Bring Your Own Device or BYOD, the policy that allows employees to use their own computers or gadgets for work in the office, has become commonplace in many businesses because of the many advantages it offers.
Surveys cited in a Deloitte paper say that 67 percent of employees in 13 countries use their personal devices at work to some degree, and 57 percent of IT managers think that their employees use their own computers or devices at work without permission from their employers. “A significant and influential group of employees demands the right to use personal devices at work,” the paper states.
What many may not realize is that BYOD comes with risks. Companies would prefer letting their employees use their own devices at work, since the arrangement means reduced outlay for office equipment and maintenance. However, there are serious cybersecurity implications that merit careful evaluation.
THE SECURITY RISKS
A study on the security and privacy risks of BYOD published in the International Journal of Advanced Computer Science and Applications identifies five primary problems:
- Installation of malicious software
- Use of untrusted mobile OS and apps
- Use of untrusted networks
- Absence of physical security controls
- Possible leak of information
These problems are mostly interrelated. Personal devices whose operating systems have not been updated and that are used to access untrusted networks are prone to catching malware. This malicious software can then be passed to other devices in a company’s network. A malware-infected personal laptop, for example, can introduce viruses, spyware, ransomware, and other malicious software to the devices in an office.
Even in the presence of antivirus software and other security measures, it is possible for malware to spread from a device that has just been introduced to an office’s network. Some malware is designed to be extremely difficult to detect. Employees who are fond of installing apps from unverified or unknown sources pose a particularly serious danger.
Add to these the possibility of employees creating their own “shadow IT.” It may sound harmless, but it is highly risky for any organization to have employees operating their own virtual IT department that nobody oversees for safety and security. Shadow IT can become a major source of vulnerabilities and exposure to attacks.
It would be unwise to downplay these cyber threats, as they can become the Achilles’ heel of a supposedly adequate security system. Since personal devices are not under the control or oversight of a company’s IT department, it is difficult to ascertain that they are sufficiently protected and updated, and that they do not become instrumental to data theft.
ADDRESSING THE RISKS
The good news is that the dangers of BYOD are not impossible to resolve. With the right security controls, organizations can reap the benefits of BYOD while plugging vulnerabilities and keeping cyber attacks at bay.
While it may not be viable to oversee all of the personal devices that connect to the enterprise network, companies can prepare for the risks and mitigate emerging vulnerabilities by conducting simulations. This process does not have to be painstaking and excessively time-consuming. Deploying an advanced security validation platform, for one, can get the job done with relative ease.
There are security testing solutions that can undertake thorough breach and attack simulations (BAS) to evaluate the effectiveness of existing security controls and policies. BAS enables the comprehensive testing of a security ecosystem to identify defects and determine weaknesses, so they can be remedied as soon as possible.
Security testing has advanced so significantly over the years that it can now provide excellent evaluations of security controls. It also benefits from the development of the MITRE ATT&CK framework, which provides a comprehensive, up-to-date compilation of adversary tactics and techniques to help IT departments ensure that their security systems work as intended.
WILL COMPANIES DO PROPER TESTING?
The question, however, is whether companies will do proper security testing. According to an eSecurity Planet survey, around three in every 10 organizations are not prepared for security attacks. In particular, companies fall short when it comes to security testing. Around four in every 10 companies say that they conduct security testing infrequently or do not do any at all.
There are effective solutions for addressing the security flaws attributable to BYOD. However, not many organizations actively employ these solutions. The reasons for this failure range from a lack of resources to inadequate expertise and experience in testing the effectiveness of security controls. Many companies also say that they willingly forgo security measures to do away with processes and protocols that are perceived to have a negative impact on productivity.
The pandemic has forced businesses to make adjustments and take cost-cutting measures. This can include work-from-home arrangements, wherein employees either bring home company equipment or use their own devices to do work. Unfortunately, many organizations cut corners with their cybersecurity measures hoping to save resources for other priorities.
Along with remote working, BYOD has seen increased adoption during the pandemic. Cautious employees prefer using their own devices to minimize contact with things shared by many users. The advantages of BYOD, however, go beyond hygiene.
One of the most common reasons why employees favor BYOD is the flexibility that comes with being able to have full control over the device used for work. Employees can work on pending tasks with their laptops, for example, without worrying about the device to use as they go home or to other locations. Additionally, the policy allows employees to potentially use better devices, ones with superior technical specs, so they can work faster and better.
The flexibility and access to preferred devices result in improved employee efficiency and productivity. In turn, these benefits help raise employee satisfaction. These are arguably enough reasons to consider BYOD. Companies also benefit from the arrangement, as they reduce device management and maintenance costs, including the price paid for software licenses.
ACHIEVING THE PRODUCTIVITY AND SECURITY BALANCE
The answer to the question in this post’s title does not have to be either of the options. It is not necessary to choose only one of security and productivity. The two can and should co-exist. It is just a matter of putting in place the right security controls and solutions.
A productivity boost is not more important than security, just as security should not be the sole focus of an organization. It is only logical for companies that plan to adopt BYOD to make sure that they are ready for the risks that come with it.