The dangers of BYOD: how can you protect your organization?
An increasing number of companies have bring your own device (BYOD) programs. While BYOD has many benefits, there are serious cybersecurity concerns.
Over the last few years, organizations have increasingly begun to allow or require employees to supply their own devices as part of BYOD programs, including laptops, tablets and smartphones.
But while BYOD has often been eagerly adopted in the name of cost savings, productivity gains and higher employee satisfaction, it can also pose serious legal and cybersecurity threats to organizations.
Balancing risk and reward
BYOD tends to expand the existing risk landscape rather than create entirely new risks: the same threats that apply to corporate devices apply to personal ones, but they are amplified because the organization has less visibility into, and less control over, the devices that now hold its data.
A holistic and methodical approach is needed to define this risk and to ensure that controls exist to maintain both the security and usability of every device that touches enterprise data, not just those owned and operated by the organization.
The real cost of cyber attacks
Given that BYOD reduces an organization’s control over its IT infrastructure – and therefore over its data – it also increases cyber risk. The sheer diversity of devices, apps and operating systems means that basic security controls (patching, device encryption, screen locks, malware protection) may not be consistently and effectively implemented across an organization.
With the severity and quantity of cyber attacks on the rise, organizations must undertake a thorough risk assessment that weighs the costs and benefits of BYOD.
The cost of a catastrophic cyber attack should not be underestimated or forgotten. Ponemon Institute estimates that the average maximum probable damage of a cyber attack from theft or destruction of information assets could be US$617 million. The average cyber attack cost US companies an estimated US$6.5 million in 2015.
While BYOD may save on short-term IT infrastructure costs, will it really save your organization money in an era of increasing cyber attacks?
- Create a strategy for BYOD with a business case and a goal statement: building a smart, flexible mobile strategy can allow companies to explore innovative ways to empower their workforce and drive greater productivity, but change without proper planning is unlikely to drive improvements. Ensure that hidden costs, such as increased data bills and support expansion, are considered, together with potential advantages, such as increased recruiting success rates with younger demographics.
- Involve stakeholders early through the formation of a mobility group: this could consist of executives, HR, legal, support, IT and, potentially, representatives of key user groups. Establishing key success factors will help the group measure the success of the implementation and shape it over time.
- Create a support and operations model: a key hidden cost is lost productivity when employees cannot reach corporate resources because their devices are poorly integrated. Just because your organization is no longer supplying the IT equipment doesn’t mean you no longer need an IT support function – in fact, BYOD may make this more important than ever.
- Analyze the risk: assess the data stored and processed on the devices, as well as the access the devices are granted to corporate resources and apps. Paying special attention to scenarios that are more likely to affect mobile devices, such as loss or theft, will help focus the effort. Incorporate the data-protection and privacy laws of each jurisdiction in which the devices are used, and consider the impact of the mobile workforce traveling to countries with data import and export restrictions.
- Create a BYOD policy: a flexible but enforceable policy limits risk to the organization by making users’ rights and responsibilities clear – for example, which corporate data may be held on the device, what the organization may inspect or remotely wipe, and what the user must do when a device is lost or stolen.
- Secure devices and apps: implementing a mobile device management (MDM) solution, or other container-focused management utilities, will greatly help the organization manage and secure devices. MDM lets the organization enforce device-level controls such as passcodes, encryption and remote wipe; containerization keeps corporate data and apps separate from personal ones, so that corporate data can be protected and, if necessary, removed without touching the employee’s personal content.
- Test and verify the security of the implementation: assessments should be performed using an integrated testing approach combining automated tools and manual penetration testing, preferably using a trusted third party that has a proven track record of assessing mobile deployments.
- Measure success and ROI, and roll lessons learned forward: track key performance indicators of the BYOD program and use them to improve it continually. Use direct user feedback extensively to identify areas for improvement.
Why the advantages of BYOD may still outweigh the risks
After undertaking a risk and cost-benefit analysis of BYOD, some organizations may decide to ban employees from using their own devices. However, excessively restrictive cybersecurity policies can actually increase your organization’s cyber risk.
How? Some employees will inevitably continue using their own devices. Without the technical support, management tooling and expertise of a sanctioned BYOD program, those devices become unmanaged endpoints that the organization cannot see, patch or wipe, and so pose a greater security threat than devices enrolled in a supported program.
So, by all means, strengthen your policies, but also provide employees with alternative options that give them the flexibility and access they have come to expect.