BYOD stands for Bring Your Own Device (to work) and refers to employee-owned devices being used to conduct business on behalf of the employer. BYOD became a popular trend several years ago and, like many technologies, its adoption was accelerated by the pandemic.
BYOD has several advantages including keeping costs low (for the employer) and keeping employees happy because they can use a device that they feel more comfortable with (like a super-cool MacBook or that Dell laptop with a giant screen, green-LED keyboard and alien head sticker).
Before allowing employees to use their own devices to conduct official business, business owners and managers should be aware of the potential risks. Organizations that require high security standards should avoid BYOD altogether, and those with a higher risk tolerance should still plan carefully to avoid the common issues described below.
In an age where hacking is so prevalent that it no longer makes the news (save some really big hacks), security is paramount. Bringing employee-owned devices onto the network has security implications because you cannot impose the same constraints on devices you don’t own. Employees are free to use their BYOD devices to visit any website, install any application and even jailbreak or root their own smartphones. This creates opportunities for malware infection, and an infected device connected to the corporate network can then be used to attack other systems from inside the network and spread malware internally.
A jailbroken or otherwise compromised phone also exposes the employee’s corporate mailbox and saved credentials, which is the foothold an attacker needs for business email compromise (BEC), one of cyber crime’s most prolific money-making scams, typically ending in fraudulent bank wire transfers.
Bad actors can also view, copy, delete and encrypt data on any BYOD device that is compromised by a remote access trojan (RAT), and use the device as a staging area inside the organization’s network.
Compliance and Privacy
Certain industries operate under strict compliance frameworks such as HIPAA, FISMA and PCI DSS. Even without regulation, the same issues that affect regulated businesses can become nightmares for non-regulated ones: the fines may not apply, but the economic fallout still does.
Modern computers and devices often sync with cloud storage services such as iCloud and Google Drive. Organizations may not want their files, photos, databases, financial information and other data to end up in employees’ personal cloud accounts, where the security, retention and disposal of that data are outside the organization’s control.
Employees who leave the organization retain the synced copies of that data, and the data is governed by the cloud provider’s terms of service rather than by any agreement with the organization, so ownership rights and privacy may not be guaranteed.
Privacy is also a concern, since a BYOD device is often shared with several family members who may, intentionally or not, have access to and view the organization’s sensitive data. BYOD devices are also taken to third-party repair shops, where technicians may be able to view and copy the organization’s data stored on the device’s drive, especially if the drive is not encrypted.
Finally, a BYOD device cannot be returned to the organization, and unless it was enrolled in remote management beforehand it cannot be wiped or locked when an employee is terminated, making the retention, transfer and security of data stored on the device nearly impossible to guarantee.
Lack of Policy Enforcement
Unlike organization-owned devices, security policies cannot be pushed to a BYOD device unless the employee agrees to enroll it in the organization’s management tooling. This leaves users free to choose a weak password (or no password), run outdated or non-existent anti-virus software, skip operating system updates and commit other security gaffes that policy constraints would otherwise prevent.
Higher Long-Term Cost
Although BYOD can save your organization money initially, the long-term effect may be negligible. The cost savings are debatable because employees may ask the employer to repair or replace a BYOD device since it is used for business, and repairing an iMac costs a lot more than repairing a Dell or HP laptop.
The absence of constraints can also lead to employees spending more time on non-work-related tasks, eroding productivity and negating any initial savings in capital expenditure. There is a reason business computers are dull and boring: they are for business. Lacking an app store, pre-loaded games and unrestricted web browsing, business PCs may be boring, but they do not entertain or distract your employees from work.
Legal Hold and Discovery
Data that is created, stored, forwarded or modified on a BYOD device is subject to legal hold and discovery. The Federal Rules of Civil Procedure (FRCP) require a party to litigation to preserve and produce electronically stored information (ESI) in its possession, custody or control. This means that if you are the target of regulatory or legal action, your employees’ BYOD devices are not exempt. Needless to say, having employees’ personal and business data commingled on a device that is subject to hold and discovery will not fare well: employee privacy may be compromised if the device is searched, imaged or seized on account of legal action against the organization.