What is BYOD (Bring-Your-Own-Device)?

February 10, 2022

What is BYOD?

BYOD stands for Bring Your Own Device and refers to a business policy that allows employees to use personally owned devices for work purposes. BYOD was already common prior to COVID and is now the norm even for enterprises that were formerly wary of the policy’s potential security risk.

BYOD comes in many flavors in the corporate environment. BYOD means the device is owned by an employee and used for both business and personal tasks. CYOD, or “choose your own device,” is when the organization offers users a choice of devices from a limited list. These may be owned by the company or the employee, but either way, any customization has to go through the IT department. COPE is “corporate-owned, personally enabled,” in which the device is owned by the business and issued to the employee, who is allowed to also use it for personal activities. The most restrictive category is COBO, “company-issued, business-owned,” which is when the company owns the device and the employee can only use it for business activities.

What are the benefits of BYOD?

A better user experience that leads to increased productivity is the best reason to embrace BYOD. Users have already selected devices that suit their way of interacting with technology and they’re comfortable with their devices. They don’t need to be trained, so they can get right to work without the need for instructional technology. They know the capabilities of their devices, so they can use them fluently to complete their tasks quickly. And no one has to experience the frustration of using a device they don’t understand or don’t like, which improves morale and boosts performance.

Most users eagerly upgrade their personal devices when new versions are released, and with their new devices they get new capabilities. They’ve already been primed to use the fresh features by an onslaught of television commercials showing their benefits, and users will typically incorporate those benefits into their workflows with no friction at all. Innovations that might be received with frustration in the corporate environment are embraced more readily on personal devices — perhaps because users are accustomed to adapting to upgraded phones and tablets, but more likely because the designers of mobile experiences are extremely good at making new experiences feel intuitive. The result is that innovative technologies are pushed into the hands of employees with literally no effort whatsoever from employers.

BYOD is often said to offer a significant cost benefit, but just how significant that savings will be varies. According to Wired Magazine, most organizations report a savings of around $300 per BYOD user per year, which is trivial for a small company but meaningful for a mid-sized business or enterprise with a workforce of hundreds or thousands.

What are the risks of BYOD?

As all security professionals know, an organization’s greatest vulnerability is its users. Allowing users to connect to the company network with personal devices that are not governed by the organization and that mingle employees’ personal data with company data is risky. In addition, there is no way to control an employee-owned device if it is lost or stolen, and there is no way to know whether a logged-on user is the credentialed employee or the credentialed employee’s friend or relative.

App security is a great concern because IT cannot know what apps are installed on the BYOD device. Almost every app uses some open source code, which is not inherently dangerous — but if the app developer doesn’t pay attention to news about newly discovered vulnerabilities in the open source code and take appropriate steps to secure the app, there is a problem. And that is the norm. Developers usually incorporate the open source code once and never think about it again as they move on to adding other features.

Another issue with apps on BYOD devices is excessive mobile permissions. Many apps are greedy in requesting unnecessary permissions. This may be because the developers are thinking ahead to a feature they expect to build in an upcoming quarter, or because the developers do not understand what they are asking for, or because they have malicious intent. There is no way to know, but the risk is the same in all cases: a potential breach of corporate data. Users need to understand the level of access they are providing to the apps they download, and they need to make sure others who borrow their personal devices understand access levels as well. If the user is lending their device to their children, there is really no way to trust that those children will deny inappropriate permission requests.

The networks on which the BYOD device is used can introduce risk. Home Wi-Fi networks do not have the same security controls as corporate networks. Neither do the public networks at coffee shops, stores and other places from which remote workers are likely to access the corporate network. Companies need to assume employees will access sensitive data through insecure home or public networks and take necessary steps to hunt for intrusions from a greater number of entry points.

When a corporate device is reported lost or stolen, the IT department can brick it so it is unusable. When a personal device is lost or stolen, that isn’t possible. And while the IT department can block access to the corporate VPN or apps, that doesn’t guarantee a bad actor won’t be able to use vulnerabilities elsewhere in the device, such as an insecure app, as a means to gain information that can be leveraged to breach the corporate network.

There is also no way to ensure that each user installs all operating system updates and does not store corporate files on the device. And if an employee is fired or resigns, there is no way to delete company data they have downloaded to the device.

If a BYOD device is “jail-broken,” it has no restrictions on what the user can do with it. Other terms for jail-breaking are privilege escalation and rooting, which are both ways of saying the user can make changes to the operating system and remove built-in restrictions. For instance, a user can employ a jail-broken phone as a Wi-Fi hotspot that other devices can connect through. A jail-broken device lacks the protections its manufacturer has incorporated to prevent the use of unapproved apps and the injection of malware. An organization can exclude jail-broken devices from its BYOD program, but there are good reasons to avoid this measure. For one, jail-breakers tend to be power users, and in a competitive job market, it may not be wise to exclude the type of people who are passionate enough about technology to jail-break their phones. There is more risk from ordinary users who download sketchy apps, use weak passwords, reuse passwords, and lend their logged-in devices to relatives or friends than there is from the small number of jail-breakers.

Compliance has to be considered as well. BYOD devices that touch regulated data are considered part of the company’s responsibility, even though there is no way to ensure that a BYOD user is not sharing sensitive data with unauthorized people.

And while there are many strong business cases for the use of BYOD, one caveat is to be sure that BYOD does not hamper innovation. If a company avoids the chance to try a groundbreaking technology because it is not confident it can do so in a BYOD environment without losing data or degrading interoperability capabilities, it is missing an opportunity to evolve.

What should be included in a BYOD policy?

There is no template for a BYOD policy that will work for all businesses. Each unique organization must forge its own path. Start by seeking input from a range of departments to understand how different groups of users will perform work on their mobile devices, and from there extrapolate what the policy must cover. Expect to implement the policy in stages and to conduct a practice of continuous improvement that is guided by the need for flexibility, security and employee support.

A BYOD security policy must be endpoint-independent so it can serve new and emerging devices and platforms. Otherwise, the security team will be forced to constantly revise the policy, which in turn will make enforcement difficult. In most cases, there should be a different BYOD policy for FTEs, contractors and temps.

Not all devices are suitable for a BYOD program, such as obsolete devices or those using outdated operating systems. Specify what is allowed, what will be maintained by the company, and what the user is responsible for maintaining.

Expressly encourage multifactor authentication (MFA). Modern smartphones will require this security feature by default, but put it in the security policy so users who have turned off their lock screens or taken other steps to avoid MFA know that its use is a condition of BYOD.

The policy should be clear on who owns which data on the device and whose phone number the data is associated with. State what happens to data if the mobile device user leaves the company. And lastly, be sure to have a thoughtful privacy policy that protects not only the company, but the user as well.