
- Privacy and collaboration by design—with virtual workspaces that function like completely separate physical environments, employees keep their privacy, collaborate on tools of their choice, take their laptops home, build team rapport through social media and more. They enjoy the freedom, trust and privacy that keep them on your team long-term. Ongoing support, including remote access, can be provided without viewing the users' private data.
- Continuous and uninterrupted access to company assets—Hysolate provides a completely isolated corporate virtual machine as well as improved VPN security, and secured split tunneling. Employees can work continuously without having to suffer overloaded networks, sudden IP changes, disconnects and the like, no matter where they are.
- Embedded granular security—Hysolate offers remote wipe and locking of corporate data, built-in data loss prevention, ongoing device health checks and granular policy management. Policies can determine when and how objects can be copied, cut and pasted between operating system workspaces, who has admin rights, what networks are permitted, whether USB devices are allowed and more. Hysolate can prevent keystroke recording, screenshots, and other malicious attack techniques. Security teams can ensure all company assets stay protected without disrupting the natural user workflow.
- A safe and positive end-user experience—Hysolate guided tours make it quick and simple for users to onboard. From there, the sky's the limit. Because the workspaces act like the multiple desktops most users already know, switching between them is seamless, with no disruptive context switching.