Qamba Knowledge Base
BYOD Guidance
For organisations considering or currently using a Bring Your Own Device (BYOD) approach, this article discusses the key security and maintenance issues you will need to consider in order to maximise the benefits while minimising the risks. For many companies BYOD has become the norm, with an increasing number of staff using personal devices for work.
The benefits of BYOD
Staff often prefer the convenience of using their own laptops, smartphones and tablets for work. This allows greater flexibility, better familiarity with the device, and no need to carry both a work and a personal device. There are also some capital cost savings for the business, as it does not need to procure extra devices if staff already have a device they can and want to use.
While at first glance this can seem like a great solution, there are some notable issues that can arise around security, provisioning and data management that need to be considered and managed.
The risks of BYOD
Data loss
Accidental data loss or leakage is easier, with staff cutting or copying data from work services onto their personal devices. If that data is not stored correctly, there is a chance it will be lost. During staff offboarding, if it is not done correctly and the departing staff member decides to “clean up” a synchronised folder, that deletion will propagate to the work storage, resulting in the need to detect and restore a large amount of data.
This can be addressed by ensuring there is clear separation of work and personal data, that staff are adequately informed about data storage requirements, and that their BYOD devices are offboarded if they leave the organisation.
Unauthorised data access
Many home devices are shared, and while Windows and macOS can provide separate logins for different household members, more often than not multiple users share the same account. If that account is used to access work resources, the staff member's family may inadvertently have access to organisational data.
This can be addressed by having separate profile logins on the device (such as one for work and one for personal use), along with clear policies and expectations communicated to staff around shared home devices.
Weak or incorrectly configured security
It is very common for older home devices to have weak or poor security configurations. While you can generally expect most staff personal devices to run Windows 10, some will run older, insecure versions of Windows. Some may not have antivirus installed, and may have had security features disabled in the past.
IT support needs a method to verify that devices are reasonably secure. This can be supported by a policy that requires a minimum security configuration, or perhaps by requiring BYOD devices to have a security monitoring/maintenance tool or a company-mandated antivirus solution installed.
Staff privacy implications
Mandating that certain IT management software or antivirus tools be installed may have privacy implications, and staff need to be aware of these. To provide protection, antivirus software needs to intercept website requests; these may become visible to IT support if a malicious site is accessed and the event is flagged to IT for investigation.
If staff use a personal device for work, it is fairly easy for them to unintentionally store personal (and private) documents and photos in the business storage system. A good example is the OneDrive desktop backup feature, which automatically stores all desktop, document and photo files on OneDrive. If it is enabled and the staff member is unaware of how it works, any documents they save to their desktop will now also be contained within the work account. Both staff and IT need to be aware of these implications.
Increased maintenance and support costs
While BYOD can often reduce capital costs, it can trade that saving for increased IT support costs. Most businesses standardise on specific computer models to guarantee performance and suitability for the task. With BYOD, staff may end up with poorly suited devices, resulting in a drastically higher number of support calls and notably reduced productivity.
Preparing for BYOD
Evaluate types of BYOD
There are many different ways to approach BYOD, but below we have described some of the more common types.
Personally owned, completely managed
This involves onboarding a personal device and treating it almost the same as a work device. This may involve joining the device to the correct Active Directory domain (or Azure AD tenancy), installing all work-related software and enforcing certain security requirements.
Personally owned, compliance managed
Devices require management software to be installed that confirms they are secure and up to date. Organisations might mandate that any personal device has certain software installed, such as security monitoring or antivirus software. Often IT will check that a device is suitable before allowing it access to organisational resources.
Personally owned, limited or informal support
This is the most common setup, with the least amount of control and often the highest risk. The risk can be managed, but setting standards around what level of support IT provides and which services and devices are supported is important. This often works fine for things like mobile phones that only access limited services such as email, but can be more of a challenge for laptops and tablets.
Consider technology challenges
If your current system is heavily dependent on features and solutions that are not easily adapted for BYOD, more planning may be required. Many traditional systems have resources that are only accessible internally (you need to be within the organisational network), with a large number of configuration changes made through mechanisms such as Group Policy. Enabling remote access and setting up BYOD devices may become a very manual and time-consuming task if current IT tools do not support it. Shifting from Group Policy to MDM, minimising default operating system configuration changes and focusing on enabling self-service can help reduce these issues.
Developing a BYOD policy
A good policy should set clear expectations and requirements for staff, and be easy to understand and practical to implement and enforce. Consider the following questions when developing your policy.
- What are the minimum standards for a supported BYOD device (operating system, performance, software versions)?
- What level of support will you provide to staff? If their device has a hardware or software fault, is it the responsibility of organisational IT or the staff member to resolve? If the staff member's device requires changes to make it suitable, will organisational IT provide support?
- What minimum security requirements will you have? Does a business antivirus solution need to be installed?
- What is the process for handling situations where the staff member's device is not suitable, or requires a notable amount of labour to make it suitable?
- What are the training implications for staff? Do they understand how the services work and any privacy implications?
- How will you manage and support all of the above on an ongoing basis?
It is important that the final policy is easy for staff to understand and that it matches the reality of the current BYOD scenario. For example, requiring by policy that all staff have a paid antivirus product is not helpful unless there is some way to monitor and enforce it.
Further Reading
Below are some useful articles with further information on the topic of BYOD: