BYOD stands for “Bring your own device” and is broadly used to describe an employer-led strategy that “lets employees use their personal device to work seamlessly across their user space and enterprise workspace” (Chang et al., 2014).

During a particular period in the author’s working career, he could use any device he owned and could operate from anywhere, particularly when working from home, accessing the corporate network through a software solution called Citrix Receiver installed on any of his devices. Another example of BYOD was when visiting a different university: he was able to bring his personal laptop and mobile to lectures and connect to the Wi-Fi to access and collaborate on course material etc.

Generally, it is more convenient to use one’s personal device across workloads, which makes it easier and more flexible to be location independent. For example, working from home on the same laptop that is used in the office is a useful incentive and option for employees.

Additionally, organisational costs can be reduced, as the responsibility for purchasing and maintaining the hardware falls on the employee. Furthermore, there is less need to educate employees on hardware and software configurations with which they are already familiar (Downer and Bhattacharya, 2016).

An interesting aspect of BYOD is its focus on employee empowerment, which has implications for improving productivity, morale and commitment to work (Downer and Bhattacharya, 2016).

Furthermore, there is an increasing shift in some companies to capitalise on employees’ existing knowledge and experience, not only in IT choices, by letting employees manage their own devices and applications, but also in developing and enhancing user-centric knowledge in general, to the betterment of organisational productivity. For example, BYOD has been shown to improve innovation in the workplace by promoting so-called “innovative behaviours” (Köffer et al., 2015), and it can also build trust between employers and employees (Cho and Ip, 2018).

However, with BYOD and its inherent usability comes increased security risk, as “BYOD users tend to choose usability over security” (Chang et al., 2014).

Increasing device diversity and uncertainty mean that existing security mechanisms that control legitimate access while preventing unauthorised access to networks, such as secure authentication, firewalls, VPNs, access control lists and identity management systems, are as crucial as ever (Downer and Bhattacharya, 2016).

With BYOD, there seems to be an increasing adoption of ‘outsourcing’ (Köffer et al., 2015) some of the employer’s security burden onto employees, in exchange for the shared conveniences described previously.

While BYOD has been shown to have a positive influence on employer-employee trust relations (Cho and Ip, 2018), it is in particular the lure of the enhanced user experience and usability afforded by consumer IT that motivates this exchange (Köffer et al., 2015).

There is a need to balance usability and security.

The outcome of outsourcing the security burden, however, depends on the industry, regulatory requirements and the type of “knowledge worker”. Where some industries may exhibit positive outcomes (Köffer et al., 2015), others do not, particularly where the proliferation of options in IT consumerisation can present serious security risks, for example in hospitals (Wani et al., 2019).

Furthermore, BYOD can work against employers where “perceived ease of use (PEOU)” is a factor in BYOD adoption, and the burden of following BYOD policies can also be inhibiting, as described in their study of Perceived Severity (PE), Self-Efficacy (SE) and Perceived Cost (PC) for employees (Cho and Ip, 2018).

The balance between security and ease of use is a slippery slope, as access to poorly designed consumer IT applications can circumvent many of the previously mentioned “Identity, Authentication and Access Control Issues” (Wani et al., 2019, 3.1.1). It has further been shown that in hospitals in the UK and US, “13% of devices owned by clinicians which contain patient data have no form of locking mechanism”, and bad practices such as using shared passwords and using ‘save password’ to avoid repeated logins can “lead to PHI (Public Health Information) breaches”.

VPNs, firewalls and email filtering protect access to the network, though they are ‘biased’ towards protecting the internal network and miss other security threats such as malware, or data leaked by insiders (Downer and Bhattacharya, 2016).

Alternatively, policies such as banning access to public cloud storage providers through a social contract between employers and employees might be effective in the latter case, but they are limited by how strongly they are enforced and can seem draconian, even though they can often be essential (Wani et al., 2019).

Comprehensive security solutions like MDM/MAM/MIM, while offering enhanced degrees of protection, risk hindering adoption because of the threat to employee trust and the privacy concerns they raise (Cho and Ip, 2018), particularly given the difficulty of distinguishing infected data among corporate or private data on devices; these “improved security measures come with a cost, which is usability” (Wani et al., 2019).

IT consumerisation has changed the way people work, and security policies will need to react, adapt and change over time, which means that “employees also need to be constantly updated about the latest security threats and control mechanisms”, just as software needs to be (Wani et al., 2019).

Increasingly intelligent, always-connected and adaptive technologies that communicate among themselves, as seen in routers (STP/OSPF) and in security applications such as the Cisco WSA through its access to Talos threat intelligence, start to behave a lot like people do.

Having multiple varieties of devices owned by a user via BYOD, each with different security profiles and standards and originating offsite, potentially from insecure networks, makes access to internal network resources such as routers and servers from these devices risky.

Enabling SSH on these devices, which provides encryption, trust over an untrusted medium and secure authentication and authorisation, increases the security of the device and adds mobility, flexibility and convenience for network administrators who need to connect to and access network devices, for example from home on a personal device in response to an out-of-hours network incident.

This is strengthened when coupled with per-user, role-based access controls that limit the authenticated user’s resulting functionality to the remit of the employee’s role (authorisation).
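As an added illustration (not taken from the essay or any of the papers it cites), the following Cisco IOS-style configuration fragment shows the two controls just described together: SSH-only management access and per-user privilege levels that confine an on-call role to read-only commands. The hostname, domain, address range and usernames are hypothetical placeholders.

```cisco
! Added illustration, not from the essay or its cited papers: Cisco IOS-style
! configuration implementing SSH-only management with role-based privilege.
! Hostname, domain, addresses and usernames are hypothetical placeholders.
hostname edge-rtr
ip domain-name corp.example
!
! SSH needs an RSA host key; allow SSH version 2 only and limit login attempts
crypto key generate rsa modulus 2048
ip ssh version 2
ip ssh authentication-retries 3
ip ssh time-out 60
!
! Authentication and authorisation decisions use the local user database
aaa new-model
aaa authentication login default local
aaa authorization exec default local
!
! Role-based accounts: a full administrator at level 15 and a restricted
! on-call operator at level 5 (secrets are placeholders)
username netops-admin privilege 15 secret REPLACE-WITH-STRONG-SECRET
username netops-oncall privilege 5 secret REPLACE-WITH-STRONG-SECRET
!
! Level 5 is granted only read-only diagnostics, the remit of the on-call role;
! configuration changes stay at level 15
privilege exec level 5 show interfaces
privilege exec level 5 show ip route
privilege exec level 5 show logging
!
! Only the corporate VPN address pool may open management sessions, so a
! personal device must authenticate to the VPN before it can reach SSH
ip access-list standard MGMT-SOURCES
 permit 10.200.0.0 0.0.255.255
 deny   any log
!
! Management lines: SSH only (telnet refused), source-filtered, idle timeout
line vty 0 4
 access-class MGMT-SOURCES in
 transport input ssh
 exec-timeout 10 0
 login authentication default
 authorization exec default
!
! Remove the unencrypted management alternative
no ip http server
```

Logging the denied sources on the access list gives the operations team a signal for detecting management access attempts from outside the VPN pool.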

References

Chang, J., Ho, P.-C. and Chang, T.-C. (2014) ‘Securing BYOD’, IT Professional. IEEE, 16(5), pp. 9–11. doi: 10.1109/MITP.2014.76.

Cho, V. and Ip, W. (2018) ‘A Study of BYOD adoption from the lens of threat and coping appraisal of its security policy’, Enterprise Information Systems. Taylor & Francis, 12(6), pp. 659–673. doi: 10.1080/17517575.2017.1404132.

Downer, K. and Bhattacharya, M. (2016) ‘BYOD Security: A New Business Challenge’.

Köffer, S. et al. (2015) ‘Innovation Through BYOD?’, Business & Information Systems Engineering. Wiesbaden: Springer Fachmedien Wiesbaden, 57(6), pp. 363–375. doi: 10.1007/s12599-015-0387-z.

Wani, T., Mendoza, A. and Gray, K. (2019) ‘BYOD in Hospitals-Security Issues and Mitigation Strategies’, in Proceedings of the Australasian Computer Science Week Multiconference. ACM, pp. 1–10. doi: 10.1145/3290688.3290729.