Oct 4, 2021
What To Know About BYOD and Cybersecurity
Bring-your-own-device (BYOD) policies are becoming not just an option but, in many cases, a necessity because of remote and work-from-home scenarios. BYOD is an increasing priority for IT admins who need to give employees secure access to the resources they need to do their jobs.
Zero-trust architecture is one way to maintain network security under a BYOD policy, but there are other things to keep in mind as well. The following are things to know about BYOD policies in general and their cybersecurity implications.
BYOD policies
Under a BYOD IT policy, employees aren’t just permitted but are sometimes encouraged to use their own devices to access systems and data. Devices can include laptops, smartphones, and tablets.
There are four general options for provisioning access levels when employees use their own devices:
- Unlimited access from their personal devices.
- Access only to non-sensitive data and systems from their devices.
- Access, but with IT control over the devices.
- Access, but with local data storage on the devices prevented.
There are significant benefits to a BYOD policy for many employers because it can promote productivity while keeping risk managed. Many employees also prefer it: they can choose the devices they’re most comfortable using, and because they already know how to use them, they are more likely to be productive. This can also help with buy-in on new technology.
BYOD policies can cut costs for your business and alleviate pressure on the IT budget. Alongside these upsides, however, there are potential risks.
Risks of Letting Employees Use Their Own Devices
When your employees use their own devices for both work and their personal lives, the most considerable risk is that the arrangement creates cybersecurity vulnerabilities.
Those security threats have to be managed appropriately, which creates more work for your IT department. Things become increasingly complex for them, and most IT departments are already stretched thin.
Specific risks of BYOD include:
- Lost or stolen devices: Around 60% of network breaches are due to a device that’s lost or stolen. One missing device, if not adequately protected, could quite literally put your entire business at serious risk.
- Unsecured networks: People using their own devices may also be working remotely. Remote work means using public Wi-Fi, which isn’t secure and puts your data at risk. An estimated 40% of mobile devices used in a work capacity face attack exposure within the first four months of being utilized.
- Malicious apps: Many of the cybersecurity issues modern businesses face today relate to human error. One such error is downloading a malicious app onto a device used for work. Cybercriminals can use malicious apps to access the device and whatever is on it.
- Lack of BYOD policies: Many companies are still in the early phases of even allowing employees to use their own devices, so they might not have a specific policy in place. Even where a policy exists, it might be ambiguous, poorly understood, or not publicized to employees.
Implementing a BYOD policy
The following are general guidelines for creating and implementing a BYOD policy in a way that will work for your organization.
- Decide whether or not BYOD is even appropriate for your business. You need to think about the risks, and especially the cybersecurity risks. In regulated industries where compliance is a major issue, BYOD may not be an option at all.
- Have a policy before you start to integrate any systems. You might end up buying the wrong systems or cybersecurity tools if you don’t know your goals ahead of time. By mapping out your policy first, you’ll be able to identify potential weaknesses and proactively put in place the means of managing those.
- Identify the scope of acceptable devices. Not all devices may be an option.
- Figure out how you’re going to separate employees’ personal data from company data. You can use technology such as apps with two-factor authentication.
- Have a plan for training employees. Again, human error is a big reason for cybersecurity issues across the board, including within BYOD policies. You need to let your employees know what the threat landscape looks like, your expectations, and their role in securing company data.
- Work out the liability considerations you’ll have to keep in mind and the regulatory guidelines you have to adhere to. For example, will you have to prove that data is encrypted on employee devices?
Once you have a policy in place, you will need to monitor it regularly for compliance.
Zero-Trust in a BYOD environment
A zero-trust architecture can be helpful in a BYOD environment and likely represents the future for most organizations, especially at the enterprise level. Zero-trust architecture addresses connected mobile use, IoT devices, public cloud applications, and the increasing sophistication of hacking and malware attacks.
With zero trust, there is no trusted perimeter. Everything is treated as untrusted, including every device that tries to connect. In addition, every device and user receives least-privilege access, meaning they can access only what is needed to do their job and nothing more. The default stance of zero-trust architecture is that everything is a potential threat and every request must be verified before access is granted.
The traditional security model may have worked for on-premises businesses, relying on the assumption that everything inside the internal network could be trusted. Now, with so much happening off-premises and the proliferation of BYOD policies, zero trust makes considerably more sense.
Zero-trust architecture offers more visibility into internal traffic and can also apply context to access decisions. Without a zero-trust approach, once someone gains access to a network they can move around inside it and cause significant harm. Zero-trust architecture, on the other hand, addresses lateral movement with granular segmentation and perimeters.
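As an added example (not from the original article), here is how the per-request zero-trust decision described above can be expressed as a policy check that also encodes the four BYOD access options from the policy section. The resource catalogue, role names and device posture attributes are constructed for illustration.

```python
from dataclasses import dataclass
from enum import IntEnum

# Hypothetical zero-trust policy check for BYOD requests (added example).
# Every request is judged on its own: user entitlement (least privilege),
# device posture, and the BYOD access model chosen for personal devices.

class Sensitivity(IntEnum):
    PUBLIC = 1
    INTERNAL = 2
    CONFIDENTIAL = 3

# The four BYOD access models described in the article.
UNLIMITED, NON_SENSITIVE_ONLY, IT_CONTROLLED, NO_LOCAL_STORAGE = range(4)

@dataclass(frozen=True)
class Device:
    it_managed: bool      # enrolled in IT device management (constructed attribute)
    disk_encrypted: bool  # posture signals a device-management agent would report
    os_patched: bool

@dataclass(frozen=True)
class Request:
    roles: frozenset      # roles held by the authenticated user
    device: Device
    resource: str
    action: str           # "view" (no local copy) or "download" (local storage)

# Constructed catalogue: which roles may use each resource, and how sensitive it is.
RESOURCES = {
    "cafeteria-menu": (frozenset({"staff", "finance"}), Sensitivity.PUBLIC),
    "payroll-db":     (frozenset({"finance"}),          Sensitivity.CONFIDENTIAL),
}

def evaluate(req: Request, model: int) -> tuple:
    """Return (decision, reason). The default is deny: nothing is trusted implicitly."""
    if req.resource not in RESOURCES:
        return ("deny", "unknown resource")
    allowed_roles, sensitivity = RESOURCES[req.resource]
    if not req.roles & allowed_roles:
        return ("deny", "least privilege: role not entitled")
    if not (req.device.os_patched and req.device.disk_encrypted):
        return ("deny", "device posture check failed")
    if model == NON_SENSITIVE_ONLY and sensitivity > Sensitivity.PUBLIC:
        return ("deny", "policy allows non-sensitive data only on personal devices")
    if model == IT_CONTROLLED and not req.device.it_managed:
        return ("deny", "policy requires IT-managed devices")
    if model == NO_LOCAL_STORAGE and req.action == "download":
        return ("deny", "policy forbids local storage on personal devices")
    return ("allow", f"{req.action} {req.resource} ({sensitivity.name})")
```

In a real deployment the posture fields would be fed by the device-management agent and the decision logged for monitoring, which is what turns the written policy into something you can check for compliance.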