Bring-your-own-device (BYOD) policies were among the many things that changed when the COVID-19 pandemic hit. A Palo Alto Networks study conducted by ONR found that 60% of companies expanded their BYOD policies to help employees manage the shift to remote work at the start of the pandemic. However, the convenience those expanded policies provided often came at the cost of security. The same study found that employees at companies that expanded BYOD use were over eight times more likely to ignore, circumvent or disable security controls than those at companies that restricted BYOD.

Many companies are now looking at either full-time remote work or a hybrid model for the long term. In the past, the answer was often to restrict how employees could use their personal devices or to add more controls over that use. However, piling on restrictions usually just pushes employees to find ways around them.

How Employees Use Their Devices

In the past, BYOD policies focused on what companies did not allow employees to do on their devices. This approach overlooked how employees could use their devices to do work-related tasks more efficiently and accurately. For a BYOD policy to be effective today, companies must address the security issues with a solution that works for both employees and the employer.

Leaders should start by fully understanding how employees currently use personal devices, and in what other ways those devices could improve work/life balance and productivity. Survey employees across a range of roles and departments to learn how they use their devices for work tasks. Questions to ask include:

  • What types of devices they use
  • How often they use them
  • Specific tasks they perform with the devices
  • What applications they use.

The New BYOD Challenges

Before coming up with a solution, organizations must first understand their current digital defenses and what challenges they’re facing. Here are four common challenges.

Employees Using Unsecured Networks

Work and home life blend more and more. Employees have more opportunities, and more temptation, to access sensitive data over public wireless or unsecured home networks. Many organizations turn to virtual private networks (VPNs) as the answer for BYOD, but the technology was not designed for today's mix of devices, locations and threats.

A VPN concentrates a very large attack surface, with many devices in many locations, behind a single entry point that is hard to protect. Because a compromised VPN credential or gateway typically grants access to the whole internal network, VPNs are prime targets for cyber criminals. What's more, a VPN only protects traffic if the employee uses it every time they connect. Because VPNs often slow down connections and degrade device performance, many employees bypass the VPN for a faster connection.

Lack of Security Software

Many companies have required employees to install Mobile Device Management (MDM) software on personal devices used for work. Many MDMs can partition work and personal data. However, employees often worry that their company can see their personal data, such as GPS data on their physical location. Employees then remove or try to circumvent the MDM software, which leaves their devices without protection. Many organizations move to Unified Endpoint Management (UEM) instead, a more holistic approach that is less intrusive to employees' personal devices and data.

Unpatched Software on Devices

Employees need to install updates and patches on the BYOD devices they use for work. If they don't, an unpatched device becomes an opening for cyber criminals to reach the corporate network, applications and data. MDMs can let companies remotely install software and updates on personal devices, but many employees view this as intrusive and push back. You need to find a balance: weigh the company's need for every device that touches its network to run a current, patched OS against employees' right to privacy.

Authenticating Personal Devices on Network

Authenticate every device that accesses the network. Employees now use multiple devices, often in the same workday, so the volume of devices connecting to networks is much higher. Many companies have turned to multifactor authentication (MFA) to make sure only authorized users and devices gain access. However, cyber criminals have responded with attacks designed to bypass MFA, including SIM swapping, technical loopholes in how factors are delivered, social engineering and phishing. MFA is a key component of the right approach to BYOD, but too many organizations treat it as their entire authentication strategy.

Change Your Approach to BYOD

It might seem tempting to look for more ways to control and restrict employees. Instead, take a step back and change the approach. The problem with many BYOD policies and restrictions is that they no longer make sense for either security or workflow. Employees need processes and tools that let them get their work done efficiently. At the same time, organizations need processes and security tools that keep their networks secure. With many employees remaining remote or hybrid for the long term, BYOD is going to be a constant challenge in both the short and the long term.

Organizations can turn to a zero trust approach to improve security as BYOD use expands. Zero trust starts from the assumption that no access request is authorized until proven otherwise: every user and device must authenticate and be authorized for each request, and access is granted per request to specific data or applications rather than to the network as a whole. The benefits of zero trust include protecting customer data, shorter breach detection times, visibility into traffic, a less complicated security stack and a better user experience.

What Is Zero Trust?

Instead of a single process or technology, zero trust is a collection of the following six principles:

  • Ongoing monitoring and validation
  • Principle of least privilege
  • Device access control
  • Preventing lateral movement
  • Multi-factor authentication (MFA)
  • Microsegmentation.

Because zero trust starts by assuming every access request is unauthorized, the framework addresses many of the challenges that increased BYOD use has created, such as authenticating many more devices at much higher volume. With microsegmentation, users and devices have access only to the data, applications and networks they have a business need for, so organizations limit the blast radius of an attack or breach. Additionally, MFA combined with the other principles, including least privilege and device access control, improves the security of a fleet of mixed personal devices.
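To make the principles above concrete, and to tie together the earlier points about unpatched devices and MFA being only one factor in a decision, here is a small default-deny access check written for this article. It is an added example, not code from the original page or from any named vendor product. Every value in it is constructed: the patch baselines in MIN_OS, the role-to-resource map in ROLE_ACCESS, the set of high-value resources, the device registry and the sample requests are all illustrative, and the evaluate() function is a hypothetical policy engine rather than any product's API.

```python
"""Default-deny access decision for a BYOD request.

Added example; not code from the original article or any named product.
Baseline OS versions, the role-to-resource map and the sample requests
below are constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional

# Assumed patch baseline per platform: a device below this is treated as unpatched.
MIN_OS = {"ios": (17, 0), "android": (14, 0), "macos": (14, 0), "windows": (10, 0)}

# Factors that resist phishing and SIM swapping; SMS and TOTP are deliberately absent.
PHISHING_RESISTANT = {"fido2", "passkey"}

# Least privilege / microsegmentation: each role sees only its own segment (constructed).
ROLE_ACCESS = {
    "sales": {"crm", "email"},
    "engineering": {"source-repo", "ci", "email"},
    "finance": {"erp", "email"},
}

# Resources sensitive enough to demand a phishing-resistant factor (constructed).
HIGH_VALUE = {"erp", "source-repo"}


@dataclass(frozen=True)
class Device:
    device_id: str
    platform: str
    os_version: tuple[int, int]
    enrolled: bool  # enrolled in MDM/UEM, so posture can actually be checked


@dataclass(frozen=True)
class AccessRequest:
    user: str
    role: str
    device: Device
    resource: str
    mfa_factor: Optional[str]  # None means the user has not completed MFA


def evaluate(req: AccessRequest, registry: dict[str, str]) -> tuple[bool, list[str]]:
    """Return (allowed, failed_checks).

    Default deny: the request is allowed only if every check passes, and
    every failure is recorded so the decision can be logged and audited.
    `registry` maps device_id -> the user the device is registered to.
    """
    fails: list[str] = []
    d = req.device

    # Device access control: unknown devices and other people's devices are rejected.
    if registry.get(d.device_id) != req.user:
        fails.append("device not registered to requesting user")
    if not d.enrolled:
        fails.append("device not enrolled in management")

    # Patch posture: unknown platform or OS below the baseline is treated as unpatched.
    baseline = MIN_OS.get(d.platform)
    if baseline is None or d.os_version < baseline:
        fails.append("OS below patch baseline")

    # MFA on every request; high-value resources additionally reject weak factors.
    if req.mfa_factor is None:
        fails.append("MFA not completed")
    elif req.resource in HIGH_VALUE and req.mfa_factor not in PHISHING_RESISTANT:
        fails.append("resource requires phishing-resistant factor")

    # Least privilege: the resource must be inside the role's segment.
    if req.resource not in ROLE_ACCESS.get(req.role, set()):
        fails.append("resource outside role's segment")

    return (not fails, fails)


# Constructed sample data.
REGISTRY = {"dev-a1": "alice", "dev-b2": "bob"}
ALICE_PHONE = Device("dev-a1", "ios", (17, 2), enrolled=True)
BOB_OLD_TABLET = Device("dev-b2", "android", (12, 0), enrolled=False)
UNKNOWN_LAPTOP = Device("dev-x9", "macos", (14, 1), enrolled=True)

SAMPLES = {
    "engineer, own device, fido2, repo": AccessRequest("alice", "engineering", ALICE_PHONE, "source-repo", "fido2"),
    "engineer, own device, sms, repo": AccessRequest("alice", "engineering", ALICE_PHONE, "source-repo", "sms"),
    "engineer, own device, fido2, erp": AccessRequest("alice", "engineering", ALICE_PHONE, "erp", "fido2"),
    "sales, unenrolled old tablet": AccessRequest("bob", "sales", BOB_OLD_TABLET, "crm", "totp"),
    "sales, unregistered laptop": AccessRequest("bob", "sales", UNKNOWN_LAPTOP, "crm", "totp"),
}


def run_samples() -> dict[str, tuple[bool, list[str]]]:
    """Evaluate every constructed request; only the first should be allowed."""
    return {name: evaluate(req, REGISTRY) for name, req in SAMPLES.items()}


if __name__ == "__main__":
    for name, (allowed, fails) in run_samples().items():
        print(f"{'ALLOW' if allowed else 'DENY ':5} {name}: {', '.join(fails) or 'all checks passed'}")
```

The point of the shape is that MFA is one check among several rather than the whole decision: the same engineer on the same registered, patched phone is refused the source repository when the second factor is SMS, is refused the ERP system even with a FIDO2 key because it sits outside her role's segment, and an unenrolled, out-of-date tablet fails two checks at once. Because every failed check is returned rather than only the first, the output doubles as the audit record a security operations team would want when tuning the policy.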

Over the past two years, organizations made many decisions quickly as circumstances changed. Now it's time to pause and create a plan for the future of BYOD. The pandemic has changed many aspects of work for good, and organizations need processes, technology and a framework designed for that reality. By moving to zero trust, organizations can get two things at once: the security the organization needs and the flexibility that lets employees be productive and engaged.
