Prior to the COVID-19 pandemic, bring-your-own-device (BYOD) internal controls and data protection policies ranked fairly low on most priority lists. While many companies had BYOD programs, they often applied to only a small subset of employees and contractors. Then the pandemic forced organizations to expand their remote-work programs at an unprecedented, emergency-level rate. The result was that BYOD became a standard operating practice across the enterprise, requiring robust internal controls and safeguards for data protection and governance.
IT security professionals are deeply concerned about the cybersecurity implications. Sixty-seven percent of respondents to a recent survey by the Ponemon Institute and Keeper Security reported that the use of personal mobile devices by remote workers has negatively impacted their organizations’ security posture, and 55 percent said smartphones represent the most vulnerable endpoint at their organizations.
As the line between personal and work devices increasingly blurs, organizations must strike a balance between protecting organizational security and respecting employee privacy. Mandating policies and governing controls on BYOD devices is inherently challenging because those devices are used both to access and to process sensitive company information. Even if an organization had robust BYOD security policies prior to the pandemic, it’s time to reevaluate and update them to reflect the expansion of BYOD across the enterprise and to address the specific challenges of BYOD security in distributed, remote-work environments.
Here are five steps that organizations should take to ensure that their BYOD security protocols reflect the new remote work reality:
If organizations are not yet using a Zero Trust security model, they need to implement one immediately. Zero Trust has become essential not only for BYOD security but for remote-work security as a whole. In a Zero Trust environment, no user, device, or app is trusted by default. Every time a user, device, or app requests access to organizational resources, it must be authenticated, authorized within policy constraints, and inspected for anomalies before access is granted.
Establish clear, written security policies for BYOD.
A good BYOD policy clearly spells out organizational expectations and employee responsibilities. Areas the policy should address include:
The policy should also inform employees what to do in the event their device becomes lost or stolen.
While specific security controls vary depending on individual organizational needs, at a minimum:
Mobile device management (MDM) products support Zero Trust security by helping organizations ensure that only compliant, trusted devices and apps can access enterprise systems and data. While the exact features vary by vendor, robust MDM solutions give IT administrators visibility into mobile device health and compliance, plus the ability to enforce controls such as blocking copy/paste or download/transfer within enterprise apps, so that business data cannot be saved to the employee’s personal device.
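The Zero Trust loop described above (authenticate, authorize within policy, inspect for anomalies, then decide) and the MDM compliance signals that feed it can be made concrete with a small per-request access evaluator. The following is an added example written for this article; it is not code from Keeper Security or any MDM vendor. The posture fields, sensitivity tiers, sample devices, user baseline and the step-up decision are all assumptions chosen for illustration.

```python
"""Per-request access evaluator modelling a Zero Trust decision for a BYOD device.
All device postures, users and baselines below are constructed sample data."""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Set, Tuple


class Decision(Enum):
    ALLOW = "allow"
    STEP_UP = "step_up"   # grant nothing yet; require fresh MFA / device registration
    DENY = "deny"


@dataclass(frozen=True)
class DevicePosture:
    """Compliance signals an MDM agent would report (assumed field set)."""
    device_id: str
    mdm_enrolled: bool
    os_patched: bool
    disk_encrypted: bool
    screen_lock: bool
    rooted_or_jailbroken: bool


@dataclass(frozen=True)
class AccessRequest:
    user: str
    device: DevicePosture
    sensitivity: str   # "public" | "internal" | "confidential"
    mfa_verified: bool
    country: str
    action: str        # "view" | "download"


@dataclass
class UserBaseline:
    """What this user normally looks like; used only for anomaly inspection."""
    known_devices: Set[str]
    usual_countries: Set[str]


def compliance_gaps(d: DevicePosture) -> List[str]:
    """Return the posture checks a device fails (empty list = compliant)."""
    gaps = []
    if d.rooted_or_jailbroken:
        gaps.append("device rooted/jailbroken")
    if not d.screen_lock:
        gaps.append("no screen lock")
    if not d.disk_encrypted:
        gaps.append("disk not encrypted")
    if not d.os_patched:
        gaps.append("OS not patched")
    return gaps


def evaluate(req: AccessRequest, baseline: UserBaseline) -> Tuple[Decision, List[str]]:
    # 1. Authenticate: anything beyond public data needs proven identity (MFA).
    if req.sensitivity != "public" and not req.mfa_verified:
        return Decision.STEP_UP, ["MFA required for non-public resource"]

    # 2. Authorize within policy: device requirements scale with data sensitivity.
    gaps = compliance_gaps(req.device)
    if req.device.rooted_or_jailbroken:
        return Decision.DENY, gaps  # never trusted, whatever the resource
    if req.sensitivity == "confidential":
        if not req.device.mdm_enrolled:
            return Decision.DENY, ["confidential data requires an MDM-enrolled device"]
        if gaps:
            return Decision.DENY, gaps
        if req.action == "download":
            # Same effect as the MDM control that blocks download/transfer to the device.
            return Decision.DENY, ["download of confidential data to personal device blocked"]
    elif req.sensitivity == "internal" and gaps:
        return Decision.DENY, gaps

    # 3. Inspect for anomalies: unknown device or unusual location for this user.
    anomalies = []
    if req.device.device_id not in baseline.known_devices:
        anomalies.append("unrecognised device")
    if req.country not in baseline.usual_countries:
        anomalies.append("unusual country")
    if anomalies and req.sensitivity == "confidential":
        return Decision.DENY, anomalies
    if anomalies:
        return Decision.STEP_UP, anomalies

    return Decision.ALLOW, ["authenticated, compliant, no anomalies"]


# Constructed sample data for the demo.
COMPLIANT_PHONE = DevicePosture("phone-a1", True, True, True, True, False)
UNMANAGED_LAPTOP = DevicePosture("laptop-x9", False, True, True, True, False)
JAILBROKEN_PHONE = DevicePosture("phone-j7", True, True, True, True, True)
BASELINE = UserBaseline({"phone-a1", "laptop-x9"}, {"US"})


def demo() -> Dict[str, Decision]:
    """Run a handful of requests through the evaluator and return the decisions."""
    cases = {
        "view_conf_compliant": AccessRequest("alice", COMPLIANT_PHONE, "confidential", True, "US", "view"),
        "download_conf_compliant": AccessRequest("alice", COMPLIANT_PHONE, "confidential", True, "US", "download"),
        "view_conf_unmanaged": AccessRequest("alice", UNMANAGED_LAPTOP, "confidential", True, "US", "view"),
        "view_internal_unmanaged": AccessRequest("alice", UNMANAGED_LAPTOP, "internal", True, "US", "view"),
        "view_internal_no_mfa": AccessRequest("alice", COMPLIANT_PHONE, "internal", False, "US", "view"),
        "view_public_jailbroken": AccessRequest("alice", JAILBROKEN_PHONE, "public", False, "US", "view"),
        "view_internal_new_country": AccessRequest("alice", COMPLIANT_PHONE, "internal", True, "BR", "view"),
    }
    return {name: evaluate(req, BASELINE)[0] for name, req in cases.items()}


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:28s} -> {decision.value}")
```

The evaluator never short-circuits to "allow" because a device is on a network or was trusted yesterday: each request re-runs the full chain, and a failure at any stage ends in deny or step-up. In practice the posture fields would come from the MDM's device-compliance API and the anomaly baseline from an identity provider's sign-in history.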
Many remote workers do not know how to translate in-office cybersecurity best practices to a home office environment, yet more than half of respondents to the Ponemon Institute survey reported that their organizations had not educated their workforces about remote-work security risks. Even the most comprehensive BYOD security policies will fall flat if employees don’t understand the risks they face or aren’t trained on the proper procedures.
Once the COVID-19 pandemic has subsided, organizations that proactively address the security implications of remote work and BYOD will be positioned to capitalize on the benefits, including reduced costs, greater flexibility, and enhanced employee productivity and satisfaction.
Darren Guccione, co-founder and CEO, Keeper Security