CyberInsights
The blog about your IT security

BYOD: “Bring Your Own Device” – Opportunities and risks for companies

With increased remote working during the ongoing pandemic, the use of private end devices has also become more and more established. Although this solution may initially appear helpful for companies and employees, the concept harbors some risks and dangers for IT security. We show you how the use of your own technical devices can be reconciled with maintaining data security and what companies need to watch out for.

“Bring your own Device” briefly explained

“Bring your own device” – BYOD for short – is a concept from the IT sector that allows employees to use their own technical devices such as laptops and smartphones in everyday business. It is up to them whether they want to accept the offer, for example because they prefer a different operating system privately, or whether they continue to use the hardware and software provided by the company. BYOD should therefore be seen as a supplement and does not represent an obligation; moreover, it is up to the employees themselves to bear the costs for the private devices. In order for both sides to benefit from BYOD and effectively reap the advantages for themselves, some security precautions must first be taken. These include installing the appropriate software on the devices, setting up secure access and adjusting the security settings. This ensures that the risk of shadow IT, i.e. software and hardware that is introduced into the company bypassing the IT department, is minimized and that all devices are adequately protected. It also prevents potential security gaps from the outset.

What you should consider when it comes to data security

Accessing sensitive corporate data from private end devices often poses a risk to a company’s IT security. In principle, any digital device that has a network connection can pose a risk to IT security – whether it is the hardware and software currently in use or legacy devices that are still part of the network. Private devices used in BYOD can only be controlled to a limited extent: after all, they are still used in non-company networks and for private purposes. This increases the risk of malware such as rootkits, and stored company data may be at greater risk of being accessed by cybercriminals. For this reason, companies should develop a comprehensive security concept even before they allow the use of third-party devices. This can include all the security guidelines for use, so that the “bring your own device” concept can be successfully introduced and all risks minimized as early as possible.

BYOD vs. COPE – Opportunities and risks from a corporate perspective

In addition to BYOD, there are other concepts such as “Corporate owned personally enabled” (COPE): Here, employees are also allowed to use the company’s provided end devices privately. With BYOD, however, there are some advantages for companies and employees that should not be underestimated.

Benefits of BYOD

  • For employees: Employees are usually more familiar with their own device and more confident in using it, and private devices are often more powerful than outdated company devices. Because employees have their own devices at home anyway, mobile working according to the BYOD concept is particularly flexible.
  • For companies: The biggest advantage for companies is the cost savings, since the acquisition costs for end devices are eliminated. The increased flexibility of employees also results in a more mobile working environment for managers: Meetings can be planned at shorter notice and can take place regardless of location, without having to provide a large number of required devices. Ideally, higher employee satisfaction through mobile working leads to long-term loyalty to the company.

Disadvantages and dangers of BYOD

Where different end devices and operating systems meet, the heterogeneity and complexity of the IT landscape increases. This gives rise to further risks in terms of cyber security. In addition to consequences such as data loss and hacker attacks, there are also legal consequences if companies violate the General Data Protection Regulation (GDPR, in German DSGVO) applicable in Germany with their BYOD concept. According to the GDPR, for example, no internal company data may be stored on private devices without ensuring its protection. Companies are therefore well advised to take appropriate measures to safeguard this data. Setting up an encrypted cloud is therefore a sensible prerequisite for a successful BYOD concept, as is installing comprehensive virus scanner software on every end device.

Solutions for a secure BYOD concept

In order to develop a secure BYOD concept, there are some important aspects to consider when creating it:

1. Internal company security guidelines

By establishing an in-house security policy, companies can meet the growing demands on data security. The goal should be to clarify essential questions regarding the scope of “Bring your own Device” in the company:

  • What types of end devices (smartphones, tablets, laptops, printers) may be used?
  • What rules apply to passwords? How must they be structured?
  • Which antivirus programs must be installed?
  • How and where is data stored?
  • Are all functions of the device permitted or must, for example, voice assistants be deactivated?
  • Which apps may be used in the work context, are communication apps like WhatsApp permissible?

In order to sensitize employees to the relevance of the above-mentioned points and to the correct handling of confidential data, security awareness training by experienced experts pays off. This enables companies to prepare and execute a secure implementation of the BYOD concept.

2. Creating the basis for safe systems

In addition to security guidelines, companies need a security concept designed for BYOD to ensure that private devices are used in the workplace in accordance with regulations. The IT department must have an overview of devices and applications in use at all times in order to be able to identify and close vulnerabilities in good time. In addition, system interfaces should be secured to ensure maximum security even in a heterogeneous IT landscape and to prevent unauthorized access.

When creating and establishing such a suitable concept, companies can benefit from the expertise of experienced service providers such as DGC. Within the framework of so-called Cyber Security Partnerships, they receive comprehensive support in the introduction of new security standards, which also include the topic of BYOD if required.

3. Encrypt data

To ensure data security, the separation of private and company-related networks must be ensured on the end devices. This can be achieved, for example, via VPN encryption. This enables access to the protected company network and allows users to retrieve and store data securely, regardless of the device’s location. Other encryption tools help to securely upload data to or download data from the cloud – without the risk of interception or viewing cloud content.

Conclusion of “Bring your own Device”

If implemented correctly, a “bring your own device” concept can bring companies more flexibility, cost savings and greater employee satisfaction. However, the company’s IT security must be constantly kept in mind, because the use of private devices also increases the requirements for comprehensive concepts for correct and compliant handling. In this respect, companies are not on their own. Experienced security service providers like DGC provide support in optimizing IT security – also with regard to BYOD.
