The ‘Bring-Your-Own-Device’ (or, BYOD) policy is increasingly being implemented in workplaces around the globe. A recent report showed that nearly 3 out of every 4 businesses worldwide either already practise BYOD policies, or have plans to implement them in the foreseeable future. Considering the many benefits of BYOD (productivity enhancement, lower costs, better mobility, etc.) – the rapid growth of this policy does not seem particularly surprising. The overall size of the BYOD market will swell to $181.4 billion by the end of this year.
While much has already been documented about the merits of implementing BYOD at workplaces, it is vital to not lose sight of the risks and potential problems with this policy. According to the heads of 78% of firms around the world, security is the biggest point of concern with BYOD. In what follows, we will put the spotlight on some such probable BYOD risks:
1. Latest security patches and updates not being installed
There is no guarantee that all employees would actually have updated security patches and fixes on their devices. Smartphones and tablets with outdated software are more vulnerable to hack attacks – which can compromise the confidentiality of valuable corporate data. The problem is compounded for Android handsets – since the availability of the latest security updates depends on the OEMs and carriers on this platform. Unless employers can make sure that all the devices brought in by workers have the necessary ‘protections’, problems can always crop up.
Note: Companies need to have a policy that makes it mandatory for employees to regularly update the firewall/antivirus on their devices.
2. Malware applications
It is next to impossible for organizations to keep tabs on the different types of mobile apps that employees choose to install on their handsets. Hackers can easily create applications with malware – and when people install them (often, app permissions are allowed without checking the details carefully), all official data present in the device gets exposed. In fact, such spyware apps can even be used by third-party agents to access servers and ‘steal’ important data stored therein. It is extremely important for businesses to have a proper ‘Mobile Application Management’ (MAM) standard in place – to minimize the chance of such risks (downloads from third-party app stores should be banned). The IT departments can also blacklist each and every suspicious app.
3. The problem of stolen devices
On average, close to 70 million smartphones are misplaced or lost by users. Of more relevance to our current discussion is the stat that nearly 4.5% of all smartphones issued by organizations to their employees are stolen every year – with almost 52% of such cases happening at the workplace itself. Now, every stolen device poses a security risk – since all the data stored in it can be accessed/used/manipulated by the perpetrator. While there are tools to remotely wipe off data from stolen devices, an Osterman Research report revealed that this is possible in less than 25% of all such lost smartphones.
Note: Most employees do not protect their devices with passwords/passcodes. That makes ‘data stealing’ that much easier.
4. Using unsecured wifi access points
Many personal devices are set up to connect to any open wifi network available. While organizations with BYOD policies, of course, have secure access points for employee handsets – connecting to other open wifi networks (at public places, hotels, restaurants, etc.) can be dangerous. Experts advise caution while using unsecured wifi at home as well. Using a malicious wifi network can lead to official tasks becoming visible to hackers (i.e., the network visibility can be unnecessarily increased) – and chances of ‘man-in-the-middle’ attacks become higher. To work around this risk, companies should make it compulsory for employees to use a virtual private network (VPN) while interacting with any official data on their personal handsets.
5. Devices of departing workers
Employees can leave a company at any time – and rather alarmingly, most BYOD-following companies do not have clearly-defined policies for such employees. As a result, sensitive corporate information remains in their devices – and that can easily fall into the wrong hands. The risk of such ‘data leakage’ is even greater when a person is terminated and leaves on unpleasant terms (since (s)he can deliberately give out the information to competitor firms). While it might not be practically feasible to ask employees who are leaving to wipe all data from their devices – at least business-related apps and files need to be erased. Once a person is no longer a part of a company, (s)he should not have access to any internal information of the latter.
6. Jailbroken or rooted devices
Many iDevice-owners jailbreak their handheld devices (China leads the way regarding jailbroken iPhones). On the other hand, close to 28% of all Android phones are ‘rooted’ by their users. When such jailbroken/rooted devices are brought under the BYOD-fold, they can ‘open up’ entire databases – providing a convenient entry point for hackers and cyber criminals. Native security restrictions become invalid, and users (with their administrator-level rights) might unknowingly install external malware applications. Prior to registering any device for corporate use, the IT security staff should ensure that it has not been jailbroken or rooted.
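The pre-registration checks from points 1, 2, 3 and 6 (patch age, blacklisted or third-party apps, missing passcode, jailbroken/rooted state) can be combined into one enrollment gate. The sketch below is an added example, not part of the original article; the record fields, the 90-day threshold and the sample devices are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from datetime import date

# Hypothetical policy values; set these from your own BYOD policy.
MAX_PATCH_AGE_DAYS = 90
BLOCKED_APPS = {"com.example.flashlight.free"}   # constructed package name
TRUSTED_INSTALLERS = {"com.android.vending"}     # Google Play's installer package

@dataclass
class Device:
    """Posture record as an MDM agent might report it (field names are assumptions)."""
    owner: str
    security_patch: date           # date of the installed security patch level
    passcode_set: bool
    rooted_or_jailbroken: bool
    apps: dict = field(default_factory=dict)   # package name -> installer source

def enrollment_findings(dev, today):
    """Return the list of policy violations that should block enrollment."""
    findings = []
    age = (today - dev.security_patch).days
    if age > MAX_PATCH_AGE_DAYS:
        findings.append(f"security patch level is {age} days old")
    if not dev.passcode_set:
        findings.append("no passcode/password set")
    if dev.rooted_or_jailbroken:
        findings.append("device is rooted or jailbroken")
    for pkg, installer in sorted(dev.apps.items()):
        if pkg in BLOCKED_APPS:
            findings.append(f"blacklisted app installed: {pkg}")
        elif installer not in TRUSTED_INSTALLERS:
            findings.append(f"app from third-party source: {pkg} ({installer})")
    return findings

def may_enroll(dev, today):
    """A device is admitted only when it has no findings at all."""
    return not enrollment_findings(dev, today)

# Constructed sample data: one compliant device, one failing every check.
TODAY = date(2024, 6, 1)
SAMPLE = [
    Device("alice", date(2024, 5, 5), True, False,
           {"com.example.mail": "com.android.vending"}),
    Device("bob", date(2023, 11, 1), False, True,
           {"com.example.flashlight.free": "com.android.vending",
            "com.example.game": "unknown"}),
]

if __name__ == "__main__":
    for d in SAMPLE:
        print(d.owner, "OK" if may_enroll(d, TODAY) else enrollment_findings(d, TODAY))
```

The rooted/jailbroken flag is only as trustworthy as its source: a value self-reported by an agent on a compromised device can be falsified, so a platform attestation verdict is the better input where one is available.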
7. Loss of control over data movements
In 2016, close to 87% of businesses across the world faced cyber security threats in some form or the other (as per a Bitglass report). Since enterprises typically use both mobile storage and cloud storage for data transmission and maintenance – it becomes difficult after a point in time to keep track of the status of any particular information (i.e., data movements). There are third-party tools that can perform this task – but their reliability remains an issue. As SaaS standards are becoming more advanced and reliance on cloud services is increasing, risks of data stealing (through ‘phishing’ and similar attacks), ‘data loss’ and lack of compliance are going up too. A whopping 90%+ of organizations have serious concerns over cloud security.
Note: Last year, there was a three-fold increase in ransomware attacks on organizations.
8. Lack of reimbursements to employees
In a bid to minimize overall operating expenses, many companies stay away from providing full reimbursements to their employees (to cover BYOD costs). According to a Tech Pro Research report, 18% of respondents receive a monthly stipend – while a measly 7%-8% of employees actually receive full reimbursements. That, in turn, retains the ‘personal’ nature of the devices, with employees feeling greater freedom to use their favourite apps and games. Gaming, in particular, on a registered device (using the corporate network) can put additional bandwidth and storage pressure on the network. Productivity levels can also be hampered if workers access social media sites or play games or chat on IM applications on their devices (using up available data resources as well).
9. Line between personal device and company device being blurred
With BYOD policies evolving over time, it is becoming increasingly difficult to demarcate between personal usage and official usage of a device. Employees are unlikely to react well to a ‘big brother’ attitude from organizations (i.e., full restrictions on the apps and activities permissible on devices). At any time, a company might feel the need to remotely wipe off the data on a device – and personal data might also get erased. If there are any glitches in the endpoint security standards of the BYOD policy and infrastructure, problems are likely to happen.
Note: Employees can also access/download malicious unauthorized content on their devices, particularly since data restrictions are (at most organizations with BYOD) minimal.
10. Role of tech departments
8 out of every 10 employees feel that personal smartphones will have larger roles to play in workplaces in the near future. In such a scenario, the importance of maintaining diligent mobile device management (MDM) becomes immense – and the responsibility of ensuring compliance lies with the tech/IT departments of organizations. The stats, however, paint a contradictory picture. Close to 18% of workers report that they use personal handheld devices for office work – without the respective IT departments even being aware of it. More alarmingly, over 28% of tech departments prefer to gloss over active BYOD in workplaces. There is clearly a lack of surveillance – and that is increasing the vulnerabilities of BYOD in practice.
11. Violation of network policies
Even if a company has a clear network access/usage policy – controlling which devices can access it – security threats remain. For the tech-savvy employees, it is fairly easy to use an alternative mechanism (generally in the form of third-party mobile apps) to access corporate databases, without the permission of the authorities. In the absence of set parameters (to monitor data access), confidential information can fall in the hands of unauthorized individuals. Network policies that are applicable only on wired LAN systems are not adequate for companies that allow BYOD.
12. Probable increase in costs
One of the key drivers behind the growing popularity of BYOD is the chance of lowering overall costs. However, this advantage can very well be nullified – if large expenses become necessary for managing the different types of employee devices that are being used for corporate tasks. There is also the chance of an employee leaving AFTER the organization has spent money to provide him/her with a device and associated service plan(s). In such cases, the concerned organization ends up with sunk costs – which can be considerable.
BYOD allows employees to be ‘always on’, and provides an additional layer of flexibility to the working pattern of workers. The higher productivity levels achieved should also lead to greater employee-satisfaction. As discussed above, the policy has its fair share of risks and security threats – but fortunately, most of these problems can be effectively tackled. Organizations need to form and implement a thorough security policy and provide adequate training to workers – before granting the permission for BYOD. It is a dynamic, future-oriented technology and it is set to become mainstream in workplaces worldwide. The onus is on the users to make sure that BYOD does not, in any way, put corporate information in danger.