What even is BYOD?

BYOD stands for “Bring Your Own Device,” and it essentially means utilizing your electronic device (as in your personal iPhone or Android phone) to access corporate (you’re employer’s) network resources and assets. Most of the time, it’s referring to an employee’s smartphone, but not always.

When you remotely access organizational resources over a VPN, you introduce your organization to risks when the remote network the employee is connecting from may not be safe or may even be compromised (a home network). The attacker/malware can “ride” the VPN connection into your corporate network leading to disastrous scenarios. Since those remote networks more than likely don’t have the same protections that your enterprise network does, it makes those home and remote networks (and your remote devices) a “softer target” and a much more viable way for an attacker to breach your organization. BYOD is similar in that regard, but instead of having first to breach a remote corporate laptop (which would hopefully be hardened and have modern endpoint security tooling on it), then ride the connection in, a personal device is more than likely not going to have those protections (unless you force it to).

MDM has entered the chat

This is where something called Mobile Device Management or “MDM” comes into play. Forcepoint (2021) has an excellent, simple quote on how this works:

"Mobile device management (MDM) is security software that enables IT departments to implement policies that secure, monitor, and manage end-user mobile devices. This not only includes smartphones, but can extend to tablets, laptops, and even IoT (Internet of Things) devices.

MDM helps ensure the security of a corporate network while allowing users to use their own devices and work more efficiently (Forcepoint, 2021)."

MDM as a technology allows you to force end-user devices to maintain certain device protections if they keep wanting to utilize corporate resources from their personal devices. It can also typically remotely wipe a device, track it down if it was lost or stolen, enforce passcode/password length and strength, and many other things. If you’ve ever worked for a company that allows you to access your email from your personal device, and when you’re setting it up, it uses words like “enroll your device” or “install a profile,” this is what’s more than likely happening.

MDM + written policy?

This type of remote access and device management is crucial in terms of authentication. If an employee’s personal device can access your organization’s assets and information remotely, an attacker can too. Employing MDM, proper authentication, Multi-Factor Authentication, and end-user “soft policies” help ensure your organization stays safe and limits exposure both from a technical as well as legal perspective. One of the most critical “soft policies” or written policies is an end-user agreement. This states that the company can remotely wipe the device if it’s lost or stolen, and the employee has to agree and sign it before they can enroll. This prevents the liability an organization would have if they remotely wiped the device when it was reported stolen, and the employee goes after the organization from a legal perspective. Agreements reduce this legal liability and enforce appropriate use of company assets while accessing them from a personal device.

Personal devices and social media?

In terms of Social Media, as it relates to BYOD, this also appears to fall into the category of policy and law. According to Beygelman (2019), there are some complex intricacies in labor law and protections, especially in terms of unionization and concerted activity. For example, in some instances, a group of employees posting potentially sensitive information to a Facebook group could be considered a type of concerted activity. Much like forming a group or union to tackle an issue with an employer together. Where other times posting confidential information to social media could be a legally fireable offense. Beygelman (2019) goes on to say that it’s crucial for companies to include a social media and confidentiality policy in their BYOD policy but to make sure to specify what’s ok to share and not to share and provide examples of confidential information so that you protect your company from potential labor law violations.

References:

Beygelman, M. (2019, December 29). SOCIAL MEDIA SECURITY RISKS WITH BYOD. CIO Story - Chief Information Officer Story. https://ciostory.com/cxo-perspective/social-media-security-risks-with-byod/

Forcepoint. (2021, May 6). What is Mobile Device Management (MDM)? https://www.forcepoint.com/cyber-edu/mobile-device-management-mdm#:~:text=Mobile device management (MDM) is,manage end-user mobile devices.&text=MDM helps ensure the security,devices and work more efficiently.