As the pandemic lingers, comprehensive research from McKinsey has found that the rise of remote work in advanced economies is an enduring disruption. Not only can it exist without a loss of productivity, but McKinsey estimates that 20-25% of workforces “could work from home between three and five days a week” and that “this represents four to five times more remote work than before the pandemic.” Further, their sample of surveyed executives revealed that, “on average, those leaders planned to cut office space by 30%” now or in the immediate future.
Even before the pandemic, businesses had been refining their use of the technology that’s driving remote and mobile workforce trends. There has been a shift from company-controlled, single-purpose devices to powerful, employee-owned, multi-purpose devices. But businesses wanting to capitalize on the expansion of mobility into work processes and to give employees more digital flexibility face significant challenges.
Rapidly evolving cyber threats and software vulnerabilities have mirrored the explosive growth of work-oriented mobile apps and capabilities on smartphones, mobile devices, wearable technology, tablets, and laptops. Small and medium-sized businesses with few cybersecurity resources are forced to balance inherent risk (or compliance requirements) with exciting new workflows, opportunities, and savings that mobility can bring. Both the benefits and the risks are heightened when employees use their own devices to access company data and systems — that is, when a BYOD (bring your own device) policy is in place.
At least six considerations are fundamental to properly managing BYOD in a work-from-anywhere world. Let’s take a look.
Determine environments and acceptable levels of BYOD access
Balancing employee flexibility and company security starts with considering the user environments and how they may change throughout the day. Who’s using what kind of device, where employees are located physically, what work they’re conducting, and whether their circumstances will change as the day goes on must be considered in determining access levels. Some employees require unlimited access to company data on their personal devices, while some may require minimal access to sensitive data. IT may need to control the apps and stored data employees use and determine to what degree local storage on personal devices is permissible, if at all.
IMPORTANT NOTE: A BYOD policy may not be suitable for all companies, especially those with unique compliance or InfoSec (information security) requirements.
Leverage VPN and anti-virus as a first defense; get a complete view of connectivity
Approaches to cybersecurity are increasingly shifting from a focus on the network perimeter to a focus on robust authentication and authorization for devices, apps, and individual users. A protected network nevertheless remains critical as a first defense in the mobile arena for safeguarding sensitive data. SMBs and mid-sized customers can easily leverage virtual private networks (VPNs) and anti-virus tools to extend protection across BYOD at employees’ home Wi-Fi and public Wi-Fi connections. Employees who access work resources through a VPN, and who run anti-virus tools, have fewer opportunities to expose data.
At the same time, IT teams need a complete view into all of their infrastructure, application, and data connectivity. Clearly understanding how and when devices are connected to systems is a baseline necessity to prevent attacks and prepare for disaster. Therefore, reviewing configurations of infrastructure beyond the network (such as compute instances or servers, databases, storage, and web application firewalls) is also highly recommended.
Trade-off: VPN and anti-virus are critical security elements that an IT organization may insist upon for a BYOD program. For the owner of the device, this may mean giving company IT full access (via an agent) to the device so that IT can manage security and data loss prevention activity.
Use tools and cloud services built to protect mobile work
Called “Enterprise Mobility Management (EMM)”, “Mobile Device Management (MDM)”, or “Unified Endpoint Management (UEM)” solutions, these tools and services have been built specifically to manage and secure work on mobile devices. They are essential for SMBs and mid-sized businesses, and they make BYOD success possible. In this category, services like Microsoft Active Directory enable administrators to create rules to centrally manage users and groups for access and policy control. These rules include:
- Single sign-on
- Multi-factor authentication (MFA)
- Password requirements/bolstering
- Data encryption
- Roll-out of updates and emergency patches
- Policy enforcement for both personal and corporate devices
Microsoft Intune can be integrated with Active Directory to provide mobile device management (MDM) and mobile application management (MAM). This helps organizations control how devices are used, including mobile phones, tablets, and laptops, and ensures that company data on personal devices stays protected and isolated from personal data.
Per the trade-off note above, VPN, anti-virus, and all the access and policy controls provided by a UEM require an agent on the device for the solution to work. If the device owner has privacy concerns about allowing IT to access or control applications on their device, adoption of the UEM tool for that BYOD device is likely to fail, and the company will need to issue hardware and tooling to compensate. Without the UEM tooling on the BYOD device, an IT department will simply not allow access to company resources from it. Despite the evidence that BYOD can save costs, before undertaking a BYOD policy, the company should analyze how users will react to IT policies on BYOD endpoints and whether the savings can actually be realized.
Make sure education and training are ongoing and effective
Every bit as important as adopting the best infrastructure services and tools for BYOD management and security is teaching people how to properly manage security. It’s easy to forget procedures on a machine or within an application, even if a person has successfully executed them in the past. The importance of ongoing education and training to safeguard data and systems cannot be overstated.
Far fewer security incidents are likely when everyone at work:
- Knows the basics of different cyber threats and how they operate
- Knows how to use the tools implemented by the company
- Complies with rules
- Is properly authenticated
- Isn’t leaving laptops and tablets unlocked
- Isn’t sharing work data
- Isn’t afraid to ask questions immediately as they arise
Effective training should occur regularly throughout the year and be reinforced frequently with booster exercises.
Codify it all in a robust, living plan
All the considerations here should be codified in a BYOD implementation plan that is used and reviewed regularly. Clear procedures for mandating data encryption within certain systems, monitoring devices in real time, and much more must be part of that plan. Existing information security and disaster recovery protocols should include and/or cross-reference the BYOD implementation plan.
One of the most obvious expressions of the depth and power of digital transformation is found in our use of personal mobile devices. Their sophistication and ubiquity are part of the here and now — and essential to the future of work. The level of work mobility they enable can feel like a double-edged sword, but, as with much in life, binding flexibility and security together is where we’ll find the sweet spot of optimal business performance.
For more information on how to optimize safe and productive BYOD approaches for your organization, please schedule an appointment with an Infrascale expert.