The pandemic has changed the working landscape, relocating employees from confined office spaces to their homes. Leaders may think that as long as employees have access to the internet, they can work from home (WFH). And that may be so, technically. Beyond the technicalities, however—and beyond the very real concerns behind preserving the employee experience—WFH is a logistical nightmare that exacerbates concerns over security and compliance.
At the conventional office, organizations spend a significant amount of time and budget to ensure that their infrastructure is secure and as regulatory compliant as possible; the office is, effectively, a highly controlled environment. The moment you send any employee to WFH, you introduce many variables that could have hidden consequences. Questions arise: How secure is the home network? How secure is a personal device? How do you keep corporate data secure on a personal device? How much control does a corporation have over a home network or personal device?
The list goes on. Covering some of these very issues is the following Q&A between Brent Skinner, director and principal analyst for 3Sixty Insights’ HCM practice, and Bill Oliver, a member of the 3Sixty Insights Global Executive Advisory Council and founder of Oliver Advisory Group:
Brent: Bring your own device (BYOD) has been around since the introduction of the Blackberry into the market. However, not all companies had adopted a BYOD policy prior to COVID. How has COVID impacted the perception and adoption of BYOD?
Bill: Right now, the global economy has more people working from their home residence than any time in history, and this is partly due to the global pandemic we are living in. Adding to that, the world is now connected via the internet, and with an estimated 30 billion devices connected, any company that has employees that are using their own devices like tablets, laptops, phones, and home networking equipment (modems and wireless routers) must make sure they have the correct BYOD policy in place to protect their data.
Brent: COVID has also now introduced personal laptops, tablets, and home networks into the picture. What are your thoughts on how this relates to BYOD and corporate control?
Bill: When any organization introduces employees and/or contractors to use their own personal devices and home networks, the organization—for the fact that it is not their device—loses some control. The key is to have BYOD policies that mitigate that loss to some extent. These policies should include the use of mandatory anti-virus and firewall protection, as well as guidelines for keeping up to date on patches for all devices including home wireless routers.
Brent: Lately, there has been a lot of debate around how much control an employer has over an employee. In regard to BYOD, how much is too much control over a personal device by an employer?
Bill: In theory (via policy and monitoring of the device), your employer could have a lot; but in reality, I would say they don’t. From 9 to 5, the employer can see what that employee is doing on that device while they are on the company network, but at 5:01pm, the computer reverts back to the employee/contractor so they can go do whatever they want with it. And with all the “bad actors” in the world and with the computer not being on the company VPN, your control over the device is greatly reduced. As for what constitutes “too much control,” that one is still open for debate.
Brent: There has also been much debate on how to separate personal and corporate data and apps on personal phones and equipment, along with ensuring corporate data and apps are secure. What are you seeing as the trend? And where do you think the line is between too much and too little control over a personal device or network?
Bill: If it is on your devices, it’s hard to separate personal and corporate data from a breach risk perspective. A common workaround would be to use different apps. For example, if you have an iPhone, you could use the Apple default app for your personal email and maybe Outlook for business. Most companies that allow employees and contractors to get their email on personal devices will require you to install a Mobile Device Management (MDM) application, which would give your employer the right to check your phone’s security and, if compromised, to erase the entire phone.
Brent: Are you seeing BYOD as a replacement for corporate-sponsored devices?
Bill: For employees, we are seeing this for cell phones; however, the bigger trend a few years ago was employers handing out laptops for contractors. Now, we are seeing more and more companies not doing this and having contractors use their own laptops, making the employer/company rely on the vendors’ controls around laptops/BYOD.
Brent: Are there any industries whose governing regulations forbid BYOD outright? If so, what’s the rationale? Has COVID changed regulations/thinking within these industries?
Bill: There are some industries that make BYOD very difficult, if not impossible. This would include the defense and intelligence industries, as well as anything in the critical infrastructure space. This is primarily due to the fact that these areas are the most targeted for cybersecurity attacks.
Brent: What are some risks to the business inherent in BYOD?
Bill: The key risk to the organization is that the more you “push” the control to your employees/contractors, the less control you have.
Brent: How can a business mitigate these risks? What are some examples you’ve seen?
Bill: In most cases, a VPN from your device to the company network is a great way to mitigate risk; however, we also need to look at well-documented policies, employee training on what risks are out there, self-auditing and verification that the policies are working. I also suggest running “phishing testing” where you test your employees and contractors on how they implement your company policies on cybersecurity.
Brent: We see BYOD crossing many business units: HR for employee oversight, compliance for regulatory oversight, IT for deployments, and line of business being the end customer. When it comes to a corporate BYOD policy, who is really driving the bus and who really has the final say?
Bill: The overall policy should be driven by risk to your business and data. Your CISO and Audit Executive are the key to developing it and monitoring it. Your HR department is key to rolling it out, and if they are not on the same page, you will have issues.
Brent: What is next for BYOD and your thoughts on the impact between the employer and employee relationship?
Bill: Employees working from home is here to stay, and that will continue to drive BYOD (at least for home networks). The impact on the employer and employee relationship will not fully be known for a few years to come; however, with clear expectations and training, the relationship will hopefully be a good one.
How has your organization overcome the BYOD challenge? We’d like to hear from you, so leave a comment below.