With the rise of smartphones and tablets, IT managers have a new reality to face, and possibly fear: “Bring Your Own Device,” or BYOD.
Since picking up steam in 2009, BYOD has only grown in popularity in the last six years. According to a study conducted by Tech Pro Research in November 2014, 60 percent of businesses surveyed allowed BYOD of some kind for workers, while plans to adopt BYOD policies within the next year were in place at another 14 percent. Just 26 percent of businesses surveyed did not allow employees to use work devices.
That’s an increase from a previous total of 44 percent of businesses having a BYOD policy in a February 2013 study, and 18 percent of stating they had intentions to allow BYOD within a year.
The trouble is, even with its positive elements, part of what BYOD entails is losing complete control over what technology – hardware and software — people in a company are using. That can also create issues that range from irritations to disasters. The following five are some of the toughest issues for IT departments to deal with when it comes to BYOD.
1. Getting a new phone
Letting any device have access to a company network carries risks, but the risks are much bigger with devices employees bring from home — and which aren’t controlled by the company’s IT department.
“Data breaches to sensitive data would be a major concern,” said Louis Weber, a software developer at Defy Media. “This can range from programs that can look for sensitive data, like credit card numbers, social security numbers, and plaintext passwords, and send them home, to software that will encrypt your network drives and hold them ransom.”
Devices brought from home can bring things along with them — like malware and spyware that users don’t know have infected their devices. Connecting those devices to a company’s network creates a security hole through which malware can infect a network or suck up valuable data.
2. Losing your phone
Losing your phone is bad enough, but when you lose a phone you downloaded company data onto, it’s entirely possible that you lost that data too. As noted by data security companies Druva and BitDefender, a lot of employees have access to employer data on their personal devices. BitDefender reported that 71 percent of U.S. employees who have personal devices can link them to employer networks, and half of U.S. employees have employer data on their devices right now.
And, as Druva noted in its studies, of the 70 million personal devices lost or stolen each year, only about 7 percent are ever recovered.
So when a device like a smartphone goes missing, chances are good a company’s data goes with it. Druva reports 65 percent of companies can’t remotely wipe employees’ phones if they’re misplaced, and 76 percent of companies don’t encrypt their employees’ devices. That’s a big gap in the armor. In total, some 60 percent of data breaches are from lost devices, according to Druva.
3. Making bad decisions
Tried-and-true tactics like phishing — malicious attempts to get sensitive data such as passwords by tricking users with something that looks trustworthy — are just as effective on personal devices like smartphones as they have been on computers.
Weber said that when it comes to protecting a company’s data, fraud issues still rank high.
“Smartphones are ‘new’ to the common user, and most phishing or fraud tactics rely on the user’s weak knowledge of the device or programs within,” Weber said. “They (employees) also leave themselves open to receive many types of communications, like SMS, Bluetooth and wireless, with new software protocols that may have vulnerabilities.”
IT staff can combat at least some of those issues by spreading knowledge to less tech-savvy colleagues, Weber said. A good tactic: memos that warn of phishing dangers and other fraud problems, on anydevice.
“Ultimately you have to trust your users to be aware of common fraud and phishing tactics, and that they will practice safe browsing habits whether they’re at home or at work,” Weber said.
4. Falling short on privacy protection
In the U.S., at least, technology is advancing well ahead of the laws meant to govern it, and that can create an ever-changing landscape for businesses to navigate. Druva reports some 25 percent of IT professionals at companies supporting BYOD are confident their organizations are complying with all privacy and data protection laws.
Because workers are using the same devices for personal reasons as well as professional ones, data like health care or human resources information can get passed along with company data. By law, much of that information has to be protected, and that can open up a company to serious liability it might not even know about. As Privacy Rights Clearinghouse points out, the number of laws and their different applications that companies need to be aware of is pretty extensive.
5. Not knowing how your phone actually works
Popular as smartphones, tablets, wearables and other devices might be, it’s probable that many or even most people who own them don’t really know much about them. In fact, a big part of the rise of tablets and smartphones can be attributed to the fact that they “just work” without requiring much technical knowledge on the part of the user.
That lack of knowledge can lead to all sorts of problems. Device software updates can be key to defusing potential security risks as they arise, Weber said. Those updates are useless if the person who owns the device never thinks to download the update. Meanwhile, BitDefender found that approximately two-thirds of employees with smartphones in America don’t know about remote wipe or remote locking functionality on their devices, which are major security features.
A trend that’s here to stay
Whether IT likes it or not, however, the prevalence of the BYOD environment is only going to increase as more powerful technology becomes more useful, cheaper and easier to obtain. The upsides – increased productivity and familiarity with devices – mean businesses will continue to find BYOD useful as it becomes unstoppable.
It seems the best defense is education: Businesses that adopt a clear, comprehensive BYOD policy with useful rules can help employees avoid security issues and protect themselves and the company better.
Interview with Louis Weber, software engineer, Defy Media.
Research: BYOD booming with 74% using or planning to use,” Tech Pro Research, April 2015, http://www.techproresearch.com/article/research-byod-booming-with-74-using-or-planning-to-use/
“The Rise and Risk of BYOD,” Druva.com, April 2015,http://www.druva.com/blog/the-rise-and-risk-of-byod/
“Survey: BYOD security remains spotty, with users unaware or unmotivated about risks,” PC World, April 2015,http://www.pcworld.com/article/2690359/survey-byod-security-remains-spotty-with-users-unaware-or-unmotivated-about-risks.html
“Fact Sheet 40: Bring Your Own Device… at Your Own Risk,” Privacy Rights Clearinghouse, April 2015, https://www.privacyrights.org/bring-your-own-device-risks