By Suzan Sakarya

The concept of Bring Your Own Device (BYOD) is hardly new. In the last decade, it has gained immense traction as businesses started to enable employees to work seamlessly from anywhere using their personal laptops, smartphones, and tablets. The premise is simple: empower employees with the flexibility they need while reducing overheads for the company.

Yet, despite this apparent win-win, nearly half of European enterprises are alarmingly unprepared. A recent survey from Jamf reveals that 49% of enterprises across Europe have no formal BYOD policy in place. The lack of such a fundamental element in the post-Covid modern digital workspace begs the question — why are so few effectively monitoring for threats? 

The rise of the deskless worker

The 21st-century work environment has significantly evolved from the traditional 9-to-5 office setting. With rapid cloud adoption facilitating work-from-home and remote working arrangements, the “deskless worker” is on the rise. 

As COVID-19 swept across the globe, companies had little choice but to adapt quickly to a remote working model, further accelerating the BYOD culture. However, this new-found convenience and flexibility come with their own set of challenges. Whilst employees enjoy the autonomy of choosing their devices and working from comfortable environments, organisations are grappling with how to maintain the same level of security oversight that existed in the physical office.

Employees are no longer tethered to a specific location, embracing the freedom to work remotely from cafes, co-working spaces, and even overseas. This shift towards remote work isn’t just a fleeting trend; it has become a fundamental change in how businesses operate. Recent reports suggest that 16% of full-time employees in the UK are currently working from home, while 28% work a hybrid model. These numbers are rapidly escalating.

So, as remote and hybrid working is becoming the norm, lax or non-existent BYOD policies are opening up a Pandora’s box of cybersecurity vulnerabilities for organisations. The absence of stringent BYOD policies means that companies are essentially flying blind. They are likely unaware of what devices are accessing their networks, where they are doing it from, and what level of security those devices adhere to.

In the era of escalating cyber threats and increasingly strict data protection laws, such as GDPR, this laissez-faire approach to BYOD is a ticking time bomb. According to Jamf’s survey, 53% of businesses are already focused on cutting IT and security costs. So, the need for an effective, cost-efficient, and widely-adopted BYOD policy has never been more critical. 

What are the security risks of not having a BYOD policy?

While BYOD offers a plethora of benefits, ranging from cost savings to increased employee satisfaction, the absence of formal policies turns these assets into liabilities. One dangerous risk is data leakage or data theft. With employees accessing sensitive company data from their personal devices, the risk of this information being mishandled or falling into the wrong hands is magnified. To add fuel to the fire, we found that 43% of organisations are already grappling with more compliance-based security concerns compared to last year.

The lack of a robust BYOD policy also gives rise to the issue of shadow IT, where employees use unsanctioned applications to perform tasks. Not only does this practice place an organisation’s data at risk, but it also makes it significantly harder to comply with data protection regulations.

Beyond that, an unregulated BYOD environment makes it difficult to ensure that devices are updated with the latest security patches, adding yet another layer of vulnerability. In our survey, 41% of respondents were concerned about the growing number of vulnerabilities in Apple operating systems.

Also, uncontrolled device access to corporate networks poses the risk of introducing malware or ransomware into the system. It’s not merely about the financial impact, which can be crippling; it’s about the incalculable damage to a company’s reputation and the erosion of customer trust.

The lack of a BYOD policy also increases the likelihood of human errors. Without specific guidelines and policies, employees will not be aware of how to maintain and manage the fundamental security responsibilities of their devices. Also, the absence of a policy means that employees cannot be expected to follow a certain standard of cyber hygiene in their daily activities. This will increase their chances of falling prey to attacks like phishing and social engineering, extending the risks far beyond a single endpoint. 

Implementing an effective BYOD policy 

To combat the extensive security risks posed by an unregulated BYOD environment, organisations must take a multi-faceted approach:

  • Develop a comprehensive BYOD policy: Clear guidelines on the use of personal devices should be defined, communicated, and strictly enforced. This policy should cover data access, data segregation, and data deletion protocols for departing employees.
  • Implement Mobile Device Management (MDM): An MDM solution allows IT teams to manage devices remotely, ensuring that each one adheres to company security standards before gaining network access.
  • Regular cyber hygiene training: Employees need to be regularly educated about the latest cybersecurity threats and trained on how to avoid common pitfalls, such as phishing scams.
  • Invest in Zero Trust Network Access (ZTNA): Organisations should invest in ZTNA solutions, which only allow access to specific applications based on real-time evaluation of risk factors, rather than giving blanket access to the network. ZTNA can be dynamically adjusted to consider the user’s role, device, location, and other contextual information, providing more granular security controls. Additionally, businesses can incorporate advanced endpoint protection that provides on-device monitoring and analysis of suspicious threats and vulnerabilities.
  • Regular audits and compliance checks: IT should periodically assess devices for compliance with the BYOD policy, and non-compliant devices should be immediately disconnected from corporate resources.
  • Cost-benefit analysis: Considering that 57% of organisations have separate teams for device management and security, merging these roles could streamline operations and make it more cost-effective to tackle BYOD challenges.

By acknowledging the potential hazards and implementing a well-rounded strategy to manage them, companies can enjoy the benefits of BYOD without jeopardising their security posture. 

The reality is that the BYOD phenomenon isn’t just an option; it’s an inevitability. The longer organisations delay in adopting stringent BYOD policies, the wider they open the door to cybersecurity risks that can result in catastrophic consequences.

About the Author

Suzan Sakarya is the Senior Manager for EMEIA Security Sales at Jamf. Suzan is responsible for Jamf’s security portfolio in EMEIA. She leverages her experience and expertise to provide customers with an end-to-end security offering that is simple to manage and robust in design.
