The three biggest business risks of BYOD (and why you can’t ignore them)

The bring your own device (BYOD) revolution began long before the first pandemic lockdown. Still, Covid-19 changed everything. Before, the IT department had a choice: outright ban the use of personal devices or lock them down tight with management software.

Then, overnight, the lockdowns forced many office workers into a home-working environment. Even today, we find ourselves in a hybrid-working one.

These changes to how and where people work have brought the subject of using personal devices for work purposes firmly back into the spotlight. And with it, many associated risks.

The goal of this article: to reveal the three biggest risks of BYOD to your business. Ignore them at your peril.

What is BYOD?

Bring your own device (BYOD) is often the term applied to the relatively broad sweep of using personal technology devices for work-related purposes. This could involve bringing a personal laptop into the office or using a personal tablet or smartphone at home but connected to the business network. Where such devices are being used without permission or knowledge of the employer, this is often referred to as shadow IT.

But BYOD isn’t defined by the devices but by the policy. When personal device usage for work-related purposes, in or out of the workplace, is both known and approved within a policy framework, that’s BYOD. And it’s the biggest business risks that such a BYOD policy framework can bring that we are talking about today.

1. The security and privacy risk

Security and privacy are likely the first thing you’ll think of when it comes to BYOD risk. And rightly so. Most security issues on a personal device will be similar to those on a work one: malware, social engineering, credential theft, etc.

Be it a laptop, tablet or smartphone, these devices should be considered endpoints and secured as such. That’s easy for business-supplied devices. It becomes much more complicated when it’s someone else’s device.

There’s another problem too. Every personal device used grows the attack surface for your business. That is, cybercriminals have even more opportunities to look for weaknesses that can be exploited.

For yet more complication, consider that security and privacy issues intersect when it comes to personal devices used for work. The risk of unauthorised access to corporate data, in particular, increases sharply. Everything from malware to carelessness – even device loss or theft – can lead to significant privacy issues.

Most users won’t want their employer to have full visibility of their personal devices, so a compromise must be found. And compromises are never ideal in security terms.

Your BYOD policy needs to address this and, as a bare minimum, outline an acceptable use policy that applies to any enrolled device. You will need a zero-trust stance of “never trust, always verify” when connecting to the business network.

The use of identity & access management tools to authenticate users and devices, then authorise what data and resources they can access, is highly recommended.

2. The compliance risk

It’s easy to dismiss the compliance risk; only regulated industries need worry, right? Of course, wrong. At least, not always.

Certainly, any organisation involved in a sector such as finance or healthcare that requires regulatory compliance will need to make BYOD policy decisions very carefully indeed. But so should those who need to comply with, for example, requirements of a cyber insurance policy provider.

It’s possible to implement a BYOD policy and stay compliant, but it will require additional thought and prudent management of a mature BYOD policy.

To start, this policy should encompass allowed devices and operating systems. It should lay down the law on multi-factor authentication. It should cover privileged access management tools, remote wiping and/or data encryption capabilities (in case of device loss).

The use of mobile device management solutions combined with a strong security policy and mandatory employee training should also be on the to-do list.
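As an added illustration (not code from the article or from any product it mentions), the following Python model shows how the controls listed above combine into the zero-trust device check described under the security risk: enrolment, an allow-list of operating systems and minimum versions, multi-factor authentication, disk encryption and remote-wipe capability are all verified on every access request, and every failing control is reported rather than only the first. The class names, policy values and device records are constructed for the example; a real MDM or IAM platform would supply the posture data.

```python
"""Added example (not from the article): a minimal zero-trust access check
for BYOD endpoints. It models the policy controls the article lists
(enrolment, allowed OS/version, MFA, disk encryption, remote wipe) and
returns an allow/deny decision together with the reasons for a denial.
All policy values and device records below are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class DevicePosture:
    """Attributes an MDM/IAM agent would report for one endpoint (constructed)."""
    device_id: str
    os_name: str
    os_version: tuple        # e.g. (17, 2) for version 17.2
    enrolled: bool           # known to and approved by the business (BYOD, not shadow IT)
    disk_encrypted: bool
    remote_wipe_enabled: bool
    mfa_satisfied: bool      # user completed multi-factor authentication this session


@dataclass(frozen=True)
class ByodPolicy:
    """Minimum OS version per allowed platform plus the controls every device must have."""
    min_os_versions: dict
    require_mfa: bool = True
    require_encryption: bool = True
    require_remote_wipe: bool = True


# Hypothetical policy: only these platforms, at or above these versions.
DEFAULT_POLICY = ByodPolicy(min_os_versions={
    "windows": (10, 0),
    "macos": (13, 0),
    "ios": (16, 0),
    "android": (13, 0),
})


def _fmt(version: tuple) -> str:
    return ".".join(str(part) for part in version)


def evaluate_access(device: DevicePosture, policy: ByodPolicy = DEFAULT_POLICY) -> tuple:
    """Return (allowed, reasons). 'Never trust, always verify': every control is
    checked on every request, and all failing checks are listed, not just the first."""
    reasons = []
    if not device.enrolled:
        reasons.append("device not enrolled (shadow IT)")
    min_version = policy.min_os_versions.get(device.os_name.lower())
    if min_version is None:
        reasons.append(f"operating system not allowed: {device.os_name}")
    elif device.os_version < min_version:   # tuple comparison handles 10.0 < 13.0 correctly
        reasons.append(f"{device.os_name} {_fmt(device.os_version)} below minimum {_fmt(min_version)}")
    if policy.require_mfa and not device.mfa_satisfied:
        reasons.append("multi-factor authentication not completed")
    if policy.require_encryption and not device.disk_encrypted:
        reasons.append("disk encryption not enabled")
    if policy.require_remote_wipe and not device.remote_wipe_enabled:
        reasons.append("remote wipe not available")
    return (not reasons, reasons)


# Constructed sample devices: one compliant, one out-of-date, one never enrolled.
COMPLIANT_LAPTOP = DevicePosture("lap-01", "macOS", (14, 1), True, True, True, True)
OLD_PHONE = DevicePosture("ph-02", "Android", (11, 0), True, False, True, False)
UNMANAGED_TABLET = DevicePosture("tab-03", "iOS", (17, 0), False, True, False, True)


if __name__ == "__main__":
    for dev in (COMPLIANT_LAPTOP, OLD_PHONE, UNMANAGED_TABLET):
        allowed, why = evaluate_access(dev)
        print(dev.device_id, "ALLOW" if allowed else "DENY", "; ".join(why))
```

Returning every failing reason, rather than stopping at the first, is a deliberate choice: it gives the user a complete remediation list and gives the help desk a record of which controls are failing most often across the BYOD estate.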

And if you are working within a regulated industry? It’s still possible to have a BYOD policy, especially as many of the risks will be the same that affect workplace devices, networks and data. But be aware of the additional resources and cost of doing so before embarking down this road.

3. The liability risk

The third biggest business risk of a BYOD policy is all about the money. Not the cost of implementing the policy in the first place but the potentially larger cost of legal liability across numerous scenarios.

We’ve already mentioned regulatory compliance. If there’s a data breach that could have been prevented through a more robust BYOD security policy and processes, the resulting fine will likely be painful. That’s before considering any action from customers or partners impacted by the breach.

Breaches aside, BYOD can throw potential liability curveballs. Does your policy cover your access to an employee’s device, and is such access legal in the relevant jurisdiction? The chances are high that the answer is no. What if your remote management software wipes a device prematurely, wiping an employee’s personal data? Is the business liable to pay damages to the employee?

The takeaway here is that BYOD adds a layer of complexity to the issue of corporate liability, so there should be buy-in from legal teams throughout the BYOD policy creation process.

BYOD: what you must do next

  • Carefully consider if personal device use will benefit your business before determining a BYOD policy framework. Your best option could be to disallow such usage.
  • Any BYOD policy requires careful planning, with buy-in from all relevant parties, including legal. By necessity, it must bring clarity rather than confusion, and simplicity rather than complexity, to personal device use.
  • User education and awareness should form part of your BYOD framework.
  • BYOD policies are there to protect not just your business but your business partners, customers, clients, and your employees. Do not lose sight of this.
  • Think in terms of security and privacy, compliance, and liability. Your policy must be robust enough to mitigate all three risks to your business.
  • A robust BYOD policy is not a magic pill; it must be used alongside and integrated with existing security and business policies.

Davey Winder

With four decades of experience, Davey is one of the UK's most respected cybersecurity writers and a contributing editor to PC Pro magazine. He is also a senior contributor at Forbes. You can find him at TechFinitive covering all things cybersecurity.