Bring-your-own-device (BYOD) policies were some of the many things that changed when the COVID-19 pandemic hit. A study from Palo Alto Networks by ONR found 60% of companies expanded their BYOD policies to help employees manage the shift to remote work at the beginning of the pandemic. However, the convenience that the new BYOD policies provided often came at the cost of security. The study also found that employees at companies that expanded BYOD use were over eight times more likely to ignore, circumvent or disable security than those who restricted BYOD.
Many companies are looking at either full-time remote work or offering a hybrid model for the long term. In the past, the solution was often to restrict uses or implement more controls for how employees use their BYOD devices. However, placing more restrictions on employees often leads to them figuring out how to get around those rules.
How Employees Use Their Devices
In the past, BYOD policies focused on what companies did not allow employees to do on their devices. This approach overlooked how employees could use their devices to more efficiently and accurately perform work-related tasks. For a BYOD policy to be effective today, companies must address the security issues with a solution that works for both employees and the employer.
Leaders should start by fully understanding how employees currently use personal devices. In what other ways can they use devices to improve work/life balance and be more productive? Survey employees in a range of roles and departments to learn how different employees use their devices for work tasks. Questions to ask include:
- What types of devices they use
- How often they use them
- Specific tasks they perform with the devices
- What applications they use.
The New BYOD Challenges
Before coming up with a solution, organizations must first understand their current digital defenses and what challenges they’re facing. Here are four common challenges.
Employees Using Non-Secure Networks
Work and home life are blending more and more. Employees have more chances and temptation to access sensitive data on public wireless or unsecured home networks. Many employees turn to virtual private networks (VPNs) as the answer for BYOD, but the technology wasn’t designed for today’s complex needs and threats.
VPNs create a very large surface area with so many devices and locations that it’s challenging to protect. Because breaking into a VPN provides access to the entire network, VPNs are big targets for cyber criminals. What’s more, a VPN only provides protection if the employee uses it every time they connect. Because VPNs often slow down the speed and performance of devices, many employees bypass the VPN for faster connections.
Lack of Security Software
Many companies have required employees to use Mobile Device Management (MDM) software on personal devices used for business. Many MDMs allow the partition of work and personal data. However, employees often worry that their company has access to their personal data, such as GPS data on their physical location. Employees often remove or attempt to circumvent MDM software, which then leaves their devices without protection. Organizations often move to Unified Endpoint Management instead. This is a more holistic approach that is not as intrusive to employees’ personal devices and data.
Unpatched Software on Devices
Employees need to install updates or patches on their BOYD devices for work. If they don’t, they create an opening for cyber criminals to gain access to the corporate network, applications and data. MDMs can allow companies to remotely install software and updates on personal devices. However, many employees view this as intrusive and pushback. You need to find a balance. Weigh the company’s need for all devices accessing their networks to have the latest OS against employees’ right to privacy.
Authenticating Personal Devices on Network
Authenticate every device that accesses the network. Employees now use multiple devices even in the same workday. So, the volume of devices connected to networks is now much higher. Many companies have turned to Multifactor Authentication (MFA) to make sure only authorized devices gain access. However, cyber criminals have responded by creating attacks designed for bypassing MFAs. These include SIM swapping, technical loopholes, social engineering and phishing. While MFA is a key component of the right approach for BYOD, many groups use MFA as their entire strategy for authentication.
Change Your Approach to BYOD
It might seem tempting to look for more ways to control and restrict employees. Instead, take a step back and change the approach. The issue with many BYOD policies and restrictions is mainly that they no longer make sense for either security or workflow. Employees need processes and tools that make it possible for them to get their work done efficiently. At the same time, organizations need processes and security tools that keep their networks secure. With many employees remaining remote or hybrid for the long term, the use of BYOD is going to be a constant challenge for the short- and long-term.
Organizations can turn to a zero trust approach to improve security with the expanded BYOD use. With zero trust, the framework starts with the assumption that every access request is not authorized. Everything (device, user, data) must prove authentication. The benefits of using zero trust include protecting customer data, decreasing breach detection times, visibility into traffic, a less complicated security stack and a better user experience.
What Is Zero Trust?
Instead of a single process or technology, zero trust is a collection of the following six principles:
- Ongoing monitoring and validation
- Principle of least privilege
- Device access control
- Preventing lateral movement
- Multi-factor authentication (MFA)
Because zero trust starts with assuming every access request is unauthorized, the framework solves many of the challenges that the increased use of BYOD has created, such as authenticating multiple devices and increased volume. By using microsegmentation, which means that users and devices only have access to the data, applications and networks they have a business need to access, organizations reduce the impact of an attack or breach. Additionally, MFA combined with other technology — including the principal of least privilege and device control access — improves the security of multiple devices.
Over the past two years, organizations made many decisions quickly as situations changed. Now it’s time to pause and create a plan for the future regarding BYOD. The pandemic has changed many aspects of work forever, and organizations need processes, technology and a framework designed for our future reality. By moving to a zero trust approach, organizations can create an approach that provides two things at once. It offers both the security the organization needs and the flexibility that allows employees to be productive and engaged.