Bring your own device - a model with prospects?

For some time now, the trend of using one's private devices for business purposes has been circulating in the corporate world. In addition to the much-discussed advantages and disadvantages of the so-called „bring your own device“ concept, questions about IT security also arise. This blog post will explain how well the BYOD concept can be secured and what possibilities are behind it.

BYOD – simpel erklärt

Bring Your Own DeviceBRing YOur Own DBYOD, or Bring Your Own Device, means exactly what it says: employees bring their own private devices from home to work with them at the company. This means employees have access to company emails, the corporate network, specific applications, and company data using their private devices. For the BYOD concept to work smoothly and securely, a company policy is usually formulated, which specifies the workflows and procedures for private devices.

Opportunities and risks of the BYOD solution

The BYOD (Bring Your Own Device) concept trend brings with it a number of disadvantages alongside some advantages. The following comparison is intended to clarify the extent to which a BYOD concept can affect your company.

Pro BYOD – The Advantages

Starting with your company's most important asset – the team – BYOD can increase the satisfaction of individual team members, as they can use their own, familiar devices, especially among tech-savvy employees. For workers, using their own system offers comfort and a certain user-friendliness, as they are already accustomed to the „look and feel“ and can customise their digital workspace individually. Another argument for the BYOD concept is the partially higher flexibility and mobility, as a portion of work can often be carried out on mobile devices such as tablets and smartphones. Likewise, there is an immediate economic effect for the company: the investment in end devices is eliminated, as are the associated ongoing expenses such as maintenance and repairs.

The advantages of the BYOD concept from a company perspective seem convincing, the costs for IT equipment are wholly or partially outsourced to the employees, and they are also more satisfied. Perhaps it sounds almost too good to be true? It possibly is.

Against BYOD – the disadvantages

Aspects such as security, maintainability and, if applicable, company or industry-specific compliance requirements should be carefully considered when implementing a BYOD concept. This is because a number of pitfalls and significant risk potential lie here.

Private devices are generally subject to the administration and therefore the authority of employees. This means that from a company's perspective, it is difficult or even impossible to enforce that all devices are up-to-date and at the same security level, for example, in terms of the operating system or application software used. Security functions, such as blocking USB ports to prevent malware from being introduced via USB sticks, are also not possible by default.
And what happens if the private device is lost? Was the corporate data on it encrypted? Or is the corporate data now unprotected in the hands of a thief? And who bears the consequences for this, and what do they look like? Another big problem.
Not least is the case where an employee leaves the company – because then there is no way to determine if company internal data may have remained on their private computer; with all the associated risks and also competitively problematic consequences.

Additionally, a completely heterogeneous system landscape arises with different security levels, which cannot be centrally secured and managed in any way. The solution would naturally be that the company is permitted to implement appropriate security precautions on the private end devices of its employees. However, employees, as owners of the devices, will generally not agree to the exclusive management of their private device by the company, meaning a highly problematic security vulnerability remains here.

A kind of middle ground can be found by setting up a kind of „sandbox“ on private devices using specific software provided by the company. This area then exists separately from private data and can be administered and secured by the company's IT department using software management tools.

However, it is important to look closely here too: The essential advantages of a BYOD option are thereby nullified. The licensing and administration costs are borne by the company again and, due to the heterogeneity of the devices, are significantly higher than in the case of managed, standardised company-owned devices. This also means that while employees „physically“ use their own devices, the applications and the operating system in the sandbox come from the company and are dictated by it - and thus the convenience argument no longer applies.

BYOD – sounds good, but it isn't

In conclusion, it can be stated that BYOD as a concept initially seems modern and in tune with the times. However, in a serious corporate environment, IT security dictates framework requirements, which must also be systematically implemented in a BYOD environment. If certification and compliance requirements are added, as often must be demonstrated to external clients, BYOD initiatives must quickly be shelved again, as the resulting liability measures are not justifiable for management.

It is by no means impossible to implement a good and secure BYOD concept in a corporate environment; however, enormous measures are necessary to make such an initiative secure. The initially strikingly convincing advantages are called into question by a whole series of challenges – ultimately, it is a detailed consideration at the individual company level that must take into account technical, security-related, organisational, and economic aspects.

Instead of BYOD – Alternative concepts at a glance

You like the „bring your own device“ concept, but the IT security aspect makes you doubt it? Understandable! That's why there are already alternatives in the BYOD sector that have made it their mission to circumvent the problems of the BYOD concept and mitigate them to an acceptable level.

COPE – explained simply

One of these alternatives is the „COPE“ conceptcCorporation oOwned, pPersonally e(enabled). The devices remain company property, but can also be used privately (usually within the scope of certain usage agreements). This eliminates the complexity of different operating systems and manufacturers, and IT security can be focused on one type of device.

CYOD – simply explained

Another option is the “CYOD“ timetablecChoose yOur own d(device). In this scenario, the devices are also owned by the company, but the type of device can be chosen by the employee(s) (usually from a pool of pre-defined options that comply with company policy). This way, you continue to benefit from user-friendliness without compromising IT security.

Ultimately, the right and forward-thinking path for your company must be considered individually and depends, in addition to the aspects mentioned, on a number of other conditions, such as the industry, the way of working, regulatory requirements, and much more. We would be happy to we to support you in defining and implementing your device strategy. Perhaps a hybrid scenario would be optimal for your company?