Bring your own device — Security considerations for SMEs
Long before the Coronavirus pandemic, many organizations had a ‘bring your own device’ (BYOD) policy, through which employees could carry out their work on their own computer and/or phone.
Why do employers love BYOD?
This had plenty of advantages for the employer, not least because IT hardware is a big cost center. Procuring and maintaining every device centrally means continually purchasing, regularly servicing, and keeping track of expensive assets distributed across the enterprise. Even if this route is chosen to offer consistency — e.g., we all use Lenovo laptops running Windows XYZ at this firm — the practical reality is that people come and go, replacements get bought at different times, and every piece of hardware has a lifecycle and depreciation curve. So, that often means the more senior people are running the oldest devices still sweating out their falling value, while the latest hire gets a shiny new laptop. Software is easy to distribute as a service, but hardware — particularly for main devices like laptops as opposed to communications endpoints — is still lagging, in most cases.
So for the employer, it’s great if the employee brings their preferred tools with them to the job. And while the organization might mandate a minimum specification of working memory and operating system, after that, it’s up to them. Most business software packages are sufficiently platform-agnostic today to run on pretty much anything a team member might choose to provide. You can even keep the Mac vs. Windows contingents equally happy, without suffering any productivity costs in making people work on setups they are not comfortable with — those moments spent searching for the @ key on an unfamiliar keyboard might be brief, but over time they add up, and if someone is using a different setup at home every evening they will never make that crucial muscle memory switchover — so why not simply let them use what they’re used to at work too?
Employees and BYOD
For employees, BYOD is often regarded as a perk, for exactly the same reasons. Being able to use your own familiar tools for work helps with adjusting to a new role and activities, and many people prefer the simplicity of only having to carry and keep track of one mobile phone, for example.
However, it does put the cost and responsibility on their shoulders, and as such it needs to be negotiated as part of an overall employment package, with expectations on both sides made contractually explicit. Frequently a stipend for provision of appropriate tools to carry out the work will be agreed as part of an employee’s overall remuneration for tax efficiency, with them having the individual scope to upgrade the investment personally if preferred.
Go ahead and get the latest shiny thing, if you can afford it…
Assessing risk and implementing BYOD
On the face of it, it sounds exceptionally simple. However, BYOD policies today need to consider a wide range of scenarios and aspects, including:
Servicing, uptime, and SLAs
What happens if the employee’s machine develops a fault and needs maintenance? For a corporate device, it’s easy for a central service plan to be maintained and subcontracted, for on-site repair or replacement within a tight window like 48 hours, ensuring that no one is offline for long in any situation. Is it reasonable to expect an employee to replace a dead MacBook within that timeframe, for example? What if they can’t get an appointment to even have it inspected under warranty within that time, and how about travelling to the Mac store on work time for the support session?
Software installations and updates
How does the responsibility for this balance between the employee and their employer, in terms of keeping the employee’s personal device secure and up to date?
In practice a solution involving a virtual desktop or account on the personal machine solves a lot of this, enabling the employer’s IT admin to have complete control of all software running on that virtual machine. Then they can maintain central responsibility for updates, patches, and protection.
This also solves the issue of shared use. It would not be reasonable, in most cases, to require that an employee provides a laptop for exclusive dedicated work usage, because it’s a personal device, and may also have to be used by others in their household. It is however reasonable to require that the work activity takes place on a private virtual desktop, password protected from any other users — secured at an even higher level if required for the sensitivity of the work to be done, such as with a YubiKey. Furthermore, it is reasonable to require that no business data assets or personal information ever moves out of this secure environment, to any drive (physical or virtual) outside this space.
Corporate access to a private device
With modern device management and the use of virtual desktops, the intervention of enterprise IT on a personal device can now be managed at a highly granular level. However, a lot of places have had BYOD in place for a while and may have older policy documents, or a heavy-handed contract in place, wherein the small print makes for a bit of a shock. It’s not unusual to find that if an employee wants to use their personal phone to access business email, for example, they have to sign away rights to the employer to view/access anything installed anywhere on that handset, personal or private. This is because malware can lurk in deceptive places, not because someone in IT wants to laugh at their selfies. They may also have to consent to the IT department conducting a remote wipe in the event that the phone is lost or stolen — and there is no reason why this cannot be done on a very precise level down to the specific app or data asset compromised, but again contractually the employee will usually be required to waive liability if all their photos are lost by this process, for example, or even the whole phone bricked…
In line with this there will need to be a protocol for termination of employment, and also reporting of loss, in terms of timeframes. Compliance will depend on reasonable expectations here, because no one wants to get their whole phone reset only to find it behind a sofa cushion an hour later.
