The days of spending 40 hours per week using a 15-year-old computer with a blinking monitor are long gone. Office workers around the world no longer have to endanger their health or their sanity. Most forward-thinking companies are happy for their employees to bring and use their own devices.
But for every winner, there’s a loser. While your eyesight might benefit, you could gravely compromise your safety and security by enrolling on a “Bring Your Own Device” (BYOD) scheme. And the dangers don’t stop for you as an employee — your company could be putting itself at risk as well.
What are the security pitfalls of BYOD? In this article, I’m going to discuss why the idea of BYOD is gaining traction, then explain what problems could arise.
What Is BYOD?
BYOD is a catch-all term for a company policy that allows employees to use their own devices to access company data, email, infrastructure, and networks.
The devices can be everything from smartphones and tablets to laptops and projectors. Typically, it refers to any employee-owned device with an internet connection that is connected to a company’s internal network.
Note to all: "BYOD" (bring your own device to work) aka Consumerisation of IT DOES NOT MEAN you bring ur XBox to the office.
— Not Happy, Gladys (@NickHodgeAU) February 10, 2012
The term entered general use in 2009 thanks to Intel, and since then the policy has exploded. The vast majority of the world’s largest companies now offer some form of BYOD, as do thousands of SMEs.
Data suggests uptake of BYOD has been most prevalent in the Middle East where more than 80 percent of the office workers now have access to the policy. Brazil, Russia, India, UAE, and Malaysia are the world’s five leading countries — all boast rates of more than 75 percent. In North America, the rate stands at about 44 percent.
Why Do Companies Like It?
Companies have been quick to adopt BYOD for two key reasons: cost-cutting and productivity.
Cost-wise, companies are be able to save money on hardware, software, and device maintenance. Theoretically, it eases the strain on IT departments that already struggle to keep up with the rapidly changing pace of technology.
From a productivity standpoint, repeated research has shown employees who have access to BYOD policies are happier, more comfortable, and typically work faster.
But everything isn’t rosy. There are potentially some serious security pitfalls both employees and companies need to consider.
Security Pitfalls for Employees
Companies frequently use remote mobile device management software to manage BYOD schemes, but the software is more intrusive then employees might believe. Here are three things you should watch out for.
1. Data Collection
How much data would you be willing to share with your company? For example, would you be happy if your boss knew your entire browsing history? Would you be eager to share your location with your IT department?
The answer to these questions is probably “No,” but according to a report by Bitglass, you might be exposing yourself to these profound invasions of privacy.
“The intent of mobile device management solutions is not to spy on employees but to monitor for things like malware and general security.
But these tools do a lot more. That includes seeing where the phone is located, what apps are on the phone, and even what websites the user was accessing. We could see that some of our employees search for health information on the web.”
— Salim Hafid, Product Manager at Bitglass
Ask yourself this question: do you know what data your company holds about you? Under both U.S. and U.K. law, you have a legal right to see it all. Go and ask your HR department. The results might surprise you.
2. Intercept Personal Communications
While you might not be thrilled at the idea, most of us accept our employers have a right to access and monitor our company email accounts. But what about personal email accounts? Or messages sent via Facebook Messenger? That’s a different matter entirely.
And yet, researchers at Bitglass were able to see all these communications using remote device management software. The report even claimed passwords and bank details were visible.
Of course, companies probably aren’t collecting this data as a matter of course (unless you gave them permission to in the small print of your contract). However, the potential risk should set alarm bells ringing. Would you trust every member of your company’s IT department not to snoop on you? Do you have faith in your business’s security systems ability to prevent hackers from gaining access to the data?
3. Loss of Personal Data
Almost all mainstream remote device management software that companies use can remotely wipe data from a device.
Companies need these safeguards in case you leave the organization. Your employer has to be able to delete sensitive data on managed apps and any database content you might have on your device.
But the device management software doesn’t just have the ability to wipe company-managed apps. It can also delete entire apps and even wipe the whole phone.
As an employee, this means your data is permanently vulnerable to the whims of your company. If you’ve signed a BYOD contract, even something as innocent as accidentally downloading a company file to a non-managed app could give your employers reason to wipe your phone.
Bottom line: Your photos, music, files, and messages are all at risk of being deleted without your consent.
Security Pitfalls for Companies
While most employee risks are mostly privacy-based, the employer risks mainly revolve around security. Here are the three top ways companies are at risk from their BYOD policies.
1. Lost Devices
A company can spend thousands of dollars on the latest security software, but can’t do anything to prevent simple user error.
People lose things, and things get stolen. And if the lost device happens to contain highly sensitive information, it can be devastating for the company in question. Indeed, data suggests more than 60 percent of all enterprise network breaches are due to stolen devices.
A company will argue this is why it needs remote mobile device management software on BYOD gadgets, but employees are likely to push back for reasons I’ve already discussed.
The problem can lead to a stalemate in which neither the employer or employee are happy with the situation.
2. Unsecured Networks
People are going to use their devices on a wide range of networks. And although your home Wi-Fi might be largely safe from criminals and hackers, the same cannot be said for public Wi-Fi in hotels and airports.
Such networks are rich hunting grounds for cyber-criminals. Hackers can lurk in wait for a poorly secured device to log on, then wreak havoc as soon as a connection is made.
Again, the data supports the theory. Estimates suggest hackers target as many as 40 percent of all BYOD devices on a public Wi-Fi network within four months of use.
Companies can protect against these problems with robust security profiling, but do non-tech SMEs have the budget, time, or knowledge to take such steps?
3. Software Updates
The disparity between how different companies release updates can cause problems from companies. For example, look at the difference between Apple’s centralized update process and the fragmented Android approach.
Employees will be using a wide variety of devices, and IT departments have no way of forcing them to upgrade to the latest releases. The same thing applies to third-party apps: how can companies be certain that the app’s code isn’t vulnerable?
Sure, companies can prevent employees with out-of-date software from accessing the networks, but then the employee is going to be unable to do their job. It defeats one of the key original tenets of BYOD: improved productivity.
Are You Worried About BYOD?
I’ve shared the three biggest BYOD security concerns from both and employer’s and employee’s viewpoint.
Of course, there are lots of benefits to the policy, but both parties need to be aware of the risks they are exposing themselves to. At the moment, not enough of the stakeholders possess sufficient knowledge.
Are you an office worker with an unsavory BYOD story to share? Have you encountered a BYOD horror show at your SME? As always, you can leave all your thoughts and opinions in the comments below.
Image Credits: Ryan Jorgensen – Jorgo/Shutterstock