BYOD Is More Manageable Today
With a high percentage of workers out of the office more than they are in it, the ability for them to connect to corporate systems remotely is critical for most companies today. Whether working from home or on the road, these remote employees are accessing corporate systems with a growing number and variety of mobile devices, from the newest iPhone or Android phone models to older devices, and from a variety of laptops, tablets, smart watches, and everything in between. Many of these devices are employees’ personal devices, not provided by their employers, which presents a growing number of challenges for so many companies.
This bring-your-own-device (BYOD) trend is not going away anytime soon. Just the opposite: Market research firm Mordor Intelligence estimates the current BYOD market at $114.1 billion and expects it to reach $238.5 billion by 2029, growing at a compound annual rate of 15.9 percent.
For many companies, the reasons for allowing employees to use their own devices are largely financial, according to Mordor. BYOD, the firm says in its report, eliminates the need for companies to purchase and maintain devices for employees, reducing hardware costs and associated expenses. Instead, employees bear the cost of their own devices.
Another driver in the past few years is the increasing adoption and penetration of smart devices, as well as the growing availability of high-speed services, including 5G, by telecom firms.
Telecommunications giant Ericsson expects 5G subscriptions, which numbered 12 million globally in 2019, to top 4 billion by 2027.
THE HISTORY OF BYOD
BYOD’s roots go far back beyond just the past five years. In fact, it’s been nearly 20 years since BYOD was first mentioned in a research paper and nearly 15 since it was first introduced in a meaningful way in the workplace.
Chip and semiconductor maker Intel was one of the first companies to adopt BYOD. In 2009, its employees began using their own mobile phones, tablets, and mobile storage devices on the job. Rather than reject the trend, as many organizations initially attempted, Intel’s senior leaders were quick to embrace it as a means to cut costs and improve productivity.
The practice of BYOD grew steadily for several years as employers became more accepting of the idea and many of the security concerns were addressed. The practice exploded with the COVID-19 pandemic, when workers were blocked from going to the office and had to work from home.
Many of the challenges that first became evident in the early days of BYOD are still there today. They include improving collaboration, making sure that there aren’t silos of information on the various devices, and ensuring data security on devices and applications that aren’t behind company firewalls and network boundaries.
“The continued rise of BYOD has created a set of challenges for organizations in terms of balancing security with convenience,” says Nikolaus Kimla, cofounder and CEO of Pipeliner CRM. “To overcome these challenges, the first thing any organization needs to do is establish a formal policy around approved devices.”
“BYOD is ultimately a matter of clear policy, control, and consent,” adds Richard Sterling, sales director at Certero Software, a software asset management solutions provider. “Any employees wishing to use their own devices would need to agree for their device to come under a degree of corporate control. This is because the business must have visibility and governance over confidential company data, wherever it resides and however it is accessed.”
Another major problem for many organizations is the ability for employees to take corporate information and contacts with them when they leave the company for a job somewhere else. To safeguard against that, experts agree that it is always good to have nondisclosure agreements (NDAs) and noncompete clauses in place. These legal documents, they say, can restrict former employees from sharing confidential information and working with direct competitors for a certain period after leaving the company.
Also, the company should ensure that employees use company-owned accounts for email, calendaring, and other CRM software to collect and store information. This makes it clear that all data collected is the property of the company.
The company should also have clear policies on how collected data should be stored and managed, Kimla says. “Use a centralized CRM system where all information must be entered. This ensures that the data is accessible to the company regardless of employee status. Require employees to transfer any collected data to the company’s central system as soon as possible, ideally in real time or at the end of each day. This minimizes the risk of data remaining solely on personal or temporary devices.”
“The onus is on the enterprise to make sure that they have a robust CRM platform that provides a data repository and a means of collaboration,” says Anurag Lal, president and CEO of Infinite Convergence Solutions, a corporate messaging solutions provider.
Still, not all employees are going to work with company-controlled applications and systems. A salesperson might prefer to communicate with prospects over WhatsApp, for example, and management likely has no insight into what information is shared on that platform.
THE SECURITY STONEWALL
Security concerns were largely the main reason BYOD didn’t take off sooner. Some organizations were slow to add the necessary security to allow the iPhone to safely connect to their networks when the devices first rolled out.
While internal protections have been strengthened, the security of the devices themselves remains a concern to this day.
“As remote work continues to be the norm, companies are increasingly reliant on collaboration, document sharing, and messaging apps,” says Justin Rende, founder and CEO of Rhymetec, a cybersecurity, compliance, and data protection services provider. “Because of this, our workforce has become accustomed to using these sharing and communication platforms freely, but it’s important to note that they weren’t built to be secure at an enterprise level.