BYOD in the new normality
Of course, while the whole world worked from home during the coronavirus pandemic, lost devices were less of an issue, or at least you knew it probably was somewhere in that sofa anyway.
But as the world returns to at least some degree of use of shared workspaces, BYOD is likely to come into its own for a number of reasons.
Hybrid working
If you are working a few days at home and a few days in the office, then BYOD makes total practical sense. Rather than try to duplicate work and communications across multiple locations, you can just take it with you. For those returning to business travel, or visits to client sites and meetings, it’s much easier to work from a single phone and keyboard. Even the most cloud-enabled worker is bound to end up with some file stuck on the wrong device and being unable to retrieve it for days, which will have a negative impact on productivity.
However, the data protection and cybersecurity risks are highlighted here, as people may have become less aware of these issues during enforced shelter-in-place. Far fewer thefts and losses took place during this time, and it will be essential for everyone to upgrade their personal situational awareness and attention, as they rejoin the commute.
Biosecurity and shared spaces
As teams come together again to collaborate face-to-face, they will nonetheless want to maintain hygienic practices and social distance in the workplace. This need will be sharpened by a possible greater shared and flexible use of centrally located offices and facilities going forward, with lots of organizations planning to downgrade their overall real estate footprint over the longer term.
What this means is your computer on your exclusively used desk will become a thing of the past for growing numbers of mid-level knowledge-workers, with hot-desking and activity-based collaboration being the way forward.
For reasons of sanitization, most people will be a lot more comfortable using touch-screens on their personally owned phones and keyboards, than sharing with other people. So, it makes sense that they will be bringing with them the same devices they use to work from home on other days, whether or not those are supplied by the employer.
We will also see personal devices being used to control shared installed resources, such as meeting rooms — enabling and activating everything from lighting arrangements to recording and captioning, via apps on their phones. These phones can also engage with beacon-enabled applications used to control numbers and occupation density in shared spaces, to ensure distancing is safely maintained.
Cybersecurity as a service, in BYOD
Above all, it will be essential for organizations to opt for cloud-based software as a service, for secure consistency in collaboration and communications management, as we move towards a hybrid future.
This is simply the easiest way to outsource risk and compliance, while ensuring every colleague has effective support, the latest updates, and total secure access on any device.
For example, the Ringover business cloud phone app can be installed on every phone or laptop the employee wants to use, to enable seamless call handling and performance. No corporate IT admin has to worry about how calls will be routed, or where data is stored, because that is all taken care of within the transparent per-user-per-month subscription: passing calls in real time via the best operator, with all content stored on GDPR-compliant data centers based within the EU, even when the executive making the call is back to seeing clients all over the world.
This subscription model also outsources regulatory compliance by ensuring registration with appropriate bodies, like OFCOM (the Office of Communications in the UK) and ARCEP (the Regulatory Authority of Electronic Communications and Posts in France).
The peace of mind this brings means that within teams, information security awareness training can focus on the human risk elements, the social engineering we can all fall victim to, or the shortcuts. This is important, because although we use sophisticated tools every day for our personal and business communications, we don’t necessarily understand exactly how they work, or what bit of information goes where, why this matters... (Why shouldn’t I BCC that sensitive email to my personal account, so I can read it again later? Well, it might cost you a presidential election, or your employer a data protection breach penalty…)
When Ringover and a network of other secure providers are handling the data pass-through side of things, your employees don’t have to worry about user training on DTLS-SRTP encryption and regulatory compliance, because that is all taken care of. They can focus on things like, is this enquirer who they say they are — have I authenticated them adequately? Is this message really from the company it says it is, and how can I check that before I respond to the urgency it triggers in me?
The future for BYOD — Will the device matter at all?
At the present time we live in a transitional period, from local to cloud-based working. Some enterprises are wholly cloud-enabled, but most of us still personalize the way we interact with the services they provide — from our keyboard preferences and localizations to our storage of things like our photos and passwords.
While manufacturers will continue to entice us to invest in the latest sexy hardware innovations, however, the truth on the software side is that less and less will actually be stored on those devices. EVERYTHING will live online, and it will matter less and less, whether you use a phone your employer bought, or a virtual desktop, or a conferencing system in a shared business center — you’ll have access to all your data assets, logins, preferences, and settings wherever you are, whatever you’re using. And we will soon move beyond requiring individual devices for authentication too, trending towards biometric identifiers: this evolution has suffered setbacks as it was previously focusing a lot on touch-based scanning, but soon we’ll get beyond that, to scanning retinas etc. in a safe touch-free way.
Maybe then our devices will become pure fashion items or personal statements, in the way that many already see them. BYOD will be the only approach which makes sense, but access to business applications will be 100% software controlled.
Until that time, applications like Ringover will help us all navigate the frontiers of the ever-changing hybrid space.