(written by Mona Brunner, Maren Gräff and Verena Hofmann)
Bring your own device (BYOD) is a concept that allows employees to use their personal devices for work. The most popular devices are smartphones and tablets, but notebooks can be included as well. On their own devices employees can access their work e-mail and calendar as well as other company data.
With BYOD employees choose the device they want to work on themselves instead of picking from the usually limited range of hardware a company offers, which can increase overall job satisfaction. Productivity also tends to rise: people carry their smartphones with them most of the time, see new e-mails and calls immediately and are therefore likely to work in their free time as well. From the company's perspective there is a clear financial benefit too, since the employees pay for the devices themselves.
Risks and Threats
While BYOD has numerous benefits, there are also risks to consider. In a survey by the risk-management network RiskNet, 46 per cent of the companies polled said they see their own employees as the main risk, because employees might download unauthorized applications, visit insecure websites or leave devices unattended. The survey „IT-Sicherheit und Datenschutz 2014“ by NIFIS found that more than 29 per cent of German companies lost business-critical data after allowing BYOD. Data privacy is another important aspect. A company has to ensure sufficient protection against theft, loss and cyber attacks; if it fails to do so it risks contravening Article 30 of the EU Data Protection Law. BYOD can also lead to copyright violations: many software licences permit private use only, not commercial use. To stay compliant the employer has to obtain a licence that allows the software on the employee's device to be used legally for business purposes.
The biggest threat companies face is theft or loss of these devices. Connecting a device to open wireless networks may also allow attackers to eavesdrop on its traffic. Malware is a further significant threat that can do a lot of harm to a business: mobile malware can log, steal and even publish almost everything an employee does on the device. In addition, companies have to watch out for phishing attacks, insecure cloud storage services and other untrusted applications.
On the bright side, there are several approaches to ensuring proper use of BYOD and reducing the risks and threats to a company. One of them is a BYOD policy that governs the use of private devices. It covers the following four points:
- Authority rules: Who in the company has the authority for BYOD?
- Privacy protection rules: How will the privacy of the employees be secured?
- Financing rules: What does the financing program look like?
- Operating rules: How can employees use their private devices in the company as well as in their daily life?
Mobile operating systems also provide several built-in security features. One is the permission concept: every application has to be granted access in advance to core functions of the operating system. Applications are also sandboxed, so they cannot read the data of other apps or modify important system files. Users can additionally encrypt the whole file system. Another very important and simple security function is access protection, which prevents unauthorized use of a device; available mechanisms include PINs, passwords and fingerprint scanners. The two belong together: on current smartphones the file-system encryption key is typically released only after the device has been unlocked, so the encryption is only as strong as the unlock credential, and a short, guessable PIN undermines it.
We have defined guidelines for the company, its employees and the infrastructure on how the use of BYOD can be managed.
Guideline for the company
- Define the aim of BYOD
- Evaluate the risks for the company
- Create transparency by defined rules
- Create technical and organizational conditions
Guideline for the employees
- Take responsibility for the correct use of the devices
- Provide security, for example through spam, malware and virus detection
- Accept the agreements
Guideline for the infrastructure
- Private devices have to be integrated into the security concept and security standards
- Device- and location-independent access, data security and data detection have to be provided
- Define rules for the extent and security of use of all apps and services
These guidelines help companies realize the BYOD approach for their employees and reduce its risks and threats.
In Germany BYOD is currently a big trend among companies. In America, however, the tendency towards BYOD is decreasing because of alternatives such as Leave Your Own Device (LYOD) and Choose Your Own Device (CYOD). With LYOD the employee receives a company device that may also be used privately; with CYOD the employee chooses a device from a list of in-house devices. Since there is still no perfect solution for the security problems of BYOD, it is highly unlikely that every company will offer the concept to its employees in the near future.
Open questions
- What happens to the data and the devices if an employee is suspended or leaves the company? Private devices hold private as well as business data, so the IT department has to choose an approach that deletes only the business data. In most cases the device needs two partitions, but an employee can still save business data on the private partition.
- Who bears responsibility, and who is liable, in case of loss, theft or a security attack? It is extremely important to define this in advance: is it the company because of insufficient control, or the employee because of insufficient protection of the device?
- If a company adopts BYOD completely, will employees be obliged to use their private devices for business?
- Can a complete separation of private and business data be guaranteed?
- In case of loss or theft, who is responsible for erasing the data? And will all data (including private data) be deleted, or only the business data?
- Is it possible at all to develop a secure BYOD concept for a company and its employees? Microsoft has already developed and implemented a BYOD concept; could this be the ideal approach for other companies as well?
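The Go program below is an added example, not code from the original page and not Microsoft's or any MDM vendor's implementation. It models the separation and selective-wipe questions above together with the file-system encryption and access protection discussed earlier: business files live in a work container encrypted with AES-GCM under a key the company controls, while a selective wipe destroys only that key. The Device type, the file names and the file contents are constructed for the illustration; in a real handset the container key would sit in the hardware keystore and be released only after the unlock credential is entered.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// ErrWiped is returned for any access to the work container after a selective wipe.
var ErrWiped = errors.New("work container has been wiped")

// Device is a toy model of a BYOD handset (constructed for this example): a
// private area the employee controls and a work container whose files are only
// ever stored encrypted under a container key held by the OS.
type Device struct {
	private   map[string][]byte // plaintext, outside the company's reach
	work      map[string][]byte // nonce || AES-GCM ciphertext
	container cipher.AEAD       // nil once the container key has been destroyed
}

// NewDevice provisions a fresh 256-bit container key, as MDM enrolment would.
func NewDevice() (*Device, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Device{
		private:   map[string][]byte{},
		work:      map[string][]byte{},
		container: aead,
	}, nil
}

// SaveWork encrypts a business file into the container. The file name is bound
// as associated data, so a ciphertext cannot be moved under another name.
func (d *Device) SaveWork(name string, plaintext []byte) error {
	if d.container == nil {
		return ErrWiped
	}
	nonce := make([]byte, d.container.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return err
	}
	d.work[name] = append(nonce, d.container.Seal(nil, nonce, plaintext, []byte(name))...)
	return nil
}

// ReadWork decrypts and authenticates a business file; it fails after a wipe or on tampering.
func (d *Device) ReadWork(name string) ([]byte, error) {
	if d.container == nil {
		return nil, ErrWiped
	}
	blob, ok := d.work[name]
	if !ok {
		return nil, errors.New("no such work file")
	}
	n := d.container.NonceSize()
	if len(blob) < n {
		return nil, errors.New("truncated ciphertext")
	}
	return d.container.Open(nil, blob[:n], blob[n:], []byte(name))
}

// SavePrivate and ReadPrivate model the employee's own storage, which the company never touches.
func (d *Device) SavePrivate(name string, data []byte)   { d.private[name] = data }
func (d *Device) ReadPrivate(name string) ([]byte, bool) { v, ok := d.private[name]; return v, ok }

// SelectiveWipe is what IT triggers when the employee leaves or the device is
// lost: only the container key is destroyed, which makes every work file
// unreadable without deleting private data. Anything the employee copied out of
// the container beforehand is not covered, which is exactly the gap the text raises.
func (d *Device) SelectiveWipe() { d.container = nil }

func main() {
	d, err := NewDevice()
	if err != nil {
		panic(err)
	}
	// Constructed sample data.
	_ = d.SaveWork("q3-forecast.xlsx", []byte("revenue forecast, confidential"))
	d.SavePrivate("holiday.jpg", []byte("family photo"))
	d.SavePrivate("forecast-copy.xlsx", []byte("revenue forecast, confidential")) // copied outside the container

	d.SelectiveWipe()
	if _, err := d.ReadWork("q3-forecast.xlsx"); err != nil {
		fmt.Println("work file after wipe:", err)
	}
	if v, ok := d.ReadPrivate("holiday.jpg"); ok {
		fmt.Println("private file after wipe:", string(v))
	}
	if v, ok := d.ReadPrivate("forecast-copy.xlsx"); ok {
		fmt.Println("leaked copy still readable:", string(v))
	}
}
```

Destroying the key rather than overwriting files is what makes a remote wipe fast and reliable even when the device is offline afterwards, but the last lines of main show the limit the open questions point to: the company's wipe cannot reach a copy the employee stored on the private partition, so technical separation has to be backed by the policy rules listed above.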
References
Bundesamt für Sicherheit in der Informationstechnik (2013): „Überblickspapier Consumerisation und BYOD“, Internet: https://www.bsi-fuer-buerger.de/SharedDocs/Downloads/DE/BSI/Grundschutz/Download/Ueberblickspapier_BYOD_pdf.pdf?__blob=publicationFile, accessed 20 May 2016.
TrendLabs (Trend Micro) (2012): „BRING YOUR OWN DEVICE: TREND ODER BEDROHUNG“, Internet: http://www.trendmicro.de/media/misc/byod-five-mobile-threats-to-smb-de.pdf, accessed 20 May 2016.
E-Commerce Magazin (2012): „BYOD: Rechtliche Konsequenzen für Arbeitnehmer“, Internet: http://www.e-commerce-magazin.de/byod-rechtliche-konsequenzen-fuer-arbeitnehmer
Kohne, A.; Ringleb, S.; Yücel, C. (2015): Bring your own Device – Einsatz von privaten Endgeräten im beruflichen Umfeld – Chancen, Risiken und Möglichkeiten, Wiesbaden: Springer Fachmedien.
BITKOM (2013): Bring your own Device, Internet: https://www.bitkom.org/Publikationen/2013/Leitfaden/BYOD/130304-LF-BYOD.pdf
Deutschland sicher im Netz e.V. (n.d.): Bring your own Device – Regeln für KMU und Nutzer, Internet: https://www.sicher-im-netz.de/sites/default/files/download/dsin_byod_20130227_web.pdf
RingCentral (2014): Bring your own device trends and benefits, Internet:
Microsoft (2016): Mobile device management at Microsoft, Internet: https://www.microsoft.com/itshowcase/Article/Content/588/Mobile-device-management-at-Microsoft
RiskNet (risk-management network) survey, reported by Computerwoche, Internet: http://www.computerwoche.de/i/detail/artikel/2510205/1/1855333/EL_13349325277423724783271/