7 Unspoken Rules of BYOD Security in the Workplace

Image source: Made with Canvahere

45% of office workers told Cybsafe that cybersecurity warnings and alerts aren't their top priority. Explore seven not-so-obvious rules you should add to your BYOD security policies

Bring your own device (BYOD) programs have become extremely popular as employees increasingly use their personal laptops, smartphones, or USB drives to do their jobs. Now, let’s consider what this potential threat landscape looks like for businesses:

• 97% of Agency survey respondents say they access work accounts on their personal devices. This stat is even higher (99%) for C-suite executives.
• 7 in 10 employees polled by SlashNext store sensitive work information on personal devices. 43% of survey respondents indicated they were victims of work-related phishing attacks.
• 80-90% of the ransomware-related compromises stem from unmanaged devices. In its report, Microsoft indicates that this eye-opening range is likely because these devices have “fewer security controls and defenses.”

The upside of BYOD is that it saves companies money by not having to invest in new equipment, and it's convenient for the staff because they don't have to manage personal and company devices. The downside is that it can negatively impact your organization’s cybersecurity.

Unfortunately, not all organizations have clearly written BYOD security policies and shared use of a device leaves them open to dangerous loopholes and increased cyber risks. Here are several rules that go without saying and should be included in your BYOD security policy. Share them with your employees to protect your organization's sensitive data and reduce the risk of attacks.

7 Unwritten Rules of BYOD Security in the Workplace

Simply assuming that your users won't intentionally or unintentionally expose your organization to security risks because of unspoken rules is a dangerous game. For example, personal devices often don't have the same security standards as company-owned ones. After all, employees tend to use them for more than just work-related purposes, which opens the device up to malware and other threats.

Moreover, users might not be proficient with security practices. On one hand, it's no coincidence that 68% of breaches analyzed by Verizon involved non-malicious human elements, such as a mistake or ignorance. On the other hand, there are devious threat actors who’d love to exploit insecure credentials and do other things to gain access to data on your device or connect through it.

Don't leave anything unspoken. Add the following not-so-obvious best practices to your BYOD security policy.

Utilize Only Approved Devices (And Forbid Jailbroken Devices)

BYOD gives employees more freedom on what device to use for their daily tasks. However, this shouldn’t mean that anything goes. For example, devices should be registered with the company to avoid rogue/shadow IT related issues. Jailbroken devices should be forbidden to avoid the security risks associated with removing certain manufacturer restrictions.

For Employees

We get it. Replacing a smartphone that still works only because it's too old is expensive and harmful to the planet. Doing without that free app that all your friends have because you're using your phone for work isn't fun, either. However, sticking only to approved hardware and software has its advantages. It’ll boost your BYOD security and protect your personal data from breaches.

For Employers

Imagine if your IT support team had to monitor, update, and support every single type of BYOD hardware in addition to their other responsibilities for company-owned equipment. It would be unrealistic and lead to complete utter chaos. Furthermore, giving access to your network to legacy devices with older operating systems and outdated security features would open the floodgates to attackers.

Outline the approved hardware and operating systems limited to the newest generations. Forbid unauthorized software or hardware modifications. Standard and required updates are OK, but downloading custom themes and screensavers from dubious sites is not.

2. Only Use BYOD Devices as Permitted by Company Policies

The BYOD and Acceptable Use policies aren't only a formality. To be effective, they must be known, understood, applied consistently, and enforced.

For Employees

Just because you can access something doesn’t mean you should. For instance, visit only https websites, even for personal use. There's a reason why major browsers display a big warning message when you open an http-only page. (Spoiler: http is an insecure protocol, whereas https is a secure one.) Treat your BYOD device like it’s owned by the company and avoid risky behaviors. It’ll pay off.

For Employers

Don’t take anything for granted regarding security. What’s obvious for you might not be so for others. Clearly define in your policies what is or is not permitted. The National Institute of Standards and Technology BYOD Security Guide includes several useful implementation examples and recommendations.

3. Install Security Software (and Keep It Up to Date)

In 2023, Kaspersky identified over 33 million attacks on mobile devices. This makes it almost a 52% increase year-over-year. Security software will protect your BYOD devices from these attacks.

For Employees

Free antivirus solutions can be fine for strictly personal equipment (though not recommended) but are a big no-no for your BYOD security. This type of software lacks effective advanced threat detection to protect devices, your employer’s network, systems, and data from sophisticated attacks. Invest in paid antivirus software, keep it up to date, and run regular scans.

For Employers

Free antivirus could introduce additional data privacy and security risks due to some providers collecting user data and/or including unwanted adware. Shield your network with firewalls and anti-malware solutions.

Leverage the power of mobile device management software (MDM). It lets administrators remotely update and troubleshoot devices, enforce security protocols and configurations, and regulate access permissions. Mandate the installation of remote-wipe software. This way, if a device is lost or stolen, the organization’s data can be remotely deleted with a click.

4. Use Only Secure Authentication Methods

Specifying strong password guidelines and requirements, along with secure authentication mechanisms, forms the basis of robust BYOD security policies.

For Employees

While recycling is great for the planet, it’s a bad idea for BYOD security. Reusing the same password across multiple accounts is a big no-no because it can be easily “brute forced” if it gets leaked or breached on another account. Also, no matter how much you love your cat, refrain from using his name as a password as it can be easily guessed.

You can't remember all those passwords? Writing them all down isn't necessarily the solution. Use a company-approved password manager instead. Browser password managers aren’t secure enough.

For Employers

Do some of the rules we’ve just listed sound a bit too obvious? You might be surprised how many would prioritize convenience over common sense and security. Add a layer of security and remove the pain of remembering hundreds of passwords with passwordless authentication. Alternatively, implement certificate-based or traditional multi-factor authentication (MFA) whenever possible.

5. Securely Connect Outside the Office

In the last few years, remote and hybrid work has increased dramatically. People are working from literally anywhere, often while using unsecured public internet connections.

For Employees

Sending a confidential presentation to your boss while you're on the train or sipping a cappuccino at your favorite coffee shop can be handy. Still, it isn't a good BYOD security practice if the network isn’t encrypted.

The data could be stolen or modified through a man-in-the-middle attack or cookie poisoning (i.e., session hijacking). Moreover, public Wi-Fi is never secure, not even the one available in the airport’s VIP lounge.

For Employers

Your BYOD security policy should clearly explain how the staff should connect to the firm's resources outside the office. Connections must be encrypted via virtual private network (VPN) when connecting to third-party networks, and employees could use certificate-based Wi-Fi authentication when on your company network. This approach will remove the hassle of remembering yet another password for employees while offering more secure communications all the way around.

Last but not least, remind your employees that transferred files must be encrypted and password-protected. Even the most known software can hide new vulnerabilities. The MOVEit file transfer app's flaw, exploited by attackers in 2023, impacted over 1,000 organizations and 60 million individuals.

6. Download and Install Only Safe Software

Free software can be tempting, but using it often comes with a steep price that isn’t discovered until it’s too late: malware infection risks.

For the Employee

The latest trendy app you've just found on that unofficial site can be fun. Yet, it might contain malicious software. Above all, if downloaded from a dodgy website. Do you only download software from reputable sources? Very good. Beware though. Even trustworthy websites aren’t immune to malware. Further, ramp up your BYOD security by scanning all software apps for viruses before installing them.

For the Employer

Don't let dangerous downloads jeopardize your BYOD security and put your organization at risk of costly data leaks. Allow only company-approved applications signed with a trusted code signing certificate and only from internal and/or reputable sites protected by secure connections (i.e., https).

7. Follow Industry Requirements and Regulations

The European European Union’s General Data Protection Regulation (EU GDPR), the U.S. Health Insurance Portability and Accountability Act (HIPAA), and the Payment Card Industry Data Security Standard (PCI DSS) are just a few of the privacy and security regulations businesses must comply with on a daily basis. And if they don’t, depending on the regulation, there may be costly fines or penalties to pay for noncompliance.

For Employees

Why should you care about these regulations? You are just an employee, after all. Nevertheless, when you're using the same device for both your work and personal life, your sensitive personal information (e.g., online banking credentials and credit card details) is at stake, too.

All a cybercriminal has to do is find one tiny gap in your BYOD security armor and, boom, they hit the jackpot. Exploiting even the smallest vulnerability gives an attacker access to your private and work-sensitive data in one go. Those privacy and security regulations might not be the most exciting topics but knowing them will help keep you and your company out of hot water.

For Employers

Often organizations handling sensitive data assume that once their staff has attended privacy and security regulations training, they've done their bit. Wrong. During their careers, employees participate in all sorts of workshops and training sessions. But many of those lessons sink quickly into oblivion as other priorities and information inundate their minds.

This is why it’s important to spell out these regulations, requirements, and expected practices in your BYOD security policy, and require encryption of all data at rest. It'll help your company avoid hefty fines or penalties for non-compliance, along with avoiding many other security concerns.

Final Thoughts About 7 Unspoken Rules of BYOD Security in the Workplace

A comprehensive BYOD security policy can help you mitigate potential risks by enabling your organization to control access to your systems and data, no matter if the device used is company-owned or employee-owned.

Make sure your BYOD security policy covers the rules you’ve just learned. Educate your employees about these policies and enforce them. It’ll allow you to leverage the benefits of BYOD while keeping your sensitive data and business secure.