While most security professionals have come to embrace — or, at least, accept — bring-your-own-device (BYOD) policies, leadership still often lacks confidence in the data security of employees’ personal phones, tablets and laptops.

In a recent study from Bitglass, 30 percent of the 400 IT experts surveyed were hesitant to adopt BYOD due to security concerns such as data leakage, shadow IT and unauthorized data access. As the General Data Protection Regulation (GDPR) and other data privacy mandates go into full swing, it’s more important than ever for organizations to monitor and protect enterprise data on mobile devices. However, BYOD may still be the Wild West of network access, especially given the rapid proliferation of new endpoints.

All these moving parts beg the question: Is BYOD security any better today than it was when personal devices first entered the workforce?

The Ten Rules of BYOD

Growing Acceptance of Personal Devices in the Enterprise

It wasn’t long ago that corporate leadership balked at the idea of their employees using personal devices for work. While workers had been using their personal computers and laptops to access company networks, it wasn’t until smartphones and digital tablets were introduced that the concept of BYOD caught on. Security for these devices wasn’t very mature back then, and IT and security decision-makers had well-founded concerns.

Over the past decade, of course, phones have evolved into personal hand-held computers. According to Comscore, only 17 percent of consumers were using smartphones in 2009, compared to 81 percent in 2016. That irreversible trend, along with the rise of the internet of things (IoT) and wearable devices, linked personal technology inextricably with enterprise networks.

Employees believe they are more productive and efficient when using not only their device of choice, but also their preferred software and apps. Apparently, leadership agrees: The same Bitglass study found that 85 percent of companies now allow not only employees, but even contractors, customers and suppliers to access enterprise data from their personal devices. Despite this shift, more than half of those surveyed believe mobile threats have gotten worse.

Mobile Threats Are Rising, but Security Hasn’t Changed Much

Given the ubiquity and relative insecurity of mobile devices in the workplace, it’s no surprise that criminals are targeting them. Threat actors can gain access to both corporate data and personal data from one easy-to-breach device. Basic mobile security protections, such as remote wiping and mobile device management tools, are deployed in just over half of the organizations surveyed by Bitglass. In addition, many security teams lack visibility into apps used on personal devices.

Most threat actors who attack mobile devices are after passwords, according to mobile security expert Karen Scarfone, as quoted by Wired.

“A lot of email passwords still go back and forth in the clear,” she said. “That’s a big problem.”

Passwords remain the keys to the data castle, and they are largely unencrypted and unprotected on mobile devices. This, coupled with the password reuse epidemic, means that threat actors can gain virtually unlimited access to corporate networks through personal devices.

Clearly, there’s plenty of room for improvement when it comes to mobile security. A U.S. Department of Homeland Security (DHS) study mandated by the Cybersecurity Act of 2015 found that while the federal government’s use of mobile technology is improving, “many communication paths remain unprotected and leave the overall ecosystem vulnerable to attacks.”

Similar security holes exist in the private sector. According to SyncDog, mobile devices are the most dangerous point of intrusion to corporate networks. In large enterprises in particular, “mobile devices are looked at as toys with games on them, and protecting them comes last in line to application management, network security, mainframes and other larger IT concerns.”

BYOD Security Starts With Smart Policies

How can chief information security officers (CISOs) and IT leaders ensure that employees use their personal devices in a smart, secure way? First, determine whether the employee needs to use personal devices for work at all. If there are jobs within the organization that don’t require regular access to networks, or if employees are working remotely, these users should not be allowed to participate in a BYOD program because their devices are neither authorized nor consistently monitored.

Second, employees should be required — or, at least, highly encouraged — to update their device software, especially operating systems and any security software. Consider requiring all employees who use personal devices to install the corporate security software and use the company’s security protocols if they are connecting to enterprise networks.

Third, communicate BYOD policies to employees and implement effective measures to enforce them. Policies should include the most basic data security best practices, such as implementing multifactor authentication (MFA), creating strong and unique passwords, using virtual private networks (VPNs) over public WiFi, and locking devices with biometric controls. In addition to protecting enterprise networks, these steps will help secure employees’ personal data on devices. But remember, a policy is useless if you don’t enforce it. People will break the rules if they know there are no consequences to pay.

When it comes to worker productivity, the embrace of BYOD has been a good thing for businesses. But in a world where cyberthreats loom large and data loss could result in huge fines and reputational damage, enterprises need to prioritize the security of their critical assets — and that of the thousands of endpoints that access them.

To learn more, read the IBM white paper, “The Ten Rules of Bring Your Own Device (BYOD).”

Read the white paper

More from Endpoint

The Evolution of Antivirus Software to Face Modern Threats

Over the years, endpoint security has evolved from primitive antivirus software to more sophisticated next-generation platforms employing advanced technology and better endpoint detection and response.  Because of the increased threat that modern cyberattacks pose, experts are exploring more elegant ways of keeping data safe from threats.Signature-Based Antivirus SoftwareSignature-based detection is the use of footprints to identify malware. All programs, applications, software and files have a digital footprint. Buried within their code, these digital footprints or signatures are unique to the respective…

Contain Breaches and Gain Visibility With Microsegmentation

Organizations must grapple with challenges from various market forces. Digital transformation, cloud adoption, hybrid work environments and geopolitical and economic challenges all have a part to play. These forces have especially manifested in more significant security threats to expanding IT attack surfaces. Breach containment is essential, and zero trust security principles can be applied to curtail attacks across IT environments, minimizing business disruption proactively. Microsegmentation has emerged as a viable solution through its continuous visualization of workload and device communications…

Self-Checkout This Discord C2

This post was made possible through the contributions of James Kainth, Joseph Lozowski, and Philip Pedersen. In November 2022, during an incident investigation involving a self-checkout point-of-sale (POS) system in Europe, IBM Security X-Force identified a novel technique employed by an attacker to introduce a command and control (C2) channel built upon Discord channel messages. Discord is a chat, voice, and video service enabling users to join and create communities associated with their interests. While Discord and its related software…

3 Reasons to Make EDR Part of Your Incident Response Plan

As threat actors grow in number, the frequency of attacks witnessed globally will continue to rise exponentially. The numerous cases headlining the news today demonstrate that no organization is immune from the risks of a breach. What is an Incident Response Plan? Incident response (IR) refers to an organization’s approach, processes and technologies to detect and respond to cyber breaches. An IR plan specifies how cyberattacks should be identified, contained and remediated. It enables organizations to act quickly and effectively…