For some time now, there has been a trend in the corporate world to use personal devices for business purposes. In addition to the much-discussed advantages and disadvantages of the so-called “bring your own device” concept, questions about IT security also keep coming up. In this blog post, you can find out how well the BYOD concept can be secured and what options are available.

 

BYOD – simply explained

BYOD (Bring Your Own Device) means exactly what it says: employees bring their own private devices from home to work with them at the company. Employees therefore have access to business emails, the company network, certain applications and company data on their private devices. In order for the BYOD concept to function smoothly and securely, a company policy is usually formulated in which the work processes and procedures for private devices are specified.

 

Opportunities and risks of the BYOD solution

The trend towards the BYOD concept brings with it a number of advantages as well as disadvantages. The following comparison should make it clear to what extent a BYOD concept can affect your company.

 

Pro BYOD – the advantages

Starting with your company’s most important asset – the team – BYOD can increase the satisfaction of individual team members: The reason for this is the use of their own and already familiar devices, especially for tech-savvy employees. For employees, using their own system offers convenience and a certain user-friendliness, as they are already used to the “look & feel” and can customize their digital workplace. Another argument in favor of the BYOD concept is the greater flexibility and mobility, as some of the work can often be carried out on mobile devices such as tablets and smartphones. There is also a direct economic effect on the company side: The investment in end devices is eliminated, as are the associated ongoing expenses such as maintenance, repairs, etc.

The advantages of the BYOD concept from the company’s point of view seem convincing, the costs for IT equipment are outsourced in full or in part to the employees and they are also happier. Sounds almost too good? Maybe it is.

 

Contra BYOD – the disadvantages

Aspects such as security, maintainability and any company or industry-specific compliance requirements should be carefully considered when implementing a BYOD concept. This is because there are a number of pitfalls and a significant risk potential here.

Private devices are generally subject to the administration and therefore the sovereignty of the employees: in. This means that, from the company’s point of view, it is difficult or even impossible to ensure that all devices are up to date and secure, for example with regard to the operating system or application software used. Security functions, such as blocking USB ports to prevent malware from being introduced onto USB sticks, are also not possible by default.
And what happens if the private device goes missing? Was the company data on it encrypted? Or is the company data now unprotected and in the hands of thieves? And who bears the consequences and what do they look like? Another major problem.
Last but not least, the case that an employee leaves the company – because then there is no way of determining whether any internal company data has remained on the private computer, with all the associated risks and problematic consequences in terms of competition.

In addition, this creates a completely heterogeneous system landscape with different security levels that cannot be centrally secured and controlled in any way. The solution would of course be for the company to be allowed to implement appropriate security measures on employees’ private devices. However, the employees, as the owners of the devices, will generally not agree to their private devices being managed exclusively by the company, leaving a highly problematic security gap.

A kind of middle way can be found by setting up a kind of “sealed-off area” (sandbox) on the private devices using specific software provided by the company. This area then exists separately from the private data and can be administered and secured by the company IT department using software management tools.

But here, too, it is important to take a close look: This negates the main advantages of a BYOD option. The licensing and administration costs are again incurred by the company and are significantly higher than in the case of managed, standardized company-owned devices due to the heterogeneity of the devices. This also means that although employees “physically” use their own device, the applications and operating system in the sandbox come from the company and are specified by it – and therefore the convenience argument no longer applies.

 

BYOD – sounds good, but it’s not

In conclusion, it can be said that BYOD as a concept appears to be modern and in keeping with the spirit of the times. In the serious corporate environment, however, the topic of IT security formulates framework requirements that must also be systematically implemented in the BYOD environment. If certification and compliance requirements are added, as often has to be proven in external relationships with customers, BYOD efforts must be quickly shelved, as the resulting liability measures are not justifiable for the management.

It is by no means impossible to implement a good and secure BYOD concept in the corporate environment, but enormous measures are required to make such an initiative secure. The initially strikingly convincing advantages are called into question by a whole series of challenges – ultimately, it is a detailed consideration at individual company level, which must take into account technical, security-related, organizational and economic aspects.

 

Instead of BYOD – an overview of alternative concepts

You like the “bring your own device” concept, but the IT security aspect makes you doubt it? That’s understandable! That’s why there are already alternatives in the BYOD sector that have set themselves the task of circumventing the problems of the BYOD concept and mitigating them to an acceptable level.

 

COPE – simply explained

One of these alternatives is the “COPE” concept (corporate owned, personally enabled). In this case, the devices remain the property of the company, but may also be used privately (usually within the framework of certain usage agreements). This eliminates the complexity of different operating systems and manufacturers and allows the company to focus on one type of device in terms of IT security.

 

CYOD – simply explained

Another variant is the “CYOD” timetable (choose your own device). In this case, the devices are also the property of the company, but the device type can be determined by the employee (usually from a pool of predefined options that comply with the company policy). This allows you to retain the benefits of user-friendliness without sacrificing IT security.

What is ultimately the right and forward-looking path for your company must be considered individually and, in addition to the aspects mentioned, depends on a number of other conditions, such as the industry, working methods, regulatory requirements and much more. We would be happy to help you define and implement your device strategy. Perhaps a hybrid scenario is ideal for your company?