For more than a decade, the explosive popularity of smartphones and mobile devices has had a direct impact on where and when employees perform work tasks. Before, when employees only accessed corporate information on designated work devices, enterprise security meant protecting the perimeter. The perimeter, however, has shifted from a clearly defined and hardened space to being nearly non-existent, in large part because of the expansion of personal mobile devices.

As more employees opted for the convenience of working from their own devices, they became more productive. The problem is that enabling bring-your-own-device (BYOD) practices has also changed the threat landscape. Given the challenges of securing employee-owned devices, it’s worth asking whether it’s time for enterprises to bid farewell to BYOD programs.

Bring Your Own Risk

According to research from Bitglass, 85 percent of organizations now enable BYOD for employees, contractors, partners, customers or suppliers. Unfortunately, at the same time, only 56 percent of companies have basic remote wipe capabilities for removing sensitive data from endpoints.

The risks posed to each organization differ drastically not only by the size of the company but by industry as well. Certainly, a university professor working from his or her own mobile device doesn’t pose the same level of risk to the institution that a financial adviser would pose to his or her company. Each device, database and user poses different risks, which is why an unequivocal ban on BYOD productivity isn’t necessarily the best solution for every company.

As it stands, most companies permit the use of personal devices because doing so offers a wide range of benefits, including enhanced flexibility, mobility, employee satisfaction and reduced costs, according to Anurag Kahol, chief technology officer at Bitglass. Yet the report also found that 42 percent of organizations rely on ill-suited, agent-based tools to secure corporate email on user devices, while 24 percent don’t secure email at all.

“Operating in the cloud and allowing non-corporate devices is a fundamentally different style of conducting business that requires a fundamentally different type of security. If companies allow personal devices, they must also adopt the appropriate tools and policies; they cannot rely upon solutions that are only designed to secure corporate devices or protect data on premises,” Kahol said.

Companies that fall short of taking proper security measures are putting themselves at risk. They are at the mercy of the cyber hygiene of the mobile users who are constantly connecting to their network.

Implement Best Practices for Securing BYOD

Given that BYOD is now a critical reality for so many organizations, devices shouldn’t be treated as separate or isolated components of the business. Instead, “organizations must adopt a security posture with a comprehensive segmentation strategy to adequately secure mobile devices and internet of things (IoT) devices on their networks,” said John Maddison, senior vice president of products and solutions at Fortinet.

An organization’s security architecture needs to provide broad visibility across all environments to identify and track all devices on its network. In addition, companies need “security tools that segment devices to better control attack surfaces through heightened inspection of applications and other traffic. Ultimately, organizations that incorporate user-owned devices must leverage a security framework that consists of integrated tools that can automatically apply advanced security functions to any device anywhere across the network,” Maddison said.

A mobile device management (MDM) tool has to be the first level of defense. Without MDM, companies run a huge risk of having their sensitive information compromised. Risk differs greatly among companies, so each organization has to look at how it ensures security in areas such as the emailing of sensitive information, and it must have a policy in place for what happens if that data leaks out.

How to COPE Without BYOD

As much security as these strategies offer, there are organizations that can’t run the risk of allowing work transactions on anything other than corporate devices. Their data is far too sensitive and the cost of a compromise is far too great. For these reasons, corporate-owned, personally enabled (COPE) devices could be the future.

Securing an employee-owned device is always a challenge. With a corporate-owned device, however, the employer has full run of the assets and direct control to install software and functionality. The challenge with corporate-owned devices is one of upfront cost, but COPE practices may ultimately save organizations the regulatory and reputational costs of a data breach down the road.

The Pandora’s box of mobile devices has been opened, and closing the door on BYOD could ultimately result in even more security issues for some, as users will likely continue to engage in the convenient practices that have been established. Another option is to enable employees to work on their own devices, but treat each personal device as a guest so that users are granted very limited access to corporate data.

Since the precedent has already been set, mobile carriers are now leveraging the chance to help their customers enable BYOD programs, according to Mike Pagani, chief evangelist at Smarsh. “The idea is to get down to a single phone. The problem with the dual phones is that it’s all too easy to answer a business issue using a personal device. In our world, that’s a huge problem.”

Technology has advanced so much that companies can build a very secure set of containers that provide two distinctly different environments on the same device. “With the right containerization, you can run a personal environment and a business environment, and in many cases even have two different numbers on the same device,” Pagani said.

As technology continues to advance, the hardware to enable COPE will further develop and the software will support it. The convenience of a single, corporate-owned device that enables personal functionality could gently ease personal devices out of the equation.
