The hybrid workplace, with workers switching back and forth between the office and remote locations, offers employees increased flexibility, but it comes with significant security challenges.
Whether or not it is officially allowed, employees often access work-related software and data using a wide range of personal devices, including smartphones, tablets and laptops. The IT department is typically responsible for evaluating and approving devices and software before employees are given the green light to use them. This can be frustrating for some employees who believe the approved devices and software have limitations.
This leads them to connect their own devices or install software on company devices, creating a "shadow" IT system made up of applications and devices installed by employees without approval of the IT department. Examples include accessing team-based productivity apps like Slack or Zoom on their phone, using messaging apps like WhatsApp and Snapchat, plugging in external drives or thumb drives, linking up cloud storage services such as Box or Dropbox, and using communication apps like Skype and Telegram.
Given the unsupervised nature of the remote or hybrid workplace, IT and information security departments have less control over which devices and software are being used to access company networks, software and data. The bring-your-own-device (BYOD) trend, alongside software, applications, cloud services and storage accessible from nearly anywhere, has created increasing concern in IT departments about security and data breaches.
Since the hybrid workplace is not going away any time soon, it is an appropriate time to look at the benefits and risks of BYOD.
The Benefits of BYOD
Research from Gartner revealed that companies that allow BYOD in the workplace are more likely to reduce content sprawl and be more resilient in a post-pandemic world. Employees who are able to use their own devices tend to be more productive and personally satisfied.
Other benefits of BYOD include:
- Greater flexibility and increased mobility.
- Increased efficiency.
- Alignment with current behaviors.
- More devices for employees to choose from.
- Greater trust in leadership.
- Decreased spending on hardware and software licensing.
- Increased employee engagement.
- Reduced device management for business-owned devices.
Through a BYOD approach, costs for hardware and software upgrades have largely been eliminated, said Andy Abramson, CEO at Comunicano, a Del Mar, Calif.-based strategic communications agency. “Most opt for iPhones and only a few buy Androids but the apps we use are available for both operating systems,” Abramson said.
The BYOD approach is also now much less complicated than a few years ago when there were four competing mobile operating systems. Microsoft Windows Mobile and BlackBerry are now missing from the market. “Since the apps are also always updated by the developers to remain current with the OS upgrades we also tend to see less need to support our staff members as much as 10 years ago,” he said.
Abramson said with cloud services and high-speed internet available in most locations, BYOD is now easier to secure and maintain. This approach puts control of files, data and information with the company, and enables IT to remotely wipe the company data without touching the employee’s personal data.
“This is also a big plus and a major change from 10 years or so ago. The ability to manage company data on someone's owned device now means one less concern about data leaks or information getting into the wrong hands,” said Abramson.
The Risks of BYOD
Nonetheless, the new hybrid work model has created or accelerated security concerns and challenges.
Recent research from security provider Bitglass on the security threats companies face with BYOD showed the sudden and swift shift to remote work led to expanding attack surfaces that organizations are largely unprepared to secure.
“Enterprises aren’t only vulnerable to security gaps on BYOD devices, but also completely in the dark on potential security threats,” said Kevin Sheu, the company's senior vice president of marketing.
Sheu said the report was eye-opening because in spite of the fact that 82 percent of organizations actively enable or allow BYOD in some capacity, 51 percent said they have no way of knowing their vulnerability to malicious Wi-Fi on personal devices. Nearly half (49 percent) of companies indicated they are unsure or unable to disclose whether unmanaged devices had downloaded malware in the past 12 months.
Companies must establish security policies and procedures that cover various scenarios, said Avani Desai, president of Schellman & Company, LLC, an independent security and privacy compliance assessor. Given the flexible nature of the hybrid workplace, employees could be working at home, out of the country or even at a coffee shop. “The policy has to address different scenarios which would not ever be a concern if everyone was in the office with corporate assets,” she said.
The widespread acceptance of the hybrid workplace means that companies need to address security measures outside the office. They should inform their employees how to mitigate security risks based on controls in their home. “For instance, if the employee is using a Wi-Fi router at home with the password 'abc123' we need to not only encourage but mandate stronger security practices — practices that may go as far as changing the router passwords every 60, 90, etc. days,” said Desai.
BYOD Security Challenges in the Hybrid Work Environment
Overall, there's a need for companies to more closely monitor network activity and device access, especially when employees are allowed to use their own personal devices remotely or on site.
“In the hybrid workplace, security is no longer tied to a specific location or headquarters, but to employees wherever they are working,” said Sagi Gidali, co-founder and chief product officer at Perimeter 81, an Israel-based secure access service edge platform provider.
In the remote or hybrid workplace, the IT department has to know who is accessing which networking resources 24-7, 365 days a year. This digital transparency must apply to employees who are accessing company data through the cloud, at home or in the office.
“Without complete visibility, it will be very challenging to identify suspicious activity and stop potential data breaches,” Gidali said. He recommended using a Device Posture Security approach that ensures employees can only connect with authenticated devices that comply with security policies.
“This will prevent malicious access and attacks by automatically denying access to insecure or unknown compromised devices on login,” he said.
Because of the flexible nature of hybrid working models, companies have had to reconsider the security aspects of their mobility program, said Joe Boyle, CEO of Chicago-based TRUCE Software, a contextual mobility management provider. Employees want to use their mobile devices professionally, which typically enhances their productivity.
“We know the ubiquity of smartphones continues to influence the way workers want to do their jobs, especially as the way we use our mobile devices personally influences how we want to use them professionally,” said Boyle. “Whether a company allows workers to bring their own device or they issue them, the need to secure endpoints in a hybrid work environment can be a challenge.”
In the Verizon Mobility Security Index published in April, many companies said they felt they were forced to relax their mobile security policies to get employees online during the pandemic, Boyle said. “A big piece of that pertains to getting teams connected on mobile,” he said.
Fluidity is a must when it comes to the dynamic nature of mobile devices, whether they are BYOD or company-issued. Boyle said the modern workforce needs a new contextual model for device management.
“By that, we mean the content and acceptable use of a device matches the employees' situation as it changes throughout their shift based on factors like who is using it, for what, where and when,” he said. “Their permissions and functionality adjust dynamically based on how their movements change and what's happening around them at a given time.”
Don't Overlook Physical Security and Training
Over the last year-plus, companies have learned they can keep business running with remote workers. Now that many workers are coming back to the office, the physical security of BYOD devices must be taken into account.
“One of the most critical and often overlooked complications with BYOD or even hybrid work with a corporate device is the actual physical security of the device,” said Jerry Gamblin, director of security research at Kenna Security, a Santa Clara, CA-based vulnerability management company. “With people commuting and socializing again, the likelihood of lost or stolen equipment becomes a real risk that IT teams should prepare for.”
Other challenges include the facilitation of secure communications and system tracking. At a minimum, all BYOD and corporate systems should require full disk encryption, have system tracking enabled and verified, and require multi-factor authentication to log into the organization’s system, Gamblin said.
“On the policy front, employees should be given clear guidance on what they can and cannot store on the device, as well as best practices for accessing systems remotely or on personal devices,” he added.
That focus on the human element of security should not be overlooked. There's a real need for BYOD training and specific guidelines for employees, especially when so many employees use their mobile devices for both personal and business functions, said Chandrashekhar Basavanna, CEO at SecPod Technologies, an endpoint management, information security and compliance technology solution provider in Bangalore, India.
IT teams must take securing BYOD as seriously as, if not more seriously than, securing company-owned devices.
“As hybrid work becomes the norm, BYOD will become even more commonplace,” Basavanna said. “However, this puts a significant strain on IT since it increases the number of endpoints in an organization’s network that could be potentially exploited by attackers.”
That strain can be at least alleviated, if not minimized, by educating employees. Basavanna suggested educating employees on cybercrime, carrying out hygiene measures like continuous vulnerability assessment and patch management to secure systems from new threats, and ensuring systems follow security compliance policies.
Although the risks of allowing BYOD in the workplace are great, the benefits are greater. With appropriate measures in place, companies can rise to the challenges that BYOD presents and help to create a better employee experience that includes greater flexibility, loyalty, trust, productivity and personal satisfaction, whether employees are working in the office, a remote location or a hybrid of both.