Dear Agile Aunt,
I run a small graphic design business just outside of Bristol. I decided to close my business at the start of the lockdown as it seemed like the safest thing to do at the time and we weren’t really equipped for remote working.
However, as the economy has begun to reopen, I want to try and get my staff back to work. The only issue is, while my employees can work remotely in theory, having all their specialized equipment sent out to them will be very expensive and risky.
Some of my furloughed staff members think I should start up a Bring Your Own Devices (BYOD) program as they all have personal devices they could work from, but I’m worried about the safety of my enterprise data if I do.
Am I just being a worrywart? Or am I doing the right thing in fighting BYOD?
- Unsure Manager
Dear Unsure Manager,
Since this pandemic began, everyone has been using the phrase ‘the new normal’. Well, I’ve instead been using the term ‘accelerated normal’, because everything happening would have occurred over the next few years anyway.
And remote working and BYOD initiatives are perfect examples of that.
Even before Covid-19 made businesses everywhere a lot more remote friendly, BYOD had already become a pretty established practice for many organizations, especially the more technically inclined ones. So this isn’t as controversial an idea as it may first seem.
There’re numerous benefits to BYOD that may not only change your mind on the topic, but how you decide to conduct business going forward.
However, it is equally important to understand how BYOD may compromise your security so you can put the best possible measures in place to combat those risks effectively.
1. Understand and address the real risks of BYOD
The main worry when it comes to BYOD is the threat to the business from compromised devices and credentials (stolen passwords). These account for up to 70% of all breaches into businesses.
Once an employee starts using a compromised device to access enterprise applications, cybercriminals can use that entry point to move around the organization – this is known as ‘lateral movement’.
To get around this, many companies have adopted a ‘zero-trust’ approach to BYOD. It works by assuming every device that enters the business environment, whether it be personal or one managed by the organization, needs to first be tested to make sure it is at a sufficient level of security to access company assets.
This can involve looking to see if the device is up to date, whether it has any biometric controls, if it has anti-malware software on it, and so on.
The goal is to put a capsule of trust around every device before you let it into the organization. This means once you have granted it access, you don’t have to create further roadblocks that impair the user experience for your workers.
At Cisco, our approach is to build a series of solutions that enable checks to be made on a device at the time the user logs on to the business network. For example, we check that the user is genuine; whether the device is up to date with its operating system, which is often a weak point exploited by hackers; whether it is a BYOD device or a personal device; which country the user is in; and the time of day of the login. These help us build a picture of the user and the device, and we can set rules as to whether they can access our data or be blocked. In addition, we put an umbrella around the device just in case it has been compromised and we don’t know. This can tell us if the device is “talking” to a bad website and trying to download malware or send out data.
Workers also benefit from this approach as they know if they follow your instructions, it will ensure their device is protected – they’ll always have the right updates and patches. So, it’s a double win.
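The login-time checks described above can be expressed as a small policy function. The sketch below is an added example, not Cisco's product logic or anything from the original column; the field names, minimum OS versions, allowed country list, working hours and the rule treating personal devices more strictly are all assumptions chosen for illustration.

```python
from dataclasses import dataclass

# Thresholds, field names and country codes are assumptions for this example.
MIN_OS = {"windows": (10, 0, 19045), "macos": (13,), "ios": (16,), "android": (13,)}
ALLOWED_COUNTRIES = {"GB"}
WORK_HOURS = range(7, 20)  # 07:00 to 19:59 local time

@dataclass
class Login:
    user_verified: bool   # e.g. password plus a second factor succeeded
    managed: bool         # False means a personal (BYOD) device
    os_name: str
    os_version: str       # dotted string such as "10.0.19045"
    anti_malware: bool
    screen_lock: bool     # PIN or biometric unlock enabled
    country: str          # ISO 3166-1 alpha-2 code
    hour: int             # local hour of the login, 0-23

def parse_version(text):
    return tuple(int(part) for part in text.split("."))

def evaluate(login):
    """Return ("allow" | "block", reasons) for one login attempt."""
    hard, soft = [], []
    if not login.user_verified:
        hard.append("user not verified")
    minimum = MIN_OS.get(login.os_name.lower())
    try:
        current = parse_version(login.os_version)
    except ValueError:
        current = None
    if minimum is None or current is None:
        hard.append("unknown OS or version")  # fail closed on what we cannot assess
    elif current < minimum:
        hard.append("OS out of date")
    if not login.anti_malware:
        hard.append("no anti-malware")
    if not login.screen_lock:
        hard.append("no screen lock")
    if login.country not in ALLOWED_COUNTRIES:
        soft.append("unusual country")
    if login.hour not in WORK_HOURS:
        soft.append("outside working hours")
    # Context signals alone block a personal device at the first hit,
    # a managed device only when two coincide (an assumed rule).
    limit = 2 if login.managed else 1
    if hard or len(soft) >= limit:
        return "block", hard + soft
    return "allow", soft
```

Returning the reasons alongside the decision lets a blocked worker be told exactly what to fix, such as installing a pending update, before trying again.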
2. Freedom of choice breeds empowerment, engagement and agility
Now that we have talked about the risks BYOD poses, it’s equally important we talk about the many benefits that come with allowing your employees to choose the devices they want to use for work.
For one, simply giving employees that choice makes them a lot more comfortable and happier.
It also gives your organization more agility as you can have people start working a lot more easily and quickly in a modern environment. This flexibility extends to the organization as you no longer need to do as many administrative tasks when onboarding a new starter, nor do you have to provide all the equipment, reducing your costs.
BYOD is as much a cultural shift as it is a technological one. There needs to be clear messaging around your BYOD policy and it needs to be understood that the freedom you have given your employees now means they share in the responsibility of keeping the organization safe.
This way, you’re bringing your workers into the IT team because when you give people responsibility, they become more engaged. They know you trust them with the keys to the castle – and they won’t want to let you down.
Don’t fight the future
The reasons for implementing a BYOD policy at work are very clear in my opinion – the flexibility it gives employees reduces stress and makes it easier for them to work. This is a big deal in these uncertain times.
BYOD is going to be a part of the future workplace, so don’t be an obstruction to the progress of your organization. Otherwise, your employees will just find ways around it and you’ll be in an even weaker position.
So instead, embrace it and let it underpin your strategies. Support them with security policies and controls that will help them achieve your business objectives.
Give them the education they need and regularly communicate with them so they can be their best possible selves and elevate your business in the process.