Data Protection Despite
“Bring Your Own Device”
If employees are allowed to use their own electronic devices for work purposes, that’s a so-called “Bring Your Own Device” environment; company data is stored and processed on the personal devices of the staff. As far as instant messaging is concerned, BYOD provides financial and administrative benefits along with increased employee satisfaction.
However, BYOD also bears considerable risks in terms of data protection. Since the personal devices are usually not connected to the corporate IT infrastructure by means of an MDM system, the IT department has no way of managing such devices. For example, it’s therefore impossible to prevent the use of certain chat apps.
Table of Contents
What does “Bring Your Own Device” mean?
“Bring Your Own Device,” or “BYOD” for short, refers to the practice of using personal electronic devices for professional purposes. Employees not only use their own smartphones, laptops, or tablets to access the employer’s business network but also to store company data on hardware they own. Here’s how BYOD compares to other device policies:
- BYOD (Bring Your Own Device): Employees use personal devices for business purposes. The devices can either be managed or unmanaged.
- CYOD (Choose Your Own Device): Companies specify which devices may be used. Employees who own authorized devices can use them to join the corporate network. The company’s IT department manages the business part on the devices (not the users).
- COPE (Corporate Owned, Personally Enabled): The company compiles a list of approved devices, and the employees choose a device, which they may also use for personal purposes.
- COBO (Corporate Owned, Business Only): Employees use company devices for business purposes only.
Each of these strategies has advantages and disadvantages. In this article, you’ll learn everything important to know about BYOD in regard to instant messaging.
Advantages of BYOD in Regard to Instant Messaging
Not every company possesses the financial resources to equip all employees with a smartphone, and not all members of every department are required to own a business smartphone. However, from a company’s perspective, it can still be beneficial to integrate all employees into corporate communication channels (this allows everyone to call, or chat with, any colleague, for example). BYOD is the appropriate device strategy for this scenario.
The advantages of BYOD from both the company’s and the employee’s perspective:
- Expense reduction: With BYOD, there are no purchase costs since no business devices have to be acquired.
- Less administration: There’s no need to set up and manage company devices. Furthermore, there are no licensing costs for an MDM system (unless the BYOD policy requires personal devices to also be connected to an existing MDM system).
- Increased employee satisfaction: Employees can work with devices and systems they know and are already familiar with. Furthermore, there’s no time-consuming onboarding process.
- Greater efficiency and mobility: By allowing employees to use their personal mobile devices for work-related communication, they can complete tasks at any time regardless of their current location.
- Greater efficiency and mobility: By allowing employees to use their personal mobile devices for work-related communication, they can complete tasks at any time regardless of their current location.
- Easy integration of field workers and external parties: Even employees who aren’t present on site or external parties who don’t have access to the company network can become part of the corporate communication channel thanks to BYOD.
Managed vs. Unmanaged Mobile Devices
Unmanaged mobile devices are smartphones that aren’t connected to the corporate IT infrastructure by means of an MDM system. In this case, the company’s IT department has no way to enforce company policies on the device level (for example, it’s not possible to prevent the use of certain apps). Managed devices, on the other hand, allow the company’s IT department to define which apps and activities are permitted. As far as BYOD is concerned, personal smartphones are often unmanaged since managing devices the staff owns may not be in line with privacy regulations and is probably not to the liking of the employees. To find out how you can maintain a certain level of control on the app level, see How to Ensure Security Despite BYOD.Risks of BYOD in Regard to Smartphones
Allowing employees to use personal mobile devices for professional communication can have considerable consequences for companies, especially if there’s no MDM system in place and the devices are not managed.
Data Loss and Insufficient Data Security
In 2018, the cloud service-provider Bitglass conducted a survey of 400 IT experts which yielded the following findings:
-
30% think that BYOD is a major security risk:
- 61% of worry about data loss
- 53% are concerned about data theft and unauthorized access to company data
- 15% of the companies the experts work for don’t allow BYOD
It is a fact that personal smartphones can pose serious security vulnerabilities for companies. For example: If a personal device is infected with malware, it can read the user’s keyboard input, including usernames and passwords. This is how hackers gain access to sensitive company data. Outdated operating systems also increase the risk of successful cyber attacks because hackers can exploit vulnerabilities.
Violation of European Data Protection Regulations
“Bring Your Own Device” may also violate the General Data Protection Regulation (GDPR) if personal data such as contact details of customers or employees are processed and stored on personal, unmanaged devices.
For example, popular US messaging services such as WhatsApp access their users’ address book. Companies must be able to show that their handling of personal data is lawful, which requires considerable effort. In order to avoid legal penalties, a professional business messenger should be put in place.
All Important Facts About EU–US Data Transfer
Read this blog post to find out what companies need to consider to comply with the GDPR: 1 Year Since the Invalidation of the Privacy Shield Agreement: 5 Recommended Actions for Privacy-Compliant and Secure Corporate CommunicationLack of Administration Options
If the mobile devices in a BYOD environment aren’t managed, an important question arises: How can companies enforce their policies and protect corporate data?
Companies must prevent employees from sharing corporate data in apps that are used for personal purposes. Furthermore, employees must be prevented from accessing company data once the employment is terminated.
Extra Work for IT Departments
In a BYOD environment, unmanaged devices not only result in a lack of administration options, they also render it impossible to maintain a consistent IT system. The IT department is confronted with considerable effort due to the various device types that must be monitored for possible vulnerabilities.
How to Ensure Security Despite BYOD
In order to successfully establish the “Bring Your Own Device” policy for instant messaging without compromising security, your company should take the following measures.
Introduce a BYOD Policy
Employees must be made aware of the security gaps their behavior can lead to (for example, if they use Wi-Fi networks that aren’t secure or choose passwords that are easy to guess). An internal set of BYOD rules should cover the following topics:
- What software can/must be installed on the personal device?
- To what extent may the employer access employee devices?
- What actions are required in case employees stop working for the company or start using a company device instead of their own?
A Company Messenger Helps Separating Personal and Professional Communication
For companies, it’s important to make sure that corporate contact data doesn’t get leaked to third parties via personal apps of the employees. By providing an internal messenger, which is solely used for professional communication, companies can make sure that employees don’t have to resort to personal apps.
Shadow IT Poses High Risks
In this blog post, you’ll find out what risks the use of chat apps that haven’t been approved by the IT department can pose for companies: Messengers and Shadow IT: The RisksGood Practice: App Configuration in Threema Work
With Threema Work, your employees benefit from a company messenger for professional communication, and your company benefits from the BYOD advantages while maintaining maximum data security. If no managed devices are used and no external MDM or EMM system is in place, you can use the app configuration in the management cockpit to enforce corporate policies. Various configuration settings allow you to set up the Threema Work app for your users.
To learn more about the extensive configuration options, please refer to the overview of configuration settings and the Threema Work documentation. Or, better yet, try Threema Work yourself.