Prior to the COVID-19 pandemic, bring-your-own-device (BYOD) internal controls and data protection policies ranked fairly low on most priority lists. While many companies had BYOD programs, they often applied to only a small subset of employees and contractors. Then the pandemic forced organizations to expand their remote-work programs at an unprecedented, emergency-level rate. The result was that BYOD became a standard operating practice across the enterprise, one that requires robust internal controls and safeguards for data protection and governance.
IT security professionals are deeply concerned about the cybersecurity implications. Sixty-seven percent of respondents to a recent survey by the Ponemon Institute and Keeper Security reported that use of their own mobile devices by remote workers has negatively impacted their organizations’ security posture and 55 percent say smartphones represent the most vulnerable endpoint at their organizations.
As the line between personal and work devices increasingly blurs, organizations must strike a balance between protecting organizational security and respecting employee privacy. Mandating policies and governing controls on BYOD devices is inherently challenging because these devices are used to access and process sensitive company information. Even if an organization had robust BYOD security policies prior to the pandemic, it’s time to reevaluate and update them to reflect the expansion of BYOD across the enterprise and to address the specific challenges of BYOD security in distributed, remote-work environments.
Here are five steps that organizations should take to ensure that their BYOD security protocols reflect the new remote work reality:
Adopt a Zero Trust security model.
If organizations are not yet using a Zero Trust security model, they need to implement one immediately. Zero Trust has become essential not only for BYOD security, but remote work security as a whole. In a Zero Trust environment, no users, devices, or apps are trusted by default. Every time a user, device, or app requests access to organizational resources, it must get authenticated, authorized within policy constraints, and inspected for anomalies before access is granted.
Establish clear, written security policies for BYOD.
A good BYOD policy clearly spells out organizational expectations and employee responsibilities. Areas the policy should address include:
- Acceptable use.
- Any rights the organization may have to alter the device, such as the ability to remotely disable or wipe a stolen device.
- Security controls, such as password security procedures, the use of encryption for stored data, and VPN usage.
- Requirements that the employee install certain security apps, such as anti-virus packages or mobile device management (MDM) solutions.
The policy should also inform employees what to do in the event their device becomes lost or stolen.
Create strong security controls for BYOD.
While specific security controls vary depending on individual organizational needs, at a minimum:
- Require employees to exercise good password security practices, including the use of strong, unique passwords, multi-factor authentication (MFA), and a password manager.
- Restrict employees from using rooted devices to access organizational resources. A rooted device (also known as a “jailbroken” device) is an Android phone or tablet that has been unlocked to install unapproved apps, delete unwanted apps, underclock or overclock the processor, or perform other customizations.
- Prohibit employees from storing organizational data on their personal devices. Doing so violates certain compliance requirements, and it puts the organization at risk should the device become lost or stolen. About 70 million smartphones are stolen annually, and only 7 percent are recovered.
- Require employees to enroll BYOD devices for mobile device management.
Implement a mobile device management solution.
MDM products work towards Zero Trust security by helping organizations ensure that only compliant, trusted devices and apps can access enterprise systems and data. While the exact features vary by vendor, robust MDM solutions offer IT administrators visibility into mobile device health and compliance and the ability to enforce controls, such as blocking copy/paste or download/transfer within enterprise apps to ensure that business data cannot be downloaded to the employee’s device.
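To make the Zero Trust model, the minimum BYOD controls and the MDM enforcement described above concrete, here is an added example (not code from the article or from Keeper Security) of a small access-policy evaluator: every request is checked for MFA, MDM enrollment, rooted status and storage encryption, a compliant but previously unseen device is treated as an anomaly that requires step-up verification, and a granted session carries download and copy/paste restrictions so data is not stored on the device. The device attributes, the known-device baseline and the constraint names are assumptions for illustration.

```python
from dataclasses import dataclass


@dataclass
class DevicePosture:
    device_id: str
    mdm_enrolled: bool       # enrolled in the mobile device management solution
    rooted: bool             # rooted/jailbroken devices may not access resources
    storage_encrypted: bool  # encryption for stored data, as the written policy requires


@dataclass
class AccessRequest:
    user: str
    device: DevicePosture
    mfa_verified: bool       # strong password plus MFA completed for this session
    resource: str


# Constructed baseline (assumption): devices each user has previously enrolled.
KNOWN_DEVICES = {"alice": {"phone-a1"}, "bob": set()}

# Data-handling constraints applied to every granted session (assumed names):
# organizational data is viewed in managed apps, never downloaded to the device.
MANAGED_SESSION = {"download": False, "copy_paste": False}


def evaluate(req: AccessRequest, known_devices=KNOWN_DEVICES):
    """Return (decision, reasons, constraints) for one access request.
    Nothing is trusted by default: every check runs on every request."""
    reasons = []
    if not req.mfa_verified:
        reasons.append("multi-factor authentication not completed")
    if not req.device.mdm_enrolled:
        reasons.append("device not enrolled in MDM")
    if req.device.rooted:
        reasons.append("rooted/jailbroken device")
    if not req.device.storage_encrypted:
        reasons.append("device storage not encrypted")
    if reasons:
        return "deny", reasons, {}
    # Anomaly inspection: a compliant device never seen for this user still
    # requires step-up verification before the session is granted.
    if req.device.device_id not in known_devices.get(req.user, set()):
        return "step_up", ["device not previously seen for this user"], {}
    return "allow", [], dict(MANAGED_SESSION)


if __name__ == "__main__":
    phone = DevicePosture("phone-a1", True, False, True)
    print(evaluate(AccessRequest("alice", phone, True, "crm")))
```

A real deployment would source the posture fields from the MDM's compliance API and the baseline from an identity provider rather than from in-memory dictionaries.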
Train employees about remote-work security risks and procedures.
Many remote workers are unaware of how to translate in-office cybersecurity best practices to home office environments, yet more than half of respondents to the Ponemon Institute survey report that their organizations had not educated their workforces about remote-work security risks. Even the most comprehensive BYOD security policies will fall flat if employees don’t understand the risks they face or aren’t properly trained on the required procedures.
Once the COVID-19 pandemic has subsided, organizations that proactively address the security implications of remote work and BYOD are positioned to capitalize on the benefits, including reduced costs, flexibility, and enhanced employee productivity and satisfaction.
Darren Guccione, co-founder and CEO, Keeper Security