Bring-your-own-device (BYOD) policies were some of the many things that changed when the COVID-19 pandemic hit. A study from Palo Alto Networks by ONR found 60% of companies expanded their BYOD policies to help employees manage the shift to remote work at the beginning of the pandemic. However, the convenience that the new BYOD policies provided often came at the cost of security. The study also found that employees at companies that expanded BYOD use were over eight times more likely to ignore, circumvent or disable security than those who restricted BYOD.

Many companies are looking at either full-time remote work or offering a hybrid model for the long term. In the past, the solution was often to restrict uses or implement more controls for how employees use their BYOD devices. However, placing more restrictions on employees often leads to them figuring out how to get around those rules.

How Employees Use Their Devices

In the past, BYOD policies focused on what companies did not allow employees to do on their devices. This approach overlooked how employees could use their devices to more efficiently and accurately perform work-related tasks. For a BYOD policy to be effective today, companies must address the security issues with a solution that works for both employees and the employer.

Leaders should start by fully understanding how employees currently use personal devices. In what other ways can they use devices to improve work/life balance and be more productive? Survey employees in a range of roles and departments to learn how different employees use their devices for work tasks. Questions to ask include:

  • What types of devices they use
  • How often they use them
  • Specific tasks they perform with the devices
  • What applications they use.

The New BYOD Challenges

Before coming up with a solution, organizations must first understand their current digital defenses and what challenges they’re facing. Here are four common challenges.

Employees Using Non-Secure Networks

Work and home life are blending more and more. Employees have more chances and temptation to access sensitive data on public wireless or unsecured home networks. Many employees turn to virtual private networks (VPNs) as the answer for BYOD, but the technology wasn’t designed for today’s complex needs and threats.

VPNs create a very large attack surface: with so many devices and locations connecting, it is challenging to protect. Because breaking into a VPN provides access to the entire network, VPNs are big targets for cyber criminals. What’s more, a VPN only provides protection if the employee uses it every time they connect. Because VPNs often slow down the speed and performance of devices, many employees bypass the VPN for faster connections.

Lack of Security Software

Many companies have required employees to use Mobile Device Management (MDM) software on personal devices used for business. Many MDMs allow the partition of work and personal data. However, employees often worry that their company has access to their personal data, such as GPS data on their physical location. Employees often remove or attempt to circumvent MDM software, which then leaves their devices without protection. Organizations often move to Unified Endpoint Management instead. This is a more holistic approach that is not as intrusive to employees’ personal devices and data.

Unpatched Software on Devices

Employees need to install updates or patches on their BYOD devices for work. If they don’t, they create an opening for cyber criminals to gain access to the corporate network, applications and data. MDMs can allow companies to remotely install software and updates on personal devices. However, many employees view this as intrusive and push back. You need to find a balance. Weigh the company’s need for all devices accessing its networks to have the latest OS against employees’ right to privacy.

Authenticating Personal Devices on Network

Authenticate every device that accesses the network. Employees now use multiple devices even in the same workday, so the volume of devices connected to networks is now much higher. Many companies have turned to Multifactor Authentication (MFA) to make sure only authorized devices gain access. However, cyber criminals have responded by creating attacks designed to bypass MFA. These include SIM swapping, technical loopholes, social engineering and phishing. While MFA is a key component of the right approach for BYOD, many groups use MFA as their entire strategy for authentication.

Change Your Approach to BYOD

It might seem tempting to look for more ways to control and restrict employees. Instead, take a step back and change the approach. The issue with many BYOD policies and restrictions is mainly that they no longer make sense for either security or workflow. Employees need processes and tools that make it possible for them to get their work done efficiently. At the same time, organizations need processes and security tools that keep their networks secure. With many employees remaining remote or hybrid for the long term, the use of BYOD is going to be a constant challenge in both the short and long term.

Organizations can turn to a zero trust approach to improve security with the expanded BYOD use. A zero trust framework starts from the assumption that no access request is authorized. Everything (device, user, data) must be authenticated. The benefits of using zero trust include protecting customer data, decreasing breach detection times, visibility into traffic, a less complicated security stack and a better user experience.

What Is Zero Trust?

Instead of a single process or technology, zero trust is a collection of the following six principles:

  • Ongoing monitoring and validation
  • Principle of least privilege
  • Device access control
  • Preventing lateral movement
  • Multi-factor authentication (MFA)
  • Microsegmentation.

Because zero trust starts with assuming every access request is unauthorized, the framework solves many of the challenges that the increased use of BYOD has created, such as authenticating multiple devices and increased volume. By using microsegmentation, which means that users and devices only have access to the data, applications and networks they have a business need to access, organizations reduce the impact of an attack or breach. Additionally, MFA combined with other technology (including the principle of least privilege and device access control) improves the security of multiple devices.
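The following sketch shows how these principles combine into one default-deny access decision, so that passing MFA alone is never enough. It is an added example, not code from the original article or any product; the segment map, field names and the 60-minute re-validation interval are assumptions made for illustration.

```python
from dataclasses import dataclass

# Hypothetical microsegmentation map: role -> resources with a business need.
SEGMENTS = {
    "finance": {"ledger-app", "payroll-db"},
    "support": {"ticketing-app"},
}
MAX_SESSION_AGE_MIN = 60  # assumed interval for ongoing re-validation


@dataclass(frozen=True)
class AccessRequest:
    user: str
    role: str
    resource: str
    device_registered: bool  # device access control: device is known
    os_patched: bool         # device has current OS and security updates
    mfa_passed: bool         # MFA completed for this session
    session_age_min: int     # minutes since identity was last validated


def evaluate(req: AccessRequest):
    """Default deny: return (allowed, reasons); any failed check blocks access."""
    reasons = []
    if not req.device_registered:
        reasons.append("device not registered")
    if not req.os_patched:
        reasons.append("device missing updates")
    if not req.mfa_passed:
        reasons.append("MFA not completed")
    if req.session_age_min > MAX_SESSION_AGE_MIN:
        reasons.append("session needs re-validation")
    # Least privilege / microsegmentation: unknown roles get an empty segment.
    if req.resource not in SEGMENTS.get(req.role, set()):
        reasons.append("resource outside role's segment")
    return (not reasons, reasons)


if __name__ == "__main__":
    # Constructed sample requests (not real data).
    samples = [
        AccessRequest("ana", "finance", "payroll-db", True, True, True, 5),
        AccessRequest("ben", "support", "payroll-db", True, True, True, 5),
        AccessRequest("cy", "finance", "ledger-app", True, False, True, 90),
    ]
    for r in samples:
        print(r.user, r.resource, evaluate(r))
```

The second sample passes MFA on a healthy device yet is still denied, because the resource lies outside the user's segment; that is the lateral-movement limit the principles describe.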

Over the past two years, organizations made many decisions quickly as situations changed. Now it’s time to pause and create a plan for the future regarding BYOD. The pandemic has changed many aspects of work forever, and organizations need processes, technology and a framework designed for our future reality. By moving to a zero trust approach, organizations can create an approach that provides two things at once. It offers both the security the organization needs and the flexibility that allows employees to be productive and engaged.