“It’s crazy to even imagine, but more than 23 million people still use the password ‘123456’ for online logins. This may seem like such an easy fix, but it’s still a major issue,” he continues. “Compromised credentials are the No. 1 cause of breaches and account for 61 percent of all cyberattacks.”
But it’s not enough to just lay out a set of security protocols. Once a policy is in place, the next step is ensuring that everyone in the organization knows and understands it, Kimla stresses.
Employees should be regularly trained on data protection policies and the importance of handling company data securely, he says. Ensure they understand the procedures for collecting, storing, and transferring data and the consequences of violating these policies.
“This should be coupled with security awareness training highlighting to employees the risks that BYOD can carry and the importance of following the company’s security guidelines,” Kimla adds.
The training should include items like secure passwords and other authentication methods, what phishing is and how to recognize it, and general guidelines about how company data should be handled on personal devices. This could include restricting the downloading of company data onto unmanaged devices.
Companies with particularly sensitive data can implement more rigid conditional access policies that only allow company-managed and -compliant devices to access proprietary data. Companies can also establish policies and configure networks to control and document any remote access to make sure it meets security standards. In addition, they could also consider segregating business information from personal information using containerization or virtualization technologies. Companies could also decide to enforce encryption on personal devices so that sensitive information is still protected if the device is lost or stolen.
MOBILE DEVICE MANAGEMENT
Technology is available to help companies manage their employees’ mobile devices. This includes an entire category of solutions, called mobile device management, with companies like VMware, IBM, Microsoft, Checkpoint Software Technologies, Soti, Scalefusion, Citrix Systems, ManageEngine, Miradore, Hexnode, and Codeproof Technologies among the industry leaders, according to Fortune Business Insights.
The market for MDM solutions is also seeing unprecedented growth, according to Fortune Business Insights, which valued it at $9.4 billion last year and expects it to grow to $12.2 billion by the end of this year and $85.4 by 2032. That growth is expected at a compound annual rate of 27.6 percent.
Despite these numbers, though, these solutions have yet to take hold at many companies. This is due in large part to high implementation costs that are prohibitive for smaller companies, according to Fortune. But with the growing availability of these solutions through cloud deployments, costs and other barriers to implementation are coming down.
“All organizations, regardless of size, should ensure that BYODs are regularly audited and their activity monitored,” Kimla says. This will help with both compliance and early identification of risks.
Another reason that companies and some employees still struggle with BYOD is that while corporate security is certainly critical, employee privacy also needs to be part of the BYOD equation, says Jared Shepard, CEO of Hypori, providers of a secure workspace delivering zero-trust access to enterprise apps and data from any smartphone or tablet.
Since the devices are the personal property of employees, there are times they will be using them for personal purposes, like paying bills, making phone calls and exchanging text messages with friends and family, checking personal emails, and visiting social media sites, all of which have nothing to do with the employer. That information should not be available to the enterprise, Shepard says.
“In the old days of dumb terminals and mainframes, the idea was to reduce costs by not having a completely separate set of compute and storage on edge devices but to allow and enable access to enterprise resources from a point of access,” Shepard explains. “We decided to do the same thing with remote devices.”
While companies like VMware offer virtual desktop infrastructures without requiring additional hardware, many of these weren’t built to work with mobile devices, according to Shepard. Hypori, by contrast, uses a virtual environment with a virtual device that users can access from any edge device. Any communications, including emails, web searches, and connections to corporate systems, are conducted in the virtual environment. The company doesn’t have access to the edge device, and the edge device only has access to the corporate environment through the Hypori platform.
It’s certainly no easy task to keep track of all employees and all devices, but Rhymetec’s Rende offers the following advice:
- Require employees to use a password manager.
- Provide cybersecurity training.
- Remind employees not to open spam emails (yes, this is still a problem).
- Keep devices up to date and pay attention to security alerts.
- Require multifactor authentication for device and corporate system logins.
- Use endpoint management tools.
- Protect personally identifiable information.
Infinite Convergence Solutions’ Lal further suggests the following:
- Educate employees on cybersecurity best practices, potential risks, and different types of phishing scams.
- Deploy fully encrypted communication and collaboration tools to ensure messages and exchanged files are secure at every possible entry point.
- Consider a zero-trust model that limits employee access strictly to the data they need to perform their duties.
While having NDAs, noncompetes, security rules, and other policies in place for personal devices used for work might seem a little heavy-handed and invasive, without it you’re putting the security of your business at risk, Certero Software’s Sterling explains. “Cyberattacks impact share prices. If you’re in a regulated industry, compliance is essential. We would therefore recommend making sure you’re able to manage your devices and software everywhere and [that you have] a clearly communicated BYOD policy that prioritizes the business. If users want to use their own devices badly enough, they can agree to the policy.”
Phillip Britt is a freelance writer based in the Chicago area. He can be reached at spenterprises1@comcast.net.