BYOD — if you haven’t heard this acronym before it has nothing to do with a potluck or tailgating — but, then again, it could have implications there if the “D” rings.
BYOD stands for “Bring Your Own Device” and the practice has surged in popularity since the pandemic began. Today, nearly 75% of employees use their personal cell phones for work, according to April 2022 statistics from Zippia.com.
The market for BYOD devices — which include smartphones, tablets, laptops, and other portable, mobile devices — is currently valued at more than $366.95 billion and growing, up from $30 billion in 2014 according to Global Market Insights, an international market research and management consulting company.
Businesses often prefer BYOD instead of purchasing secondary mobile devices for employees to use specifically for work. Besides the cost savings and increased productivity, pushback by some employees about having to manage two devices of the same type have caused them to rethink. But there are risks involved.
“Mobile devices are a huge benefit for businesses,” said Carl Cadregari, CISA, executive vice president, FoxPointe Solutions, which is the information risk management division of The Bonadio Group, located in Pittsford. “Employees can work from the road and work from home, but if you’re allowing BYOD you need to be doing things to protect it otherwise you end up with BYODB – Bring Your Own Data Breach.”
Businesses should determine their mobile device policies by first figuring out whether they will allow BYOD or not. In both cases, businesses need to be extremely clear on the parameters of use and create a policy for mobile device use that spells everything out for their employees. Currently, about 83% of companies have a BYOD policy of some kind, Zippia.com reports.
“A lot of people misunderstand that if they’re using a company-provided phone there’s no expectation of privacy,” said David Wolf, vice president of Just Solutions, Inc., a provider of managed IT services with offices in Rochester and Buffalo.
Companies can put mobile device management software on company phones that will monitor them, control apps, geo-locate the phone, and allow for a complete wipe of the phone’s data from an off-site computer if it gets stolen or compromised. While it’s excellent protection, Wolf cautions against installing software on an employee’s personal phone that they are using for work.
“It’s completely intrusive and we won’t put that kind of software on an employee’s personally owned device if a company asks,” Wolf said.
How can companies protect themselves when an employee uses their own personal device? A lot comes down to education, cybersecurity professionals say.
“The human factor is the weakest link,” Wolf said. “Nowadays the networks and devices themselves are very secure, but downloading an app with malware, for example, still happens.”
Fred Brumm, co-owner with Sue Brumm of Computer Equipment & Technologies Inc. (CETech), a Rochester-based IT services and consulting firm established in 1998, notes that many cyberattacks begin as spear phishing emails, a type of cyberattack that targets specific individuals or organizations with the intent of procuring sensitive information, like account numbers.
Spear phishing is something an employee can fall victim to whether they are on a company-owned device or personal, therefor educating employees about suspicious emails and the importance of “trust but verify” is critical, Brumm says.
CETech regularly holds free cybersecurity seminars for the business community on a vast array of threats and how to protect yourself. Their next one on October 25, co-hosted with the Feltner Group and Secure Network Technologies, will address cyber liability insurance. Cyber insurance is an important tool for businesses should a breach of any kind occur and a form of protection companies don’t want to lose because of repeated, costly claims or not following the many policy requirements.
“Companies are having their cyber insurance policies canceled left and right,” Brumm said. “It’s really important not to lose your cyber insurance.”
It’s also important for businesses to remember that breaches can come from accidents like leaving a device at home or on the road open for others to see and via mobile devices one doesn’t typically consider, such as USB cards and portable hard drives, said Cadregari. He notes that the first thing companies should do to protect themselves from cybersecurity breaches of mobile devices is to have an accurate tracking system for all devices.
“A lot of organizations are good at asset management when a device is over $500, but oftentimes small devices don’t get asset tagged,” said Cadregari, noting that if an unaccounted-for flash drive gets in the wrong hands it too can have dire consequences depending on the information on it.
The second step for companies to protect their mobile assets is to create a data classification system of what needs to be protected and at what level, Cadregari said. He also stressed how to protect it, such as a BitLocker — a full volume encryption feature — on laptops and encrypted thumb drives, phones, and other devices.
“Encryption for mobile devices is a key safe harbor,” he said. “All mobile devices should be encrypted.”
Other tips from these local cybersecurity experts when it comes to mobile device management:
- Make sure your vendors are also maintaining high standards of cybersecurity. – Cadregari
- Utilize multi-factor authorization on mobile devices. – Brumm.
- Be sensitive and aware of other countries’ rules and regulations with mobile devices during international travel, as some counties will take mobile devices temporarily or permanently at the point of entry. – Cadregari
Caurie Putnam is a Rochester-area freelance writer.