While most security professionals have come to embrace — or, at least, accept — bring-your-own-device (BYOD) policies, leadership still often lacks confidence in the data security of employees’ personal phones, tablets and laptops.

In a recent study from Bitglass, 30 percent of the 400 IT experts surveyed were hesitant to adopt BYOD due to security concerns such as data leakage, shadow IT and unauthorized data access. As the General Data Protection Regulation (GDPR) and other data privacy mandates go into full swing, it’s more important than ever for organizations to monitor and protect enterprise data on mobile devices. However, BYOD may still be the Wild West of network access, especially given the rapid proliferation of new endpoints.

All these moving parts beg the question: Is BYOD security any better today than it was when personal devices first entered the workforce?

The Ten Rules of BYOD

Growing Acceptance of Personal Devices in the Enterprise

It wasn’t long ago that corporate leadership balked at the idea of their employees using personal devices for work. While workers had been using their personal computers and laptops to access company networks, it wasn’t until smartphones and digital tablets were introduced that the concept of BYOD caught on. Security for these devices wasn’t very mature back then, and IT and security decision-makers had well-founded concerns.

Over the past decade, of course, phones have evolved into personal hand-held computers. According to Comscore, only 17 percent of consumers were using smartphones in 2009, compared to 81 percent in 2016. That irreversible trend, along with the rise of the internet of things (IoT) and wearable devices, linked personal technology inextricably with enterprise networks.

Employees believe they are more productive and efficient when using not only their device of choice, but also their preferred software and apps. Apparently, leadership agrees: The same Bitglass study found that 85 percent of companies now allow not only employees, but even contractors, customers and suppliers to access enterprise data from their personal devices. Despite this shift, more than half of those surveyed believe mobile threats have gotten worse.

Mobile Threats Are Rising, but Security Hasn’t Changed Much

Given the ubiquity and relative insecurity of mobile devices in the workplace, it’s no surprise that criminals are targeting them. Threat actors can gain access to both corporate data and personal data from one easy-to-breach device. Basic mobile security protections, such as remote wiping and mobile device management tools, are deployed in just over half of the organizations surveyed by Bitglass. In addition, many security teams lack visibility into apps used on personal devices.

Most threat actors who attack mobile devices are after passwords, according to mobile security expert Karen Scarfone, as quoted by Wired.

“A lot of email passwords still go back and forth in the clear,” she said. “That’s a big problem.”

Passwords remain the keys to the data castle, and they are largely unencrypted and unprotected on mobile devices. This, coupled with the password reuse epidemic, means that threat actors can gain virtually unlimited access to corporate networks through personal devices.

Clearly, there’s plenty of room for improvement when it comes to mobile security. A U.S. Department of Homeland Security (DHS) study mandated by the Cybersecurity Act of 2015 found that while the federal government’s use of mobile technology is improving, “many communication paths remain unprotected and leave the overall ecosystem vulnerable to attacks.”

Similar security holes exist in the private sector. According to SyncDog, mobile devices are the most dangerous point of intrusion to corporate networks. In large enterprises in particular, “mobile devices are looked at as toys with games on them, and protecting them comes last in line to application management, network security, mainframes and other larger IT concerns.”

BYOD Security Starts With Smart Policies

How can chief information security officers (CISOs) and IT leaders ensure that employees use their personal devices in a smart, secure way? First, determine whether the employee needs to use personal devices for work at all. If there are jobs within the organization that don’t require regular access to networks, or if employees are working remotely, these users should not be allowed to participate in a BYOD program because their devices are neither authorized nor consistently monitored.

Second, employees should be required — or, at least, highly encouraged — to update their device software, especially operating systems and any security software. Consider requiring all employees who use personal devices to install the corporate security software and use the company’s security protocols if they are connecting to enterprise networks.

Third, communicate BYOD policies to employees and implement effective measures to enforce them. Policies should include the most basic data security best practices, such as implementing multifactor authentication (MFA), creating strong and unique passwords, using virtual private networks (VPNs) over public WiFi, and locking devices with biometric controls. In addition to protecting enterprise networks, these steps will help secure employees’ personal data on devices. But remember, a policy is useless if you don’t enforce it. People will break the rules if they know there are no consequences to pay.

When it comes to worker productivity, the embrace of BYOD has been a good thing for businesses. But in a world where cyberthreats loom large and data loss could result in huge fines and reputational damage, enterprises need to prioritize the security of their critical assets — and that of the thousands of endpoints that access them.

To learn more, read the IBM white paper, “The Ten Rules of Bring Your Own Device (BYOD).”

Read the white paper