One of the questions we get asked most when working with customers on their Modern Workplace strategy is how best to approach Bring Your Own Device (BYOD) - whether that means giving employees access to email on their mobiles, or something more involved, such as access for an external partner or consultant.
As you can imagine, this is a minefield of opinions, options, risks and issues, and they are unique not only to the industry you are in but to the types of data you hold and the kind of organisation you are. They don't call it bring your own disaster for nothing!
So, I decided to write up an overview of the risks, issues and options available to you, with some guidance on which of them will help you stay within your risk appetite.
Before I dig into the risks and the options you have to address them, it is worth running through the different patterns and use cases for BYOD, as not all of them are created equal. The first that comes to mind is an employee connecting their email to their personal mobile. Another is a third-party consultancy that needs access to your environment. Each has very different risk factors and should be treated and controlled differently.
The main ones we see 'out in the wild' are:
| Use Case | Description |
| --- | --- |
| Employee Mobile | Users wanting to access email and Teams while on the go. Usually Android or iOS. |
| Employee Own Device | Employees wanting to read email or edit documents on their home PC or Mac. |
| Contractor Own Device | A freelancer who uses their own device and software to deliver a set of outcomes, protected by a contract. |
| Partner/Consultancy Own Corporate Device | A corporate partner or consultancy with an ongoing relationship, supporting and delivering work for or on behalf of your organisation, on devices that partner manages. |
As an organisation, whatever your size, you may have a mix of the use cases above. The more of them you have, the larger the attack surface you must manage and the more risks you face. At the same time, it is a risk-based decision. You may find that providing laptops to several consultants at a partner firm would cost a considerable amount, while the risk is lower because they are a cyber security company delivering a more robust security build for you. Each use case should be considered on its own merits and a pattern chosen for it.
Using personal devices for work expands the attack surface your organisation must control. Personal mobiles, tablets and laptops are often patched less consistently and run consumer apps that can expose corporate data, all of which increases the chance of malware, credential theft or unauthorised access to business systems.
Human error and device loss amplify this risk. A lost or stolen device frequently holds signed-in business accounts and the MFA authenticator that protects them, and such incidents commonly lead to breaches; Verizon's reporting indicates that more than 90% of security incidents involving lost or stolen devices resulted in an unauthorised data breach, with internal actors involved in the majority of those cases.
Real-world statistics show BYOD is a substantial contributor to breaches and operational incidents. Multiple surveys find that close to half of organisations (figures of around 48% are reported) have had a data breach linked to an unsecured personal device in the past year, and roughly 20-22% said that employee BYOD devices had downloaded malware.
Beyond technical compromise, BYOD raises compliance, privacy and legal issues. Personal devices blur the boundary between private and corporate data (which complicates GDPR obligations), create challenges when an employee leaves or is dismissed, and can raise difficult legal questions if the employer needs to inspect or wipe a privately owned device.
It isn't all doom and gloom though - there are obvious benefits to letting employees and partners use more than just a corporate device. I especially like having flexibility in the device I'm using for different tasks. There is nothing worse than being sat at a desk trying to listen to a Teams call when I could quite easily be walking around my living room listening on my mobile. Users often find they are more productive and better able to work around their own commitments when they have the flexibility to choose a device. How many times have you been annoyed at having to sign into a 16:30 call when you could be en route to pick up your kids from after-school club?
There is also a benefit in having partners use their own tools and devices. Not only can they be more productive using their own IP and software, but you as an organisation don't have to run a complicated joiner/mover/leaver (JML) process across several organisations, or buy and manage an inventory of stock for what is typically a shorter lifecycle than one of your employees.
Now this is where the fun part of the blog comes in. What are your options, and how can you approach protecting your BYOD estate? Let's get into it!
Option 1: Don't allow it:
This is probably the one we see the most - and, to be fair, many financial services organisations have their hands tied by regulators here. Granted, it is only as secure as your overall security posture, but you provide every user with the same device and build you give your employees. All your tools, protections and processes work together and you have a good baseline of what your users can and can't see.
The overhead quickly becomes apparent. Managing differing lengths of access, locations and third parties can soon become a cottage industry. However, with a robust framework in place, IT teams have a known attack surface and the same single pane of glass they use for their internal employees.
Option 2: Mobile Application Management:
Now, when it comes to users working remotely, whether they are running for their train or catching up on some emails over the weekend, giving them a way to connect and work the way they want can be a big productivity boost. With Mobile Application Management (MAM), a set of secure policies is applied to supported applications such as Outlook, Teams and OneDrive. These controls let IT admins enforce an app PIN, selectively wipe corporate data (without touching the employee's personal data) and stop files being moved out of the secure container. One caveat: the policy only bites if the sign-in is forced through a protected app, so pair it with a Conditional Access policy that requires an app protection policy; otherwise an unmanaged client simply bypasses the container.
This is a great place to start, as you control which data employees can access while keeping a level of control over how it is accessed.
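To make the three controls concrete, here is an added example (mine, not code from the original post) of the policy body an admin would send to Microsoft Graph to create an iOS app protection policy, alongside a deliberately lax version and a small lint that reports which of the controls above are not enforced. The bundle IDs are the real Outlook, Teams and OneDrive identifiers; the display names and the specific values (six-digit PIN, 90-day offline wipe) are my own choices and assumed to suit your risk appetite.

```python
"""Intune app protection (MAM) policy bodies for iOS plus a lint for the three
controls from the post: app PIN, selective wipe, container egress.
Added example, not code from the original post; values are my own choices."""

# Shape expected by POST /deviceAppManagement/iosManagedAppProtections.
# Durations are ISO 8601: PT30M = 30 minutes, P90D = 90 days.
HARDENED_IOS_MAM = {
    "@odata.type": "#microsoft.graph.iosManagedAppProtection",
    "displayName": "BYOD iOS - corporate data container",
    # 1. App PIN on the container, independent of the device passcode
    "pinRequired": True,
    "minimumPinLength": 6,
    "pinCharacterSet": "numeric",
    "simplePinBlocked": True,
    "maximumPinRetries": 5,
    "disableAppPinIfDevicePinIsSet": False,
    # 2. Selective wipe: corporate data only, triggered after 90 days offline
    "periodOfflineBeforeAccessCheck": "PT12H",
    "periodOnlineBeforeAccessCheck": "PT30M",
    "periodOfflineBeforeWipeIsEnforced": "P90D",
    # 3. Keep data inside the container
    "allowedInboundDataTransferSources": "managedApps",
    "allowedOutboundDataTransferDestinations": "managedApps",
    "allowedOutboundClipboardSharingLevel": "managedAppsWithPasteIn",
    "saveAsBlocked": True,
    "dataBackupBlocked": True,
    "printBlocked": True,
    "contactSyncBlocked": True,
    "managedBrowserToOpenLinksRequired": True,
    "organizationalCredentialsRequired": True,
    "appDataEncryptionType": "whenDeviceLocked",
    # Real bundle IDs for Outlook, Teams and OneDrive on iOS
    "apps": [
        {"mobileAppIdentifier": {"@odata.type": "#microsoft.graph.iosMobileAppIdentifier",
                                 "bundleId": b}}
        for b in ("com.microsoft.Office.Outlook", "com.microsoft.skype.teams",
                  "com.microsoft.skydrive")
    ],
}

# A policy that looks protective but leaves every door open (constructed for contrast).
LAX_IOS_MAM = dict(HARDENED_IOS_MAM, displayName="BYOD iOS - lax",
                   pinRequired=False,
                   allowedOutboundDataTransferDestinations="allApps",
                   allowedOutboundClipboardSharingLevel="allApps",
                   saveAsBlocked=False, dataBackupBlocked=False,
                   periodOfflineBeforeWipeIsEnforced=None)


def review_policy(policy: dict) -> list:
    """Return findings for settings that undermine the PIN, wipe or egress controls."""
    findings = []
    if not policy.get("pinRequired"):
        findings.append("no container PIN: anyone holding an unlocked phone reads mail")
    elif policy.get("minimumPinLength", 0) < 6 or not policy.get("simplePinBlocked"):
        findings.append("weak PIN policy: require at least 6 digits and block simple PINs")
    if not policy.get("periodOfflineBeforeWipeIsEnforced"):
        findings.append("no offline wipe: a lost device keeps corporate data until you notice")
    if policy.get("allowedOutboundDataTransferDestinations") != "managedApps":
        findings.append("outbound transfer open: files can be shared to personal apps")
    if policy.get("allowedOutboundClipboardSharingLevel") not in ("managedApps", "managedAppsWithPasteIn"):
        findings.append("clipboard open: copy and paste into personal apps allowed")
    if not policy.get("saveAsBlocked"):
        findings.append("Save As allowed: documents can land in personal storage")
    if not policy.get("dataBackupBlocked"):
        findings.append("device backup allowed: container data ends up in a personal backup")
    return findings


if __name__ == "__main__":
    for p in (LAX_IOS_MAM, HARDENED_IOS_MAM):
        print(p["displayName"], review_policy(p) or ["ok"])
```

The same `review_policy()` can be pointed at an export of your existing policies (`GET /deviceAppManagement/iosManagedAppProtections`) to catch drift after someone "temporarily" relaxes a setting.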
Option 3: Mobile Device Management:
With Option 2, you create a secure container for your business applications, and policies govern what data goes in and what can come out. However, as we all know, mobile phones are more than just a productivity device into your corporate environment. Alongside the productivity apps sit social media, entertainment and parking applications, each with its own complicated privacy policy and tracking that causes mayhem. This is where Mobile Device Management (MDM) comes in.
If you purchase and own these devices and hand them to your users, you need to be sure they are protected. Here you manage the whole device by enrolling it into your configuration management tool of choice. In this model, administrators have full control over which software is installed and what can and can't be synchronised to which cloud services, and can monitor key usage patterns.
For full control, integrate with tools like Apple Business Manager and Managed Apple Accounts; that lets you use cloud services on the device while keeping enrolment and account lifecycle tied into your JML processes.
This pattern isn't without its downsides, however, as there are limitations to the services available and to usability. Still, it is the one to consider when you need complete control over the data going in and out. You also carry the risk of employees storing personal data such as contacts and photos on a corporate device, which causes governance headaches when they leave or lose the device. Make sure you have a decent set of policies and user training in place to set the scene, so everyone knows the risks and what is expected of them.
Want to build on this? Add MAM on-top for a containerised and managed environment.
Option 4: Cloud Access Security Broker:
The next option is an interesting one. CASBs aren't new technology, but they are gaining popularity. In this pattern you add a policy layer to your identity workflow that evaluates the user's context and applies policy accordingly. An example we deploy is Microsoft's Defender for Cloud Apps. Using API connectors and reverse-proxy session controls, administrators can alert on unusual activity (such as mass downloads), block copy and paste, and even inspect documents in flight and apply Data Loss Prevention (DLP) controls to manage how they are protected.
The other capability here is plugging into supported third-party SaaS applications such as Salesforce, and being able to report on what data is being uploaded and where.
Add to this the integration with Microsoft Edge, and in-line data controls become part of the browser experience, providing a seamless process for your end users.
Where this becomes most powerful is the ability to fine-tune your policies to protect data and applications differently. One example is to allow Outlook Web Access and the opening of non-sensitive files in the browser, while blocking downloads and native applications. Another is blocking access to sensitive Teams sites based on their sensitivity label. With a little thought, administrators can get creative about how they protect data.
Option 5: Business to Business:
In this option, you have an established level of trust with the consulting or business partner organisations you regularly work with to deliver value to your customers. There is often a master services agreement in place, with several engagements running over the years and many employees on both sides working together. These organisations have dedicated support engineers, processes, and their own software and IP that can be used to deliver your projects in the most efficient way.
This is usually managed by following Option 1 - give the consultants accounts in your environment, ship them devices and manage them as if they were your employees. Not only does this make their lives more complicated, the management overhead can be significant. Something as simple as a consultant leaving your partner can be a nightmare for your IT teams to deal with.
Therefore, in this pattern, we often recommend a level of trust backed by audit accountability to keep both sides honest. This is usually managed through comprehensive audit and commercial contracts to protect from a legal standpoint. However, with modern technologies such as Entra ID business-to-business (B2B) accounts, cross-tenant access settings and integration with tools such as Defender for Cloud Apps and Conditional Access, you can consume the device compliance state reported by your trusted vendor's device management platform. Note that the partner's compliance claim is only honoured for tenants you explicitly trust in your inbound cross-tenant settings; without that, a Conditional Access policy requiring a compliant device will block the partner's users even when their devices are compliant.
This also works nicely for user account access, as you can rely on your partner's JML and HR processes to disable access when needed, because it is the guest's home identity that signs in (the guest object in your own directory stays behind, so review stale guests periodically). Bonus points for using Identity Governance (access packages with approvals and expiry) for self-service access, and you are moving to a comprehensive access and compliance strategy where everyone wins.
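Options 2 to 5 all end up being enforced in the same place: Conditional Access. As an added example (not code from the original post), here are the policy bodies for the four patterns in the shape Microsoft Graph accepts, the cross-tenant access setting that makes a partner's compliance claim count, and a small offline evaluator that mimics how Entra stacks policies (every matching policy must be satisfied, and a guest's device claims are only honoured from a trusted tenant). The group names, the partner tenant ID and the evaluator itself are my own simplification; the policy and trust schemas are the real Graph ones.

```python
"""Conditional Access bodies for Options 2 to 5 plus a small offline evaluator.
Added example: a simplified model of how Entra stacks policies, not code from
the original post. Group IDs and the partner tenant ID are placeholders."""
from dataclasses import dataclass

EMPLOYEES, CONTRACTORS, BREAK_GLASS = "grp-employees", "grp-contractors", "grp-break-glass"
PARTNER_TENANT = "00000000-0000-0000-0000-00000000abcd"   # placeholder partner tenant ID
O365 = {"includeApplications": ["Office365"]}
REPORT_ONLY = "enabledForReportingButNotEnforced"        # review sign-in logs before enforcing
MEMBERS = {"includeGroups": [EMPLOYEES], "excludeGroups": [BREAK_GLASS]}

# Bodies for POST /identity/conditionalAccess/policies
POLICIES = [
    {   # Option 2: personal phones, protect the app rather than the device
        "displayName": "BYOD mobile: require app protection policy", "state": REPORT_ONLY,
        "conditions": {"users": MEMBERS, "applications": O365,
                       "platforms": {"includePlatforms": ["iOS", "android"]},
                       "clientAppTypes": ["mobileAppsAndDesktopClients"]},
        "grantControls": {"operator": "OR", "builtInControls": ["compliantApplication"]}},
    {   # Option 3: native desktop clients only from enrolled, compliant devices
        "displayName": "Desktop clients: require compliant device", "state": REPORT_ONLY,
        "conditions": {"users": MEMBERS, "applications": O365,
                       "platforms": {"includePlatforms": ["windows", "macOS"]},
                       "clientAppTypes": ["mobileAppsAndDesktopClients"]},
        "grantControls": {"operator": "OR", "builtInControls": ["compliantDevice"]}},
    {   # Option 4: contractors stay in the browser, proxied through Defender for Cloud Apps
        "displayName": "Contractors: browser session via MDA, no downloads", "state": REPORT_ONLY,
        "conditions": {"users": {"includeGroups": [CONTRACTORS]}, "applications": O365,
                       "clientAppTypes": ["browser"]},
        "sessionControls": {"cloudAppSecurity": {"isEnabled": True,
                                                 "cloudAppSecurityType": "blockDownloads"}}},
    {   # Option 4, other half: contractors get no native clients at all
        "displayName": "Contractors: block native clients", "state": REPORT_ONLY,
        "conditions": {"users": {"includeGroups": [CONTRACTORS]}, "applications": O365,
                       "clientAppTypes": ["mobileAppsAndDesktopClients", "exchangeActiveSync", "other"]},
        "grantControls": {"operator": "OR", "builtInControls": ["block"]}},
    {   # Option 5: B2B guests must come from a device their home tenant reports compliant
        "displayName": "Guests: require compliant device", "state": REPORT_ONLY,
        "conditions": {"users": {"includeGuestsOrExternalUsers": {
                           "guestOrExternalUserTypes": "b2bCollaborationGuest",
                           "externalTenants": {"@odata.type": "#microsoft.graph.conditionalAccessAllExternalTenants",
                                               "membershipKind": "all"}}},
                       "applications": O365, "clientAppTypes": ["all"]},
        "grantControls": {"operator": "OR", "builtInControls": ["compliantDevice"]}},
]

# Body for POST /policies/crossTenantAccessPolicy/partners. Without this the
# partner's "compliant" claim is ignored and the guest policy above blocks them.
PARTNER_TRUST = {"tenantId": PARTNER_TENANT,
                 "inboundTrust": {"isMfaAccepted": True, "isCompliantDeviceAccepted": True,
                                  "isHybridAzureADJoinedDeviceAccepted": False}}


@dataclass
class SignIn:                       # the parts of sign-in context these policies look at
    groups: set
    platform: str                   # "iOS", "android", "windows", "macOS"
    client: str                     # "browser" or "mobileAppsAndDesktopClients"
    app_protected: bool = False     # client is under an app protection policy
    device_compliant: bool = False  # Intune (or the partner's MDM) reports compliant
    guest_tenant: str = ""          # home tenant ID for B2B guests, "" for members


def applies(policy: dict, s: SignIn) -> bool:
    """Does this policy's user, platform and client-app scope cover the sign-in?"""
    c, u = policy["conditions"], policy["conditions"]["users"]
    if s.groups & set(u.get("excludeGroups", [])):
        return False
    ext = u.get("includeGuestsOrExternalUsers")
    in_scope = bool(s.groups & set(u.get("includeGroups", []))) or bool(
        ext and s.guest_tenant and (ext["externalTenants"]["membershipKind"] == "all"
                                    or s.guest_tenant in ext["externalTenants"].get("members", [])))
    plats = c.get("platforms", {}).get("includePlatforms")
    clients = c.get("clientAppTypes", ["all"])
    return in_scope and (not plats or s.platform in plats) and ("all" in clients or s.client in clients)


def evaluate(s: SignIn, policies=POLICIES, partners=(PARTNER_TRUST,)):
    """Return ("allow" | "block", [session controls]); every matching policy must grant."""
    trusted = {p["tenantId"] for p in partners if p["inboundTrust"]["isCompliantDeviceAccepted"]}
    compliant = s.device_compliant and (not s.guest_tenant or s.guest_tenant in trusted)
    satisfied = {"compliantApplication": s.app_protected, "compliantDevice": compliant, "block": False}
    session = []
    for p in policies:
        if not applies(p, s):
            continue
        grant = p.get("grantControls")
        if grant:
            met = [satisfied[ctl] for ctl in grant["builtInControls"]]
            if not (any(met) if grant["operator"] == "OR" else all(met)):
                return "block", []
        mda = p.get("sessionControls", {}).get("cloudAppSecurity")
        if mda and mda["isEnabled"]:
            session.append(mda["cloudAppSecurityType"])
    return "allow", session


if __name__ == "__main__":
    print(evaluate(SignIn({EMPLOYEES}, "iOS", "mobileAppsAndDesktopClients", app_protected=True)))
    partner = SignIn(set(), "windows", "browser", device_compliant=True, guest_tenant=PARTNER_TENANT)
    print(evaluate(partner), evaluate(partner, partners=()))  # trusted vs. not trusted
```

The policies are deliberately left in report-only state: run them that way first, read the sign-in logs for the personas above, and only then flip `state` to `enabled`. The break-glass exclusion is there so the MAM and compliance requirements can never lock you out of your own tenant.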
As with any architecture decision, this requires careful planning and requirements gathering to make sure you not only meet your regulatory requirements but also align with your data classification and user experience needs, tailored to your user base and business strategy. There isn't a one-size-fits-all answer, and most organisations we work with end up delivering a mix of the solutions listed above.
The key takeaways are to keep it as simple as possible and align to your key user personas.
| Use Case | Recommended Technology |
| --- | --- |
| Employee Mobile | Mobile Device Management |
| Employee