What is BYOD?

What is BYOD?

BYOD has become commonplace across various industries as more companies embrace a hybrid work model — i.e., when employees come into the office on some days and work from home on others. Rather than using a company-issued computer in the office and a personal device at home, BYOD to work is a feasible solution.

It’s easier for companies to allow employees to use their own devices at home, in the office or from any other location instead of providing them with such equipment. Personal laptops, smartphones, tablets and USB devices are now used for company purposes; those devices can access company networks for employees to complete their work.

Levels of BYOD

While the basics of BYOD to work sound easy to implement, BYOD has certain levels. Each pertains to the amount of security measures in place and the company information employees can access on their personal devices. In general, the more secure the organization or role an individual has, the less work that employee will be able to do on their own personal device.

Cybersecurity experts don’t always agree on the exact specifics of the various BYOD levels, but there are typically three. These levels, depending on the company, either become more or less secure as they ascend or descend. Here’s one perspective where the lower the level, the fewer work-related tasks you can complete on your own device.

• Level 1 policies are the most restrictive. Under these BYOD policies, employees are unlikely to be able to access certain data or files on their own devices. This level grants the least amount of access and usually only allows employees to use personal devices to check nonprivileged information, such as emails or calendars. Some organizations also use this level to refer to banning personal devices from accessing any organizational data.
• Level 2 policies attempt to strike a balance between restrictive policies and security. Under a level 2 policy, individuals can use their personal devices to access company resources. However, to offset the risk, companies require additional security measures like computer encryption. Organizations may also require protective actions from employees, like registering a device or installing specific device management software.
• Level 3 policies grant employees full access to data and corporate resources on their personal devices. This level doesn’t necessarily guarantee security measures are in place, so while it’s the easiest level for employees to access company information, it presents the greatest risk to the organization. This level is typically reserved for individuals or roles with pressing needs to access data or settings, such as executives or IT administrators.

BYOD benefits

Allowing employees to use their own devices for work purposes offers some major advantages for businesses.

Increased productivity

One of the first results you may notice after implementing a BYOD policy is a boost in productivity. Employees being able to access the company network from their smartphone or personal laptop removes the limitations of a 9-to-5 workday — letting them work at any time. Whether it’s checking email while on vacation or updating a presentation on the train ride home, team members are able to get work done outside the confines of the office. Thus, they may make more progress. [Read related article: Cybersecurity While Traveling — Tips & Tricks]

Reduced cost

Cost is another reason why many businesses have embraced BYOD. While companies previously had to pay for the hardware, software and service contracts for business-owned devices, BYOD policies shift those costs to the worker. The staffer is the one buying the phone or tablet, as well as the service contract that goes with it; this frees businesses from having to cover those expenses.

Recruitment appeal

BYOD policies can also help you attract new employees. Since many people prefer to use their own devices, businesses that give workers the ability to do so may have an advantage with job applicants.

BYOD drawbacks

While there are many reasons to favor BYOD, there also are reasons why you might want to think twice. The most pressing concerns involve the security and protection of valuable data.

Breach risk

The first drawback has to do with the sheer number of users and devices that are given access to a company network when allowing BYOD. If a network is open to all employees and their personal devices, the risk of a breach substantially increases.

By opening up their networks, employers are gambling that all employee-owned devices are free of viruses and other malware. Businesses with BYOD policies must have extra security measures in place to ensure their networks are free from cybercriminals who may target personal devices.

Data mishandling

The second concern is that giving employees access to important company information via their own devices increases the possibility that sensitive data could end up in the wrong hands. Once data leaves the protected confines of the company network, it could conceivably be seen or stolen by anyone. Also, should a device become lost or stolen, all of the data it holds may be compromised.

These security worries put a tremendous amount of pressure on IT departments to support the wide variety of devices employees are using; IT must ensure each one meets the organization’s security standards.

What to consider when employees use personal devices for remote work

When personal devices are allowed to access company networks, it makes security more challenging for IT departments. This is particularly true when the employees may be working remotely. Businesses with distributed workforces that use their own device need to keep the following in mind.

Security training

Personal devices tend to have less comprehensive security protections than company-issued devices. Therefore, it’s crucial for companies to educate employees on cybersecurity best practices; these include identifying phishing scams, avoiding spam links and not opening emails from unknown sources.

IT preparedness

Device infection, data leakage or loss, and mixing personal and work data are all issues that can arise in companies that have adopted BYOD policies. IT departments must be vigilant in protecting these personal devices. Installing antivirus software, using firewalls and exercising containerization are some ways companies can reduce the risk of cybersecurity incidents.

Device security

Gone are the days of companies keeping their assets safe simply by locking the office at the end of the day. BYOD policies, especially when combined with remote work, open up devices to additional risks of theft or misplacement. An employee losing their personal phone that only has access to calendar or email information still presents a risk: potentially helping cybercriminals learn of business meetings or employee email addresses. The risk significantly increases if that phone also has access to company data.

Businesses should consider mandating additional authentication methods for any BYOD mobile devices, including phones and laptops. For example, organizations may want to consider two-factor authentication or fingerprint scanning to ensure only the device owner is using it.

Safe browsing

An additional risk with personal devices is employees may interact with phishing emails or visit malicious websites that they would not otherwise view on work-issued devices. This is especially true when employees work remotely, as the lines between work and home are further blurred. If individuals conduct work on personal devices, organizations should take time to educate employees on safe browsing habits.

What to include in a BYOD policy

Companies that allow employees to use their own devices need to have a well-thought-out BYOD policy that governs how they can be used. These policies are designed to protect companies from numerous security concerns.

These are some aspects every effective BYOD policy should include.

• Devices: Spell out which specific devices and operating systems are allowed.
• Passwords: Require password protection on all devices. See our guide on how to create a strong password.
• Use: Determine which company functions — email, databases, etc. — employees can access from their devices.
• Applications: Ban any outside apps that cause extra security concerns.
• Two-factor authentication: Require at least two-factor authentication on all devices. This keeps hackers from impersonating users, as it requires employees to log in to company software through two methods rather than one.
• Reimbursement: Detail any device-related costs you might reimburse employees for.
• Training: Explain how you will update your employees on any security issues; also, host ongoing learning opportunities for anything related to BYOD.
• Device control: Make clear you will remove business data from employees’ devices if they leave the company.

After you draft your BYOD policy, require all employees to sign it and alert them any time you make a change to the policy.

Best BYOD practices

BYOD brings a lot of flexibility to the workplace. This can be a huge boon for companies and employees; however, unless instituted correctly, BYOD can also pose a significant security threat to organizations.

Organizations hoping to implement BYOD should follow these best practices for both employee and organizational safety.

• Begin with a comprehensive policy document. As outlined above, this document should clearly spell out what is expected from employees in terms of acceptable use of personal devices; it should also include steps to secure the devices and any employee responsibilities. The policy should also mention employer responsibilities or expectations regarding employees using their own personal devices.
• Perform frequent employee education and training. This is especially the case when it comes to acceptable device use, mobile device security threats and how BYOD may relate to other policies; the latter includes proper data handling. Training should also educate employers on matters like proper virtual private network (VPN) use when connecting to corporate resources and the dangers of connecting to public Wi-Fi.
• Audit user devices. As part of BYOD, organizations should have a clear and comprehensive catalog of all personal devices employees use. All devices should be registered with the company prior to use; also, team members should report to the organization when they change what device they use.
• Encourage users to keep their devices up to date. Maintain clear lines of communication about the importance of security updates and guide employees through any required ones. They should be instructed to implement security patches and bug fixes as necessary.
• Put in place security measures. Such measures include mandating VPN usage to connect to sensitive internal data or applications, requiring authentication to access the corporate network, and encrypting data.
• Monitor device connections. Track device access to specific resources and look for activity that seems suspicious; such activity includes attempts to access data far outside of normal work hours or job scope.

Alternatives to BYOD

There are alternatives to BYOD that may better fit with a company’s security culture or regulatory compliance requirements. Instead of allowing employees to use their personal devices, consider these options.

Corporate-owned devices (COD)

Organizations provide employees with company-owned devices, such as dedicated cell phones or laptops, to use for work purposes only. COD gives businesses greater control over these devices; it can include monitoring software or prevent team members from installing unvetted applications. However, COD costs more for the company as you must purchase and provide each device.

Choose your own device (CYOD)

Organizations allow employees to select from a range of company-owned and -provided devices. This grants employees greater flexibility in device choices, such as choosing between a PC or Mac; however, it still allows the company to apply any desired security controls on the device. Like with COD, CYOD devices are still business devices that are not intended for personal use.

Corporate-owned, personally enabled (COPE)

Organizations provide employees with devices that can be used for both personal and professional reasons. Businesses specifically configure the devices to be usable in most circumstances — granting employees flexibility while still keeping company security measures in place.

Virtual desktop infrastructure (VDI)

VDI allows employees to access a virtualized desktop environment (VDE) through their personal computers as long as they have an internet connection. The VDE is hosted in the cloud and can contain all of an employee’s work files and network connections. VDIs can be configured to prevent staffers from moving any files between the VDI and their personal storage; this allows for secure, remote connections to employer resources that can be easily terminated if necessary. [Read related article: What is Workspace Virtualization? And Does Your Business Need It?]

Deciding on BYOD

BYOD can offer businesses a range of advantages, from attracting remote talent to saving money. However, companies need to keep in mind that BYOD is not a one-size-fits-all solution. Instead, organizations need to consider exactly what they want from BYOD and how the practice fits into their wider security needs. For businesses requiring higher levels of device security, alternatives to BYOD may ultimately be a better fit.

Shannon Flynn and Chad Brooks contributed to this article.