This morning most of us woke up and followed a very similar routine, grabbing our mobile phone, tablet, and/or laptop as we headed out the door to work. Who owns those mobile devices - you, your company, or a bit of both?
Chances are the phone and the tablet are your personal devices loaded with personal information, while the laptop is provided by your company - even though you routinely use all of them for work purposes.
In most cases, only large enterprises supply their employees with all of their hardware, which might include mobile devices, laptops, workstations and maybe even wearables.
However, today the most common scenario is for employees to purchase, own and control smartphones and tablets that are used for both work purposes and personal use. This is referred to as BYOD (Bring Your Own Device).
Remember when there was a big pushback from IT departments about supporting personal devices?
That was circa 2009, when many businesses went so far as blocking personal devices from their networks and mail servers. Fast forward to today. It’s expected, if not mandated, that the IT department support personal devices, using Mobile Device Management (MDM) software to allow employees to access the company's sensitive data at all hours of the day and night from anywhere.
BYOD is entrenched because companies quickly realized that it boosts employee productivity, and can potentially save on capital expenditures to boot.
Here are some of the latest BYOD statistics in the U.S.
- 87% of companies rely on employees using their personal smartphones to access mobile business apps and services
- Almost 50% of businesses require their employees to use their personal smartphones
- Employees use their smartphones for work purposes outside of normal working hours about 7 hours per week
- About 70% of companies say that they reimburse their employees in some fashion for BYOD, while only 29% of employees reported that they receive BYOD reimbursement for their data plan (interesting!)
So while we could debate who is benefiting the most from this, there is one huge pitfall that has surfaced with the BYOD movement - lack of security training, practices and policies.
The biggest concern businesses have is the risk of compromising company data, whether by lost/stolen devices or by cyber-attacks and threats.
BYOD security risks need to be taken very seriously, and it's an unfortunate fact that most companies do NOT have a mobile device access policy in place.
Key Challenges You Should Know About
Anticipated cost benefits. If BYOD is implemented correctly, the measures needed to comply with security best practices will add to the cost of BYOD. This is typically done through mobile device management (MDM) software, which allows companies to remotely manage end-user devices.
Employee privacy. Most employees have not been told about the risk of using personal devices at work. If the organization they work for is sued, their personal data may be at risk as well. Additionally, in many cases the company may have access to everything on the employee’s device, even private information, depending on the type of mobile management the company has deployed.
Increased cyber-attacks. With the explosion of mobile device usage, hackers now have many more “attack surfaces” than before, such as untrusted mobile apps that may be vulnerable or malicious. Personal devices are also very attractive to hackers because they contain not only company data but also personally identifiable information (PII) about the user.
Employee non-compliance. How many of us have avoided rebooting our devices after being prompted to update? Keeping mobile devices updated with patches and operating system upgrades is imperative for security reasons, but it’s difficult to enforce this without some sort of MDM solution.
Physical loss or theft. Now that our devices are not tethered to our desks, it’s incredibly easy to lose track of your smartphone, laptop or tablet. The true cost of a lost mobile device goes far beyond the price of replacement, thanks to lost productivity, loss of intellectual property, data breaches and legal fees. It’s been estimated that the average loss to a company exceeds $49,000 per lost or stolen device!
Getting Started with a BYOD Policy
Implementing a BYOD policy to protect both the business and its employees is basically a requirement today. Don’t rely on informal conversations and assumptions.
There is NO case where BYOD should exist without the following three components:
- A software application for managing the devices that are connected to the company network
- A written policy that outlines the responsibilities of both employer and user
- An agreement that users must sign acknowledging that they read and understand the policy
To help get you started with your mobile security planning, check out this BYOD policy that outlines the requirements for BYOD usage, and establishes the steps that users and the IT department should follow.
There are many other layers that are needed for robust cyber security protection across an organization, but a BYOD policy is a great place to start. As always, reach out to us if you need IT consulting assistance as you move through the ongoing journey of protecting your business!