How to Introduce BYOD Without Impacting Security
The rise in remote and flexible working in the last few years has been one of the biggest changes we’ve seen in the workplace. The days of staff working from large desktop computers in an office are long gone and have been replaced by workers in a variety of locations using all sorts of devices.
Many workers are opting to work from a personal device – whether that’s doing all their work on their own laptop or accessing emails on the road from a mobile phone. But you need to be careful. Personal devices don’t always have the same level of protection as those issued by a company. So, what can you do about it?
What is BYOD?
BYOD stands for bring your own device. BYOD is the concept of employees using their personally owned device(s) for work purposes. With BYOD, an organisation has ownership of the corporate data and resources that may be accessed or stored on a device, but the device itself is the property of the user.
Why Choose BYOD?
As devices and platforms have become more capable of being used in a work context, the concept has matured from its initial roots and aims to:
- Give end-users the ability to use IT they feel comfortable with
- Reduce overheads for the organisation in terms of procurement and provisioning of corporate devices
- Enable flexible (including remote) working
- Increase productivity
- Provide redundancy to businesses and organisations when workers are unable to access their main places of work
But there’s more to BYOD than just installing company software and signing into key apps. It needs careful consideration to ensure that it meets the needs of the business and satisfies employee desires for flexibility, but without endangering the safety and security of data.
BYOD must be implemented with a clearly defined policy around how it works, particularly how employees’ personal devices are checked by the IT team and approved for use.
Without a policy, access to corporate data and systems quickly becomes a free-for-all, with employees using all manner of different devices, and IT teams not knowing who is using what. This “shadow IT” extends to even basic means of communication like using phones and tablets for Teams calls, sending work-related messages through WhatsApp, or using personal cloud storage services like Dropbox for business documents.
If IT teams don’t know any of this is going on, then they can’t keep control of how data and applications are accessed. This poses inherent risks around data breaches, security and compliance, as IT – and by extension, the business as a whole – has no way of knowing how secure those devices are, how up to date they are or whether proper procedures are being followed.
A BYOD policy should consider the responsibilities of both employees and employers. As part of formulating the policy, think about:
- Which activities are permitted from personal devices
- The types of data that can be accessed and used from those devices
- The extent to which an employer can access personal devices for business reasons
- Whether employees are happy to grant that level of access
- How the business responds when users don’t adhere to the rules and policies set out
Once these issues have been resolved, you can then put technical controls in place to ensure the policy is properly enforced. These should include hardware and software standards, service access, sensitive data protection, and enforcement-related functionality like authentication or firewalls.
As businesses continue with flexible and hybrid working, we suspect we’ll see BYOD’s popularity increase even more. And with technologies like Azure Virtual Desktop, there is something for everyone.