The BYOD Model Has Changed — and So Must BYOD Security

The term BYOD, or “bring your own device”, first came into common usage about a decade ago to describe the use of personal computing devices for work purposes. Today, in the wake of a global pandemic that forced companies to abruptly shift to a remote work model, more people than ever are “bringing” their own devices.

BYOD was initially a novelty — one of the earliest forms of shadow IT. As personal computing devices — especially smartphones — increased in number, use, and usefulness, the BYOD model likewise expanded. Before too long, some companies not only accepted the trend, but welcomed it: The BYOD model can reduce capital expenditures, and, in many cases, employees’ personal devices are more powerful and up to date than what companies can offer. Most recently, the ability for employees to use their own devices enabled organizations to quickly shift to a work-from-home model — and, in many cases, to stay in business, especially in the early days of the pandemic.

However, the expansion of BYOD has also expanded companies’ attack surface, and the BYOD model brings with it a set of unique security challenges. 

BYOD Security Challenges

According to the “2022 Verizon Data Breach Investigations Report”, the main ways in which organizations are exposed to the Internet are the same ways they are exposed to attack. These vulnerabilities increase in size and scope due to technology misconfiguration and misuse.[1]

And that’s the issue with employee-owned devices: They cannot be controlled to the extent that corporate-owned devices can. “Enabling BYOD capabilities in the enterprise introduces new cybersecurity risks to organizations,” according to the “Mobile Device Security: Bring Your Own Device” report from the U.S. National Institute of Standards and Technology’s National Cybersecurity Center of Excellence.[2]

The report adds that it can be difficult to secure user-owned devices because of the unique risks that BYOD deployments impose. According to the U.K.’s National Cyber Security Centre’s “Device Security Guidance” report, organizations face several BYOD security challenges, including:[3]

• Ensuring that personally owned devices and their owners comply with company policies and procedures
• Increasing support for a wide range of device types and operating systems
• Protecting corporate data
• Protecting corporate IT infrastructure
• Protecting the personal privacy of the end-user/device owner
• Ensuring legal compliance and meeting contractual obligations

How effective organizations are in addressing these and other challenges depends on two key factors, according to the report: how thoroughly a user’s device can be managed and how well usability and security have been balanced.

The Importance of BYOD Security

How important is BYOD security? Put simply, BYOD security couldn’t be more important, especially considering the role that people (and their devices) play in data breaches. According to the Data Breach Investigations Report, more than 80% of breaches involved the human element. “Whether it is the use of stolen credentials, phishing, misuse or simply an error, people continue to play a very large role in incidents and breaches alike,” states the report.

In fact, the National Cyber Security Centre recommends that organizations limit the corporate functions that can be accessed by user-owned devices, developing a subset of capabilities based on need and risk. 

“While BYOD can be used for some corporate functions, there will almost certainly be aspects of corporate data and resources that need to be kept within fully managed environments,” states the Centre. “You should manage expectations for all parties involved as, for many workers, they will not be able to completely replicate their corporate environment on a personal device. Instead, they may have access to a subset of applications and resources, the levels of which will be dependent upon the risk appetite of your organization.”

And that appetite for risk may be shrinking, given the current threat landscape. According to Mimecast’s State of Email Security 2022 (SOES 2022) report, last year appears to have been the worst year on record for cybersecurity. The biggest culprit, according to the report, was phishing. Thirty-six percent of data breaches were due, at least in part, to employee credentials stolen through a phishing attack, with almost 100% of those attacks occurring through email. 

And, with the increase in the use of email due to the pandemic and the shift to hybrid work (a shift that appears to be permanent), companies are more vulnerable than ever.[4]

There are several products that can be used alone or together to help secure user-owned devices, including mobile device management and mobile application management systems. With the significant risks that email presents, companies also should consider secure email systems that can defend against sophisticated email-based attacks. Email archiving services are also critical, enabling administrators to apply retention policies to email sent via mobile devices.

BYOD Practices Companies Should Adopt

The SOES 2022 report notes that in the last 12 months email usage has increased in eight of 10 organizations. At the same time, 96% of companies report that they have been the target of an email-related phishing attempt. With email being one of the most widely used applications on personally owned devices, especially smartphones, it’s critical to connect those dots with products and processes aimed squarely at protecting organizations’ email systems.

This is especially important given end-users’ understanding (or lack thereof) of current security challenges and safeguards. In fact, when respondents to the SOES 2022 survey were asked what they expected to be their biggest security challenges in the coming year, 40% named employee naivete. And, when asked to name the worst security mistakes made by their organization’s employees, respondents named poor password hygiene, misuse of personal email, and use of collaboration tools more than any other issues.

Organizations must address each and every one of these weak spots, and some are doing so by taking a zero-trust approach to security (up to and including the federal government, as outlined in the Biden Administration’s Executive Order on Improving the Nation’s Cybersecurity).[5]

According to Gartner, zero trust “describes an approach where implicit trust is removed from all computing infrastructure. Instead, trust levels are explicitly and continuously calculated and adapted to allow just-in-time, just-enough access to enterprise resources.” Gartner notes that it might not be possible to achieve a complete zero trust security posture, but that the model can be applied to specific initiatives.[6] 

Zero trust could be applied as a BYOD best practice, for example, to help companies fight the rising email threat. Mimecast notes that “the application of a zero trust model to email security is especially important since it is this trust that hackers seek to exploit.”

Shifting BYOD Security Risks

The risks associated with BYOD in 2010 were very different from the risks associated with BYOD in 2022. Organizations never could have foreseen just how different; nor can they predict the future.

For example, while cyberattacks have increased in scope, number, and sophistication, so, too, has data — across thousands of apps and cloud services. There is no one product or even platform that can ensure security in such as complex environment, which is why some technology providers are partnering to combine best-of-breed systems into solutions that provide end-to-end protection.

Mimecast, for example, is partnering with Netskope and Crowdstrike to provide email gateway, endpoint protection, and secure web gateway, respectively, to achieve stronger layered protection and avoid the added risks of the inherent security monoculture of a single-provider solution.

With that said, people are the biggest BYOD risks, which is why security awareness training must be at the heart of any BYOD security policy or plan. 

Indeed, the SOES 2022 report notes that while more than 90% of security breaches involve some degree of human error, the blame isn’t necessarily on the people who committed those errors because it’s highly likely that they weren’t properly prepared to deal with an attack. This is especially true for users working from home, most likely on their personally owned devices. 

Effective security training is much more than a one-off video followed by a test to prove that the training was “completed”. In fact, security awareness training is never completed. Organizations must offer their employees purposeful, engaging, and timely training to successfully reduce risk. Mimecast notes that effective end-user security awareness training must be:

• Persistent
• Delivered regularly in small doses
• Scheduled to fit into employees’ lives
• Positive

How to Define a BYOD Security Policy

As “bringing your own device” has become more commonplace, especially with the shift to remote work in 2020, users and companies alike may be less stringent about security measures. In fact, in a 2020 Ponemon Institute study, “Cybersecurity in the Remote Work Era: A Global Risk Report”, 67% of respondents said BYOD has actually decreased organizations’ security posture.[7] 

To combat the rise in phishing and business email compromise that go along with a rise in BYOD, organizations should consider revisiting — or developing from scratch — a specific BYOD security policy.

BYOD security policies will differ depending on company size, industry, and other factors. For example, a BYOD security policy for an organization in the healthcare industry would likely be much stricter than a BYOD security policy for an organization in, say, marketing and public relations. In general, though, your BYOD security policy should:

• Determine which types of user-owned devices — and operating systems — will be supported. Consider obvious devices, such as smartphones and laptops, as well as the not-so-obvious devices, such as smartwatches and VR headsets. When it comes to operating systems, be sure to specify which versions the organization will support.
• Determine which corporate applications and assets employees are and are not permitted to access from their personal devices.
• Specify security requirements. A BYOD policy should determine which security protections must be in place for a device to be used to access corporate networks, applications, and assets. For example, the policy could mandate that multifactor authentication be implemented or that encryption be enabled.  
• Determine the extent to which IT can manage and support user-owned devices, including whether a device can be remotely wiped if it is lost or stolen.
• Address the ownership of data stored on employee-owned devices, and whether employees can store corporate data on personally owned devices.
• Address the process for handling personally owned devices when the device owner leaves the organization.

The Bottom Line

BYOD has changed since the model first took hold, especially with the recent rise of remote work. The use of personally owned devices for work benefits organizations in many ways, but it also increases security risk. Organizations must consider technology, policy, and ongoing end user training when developing or refining their strategy to reduce BYOD risks.

[1] “2022 Verizon Data Breach Investigations Report,” Verizon

[2] “Mobile Device Security: Bring Your Own Device,” National Cybersecurity Center of Excellence, NIST

[3] “Device Security Guidance,” UK National Cyber Security Centre

[4] “State and Local Governments Turn to Normalizing the ‘New Normal’ Workplace,” GCN

[5] “Executive Order on Improving the Nation’s Cybersecurity,” The White House

[6] “New to Zero Trust Security? Start Here,” Gartner

[7] “Cybersecurity in the Remote Work Era: A Global Risk Report,” Ponemon Institute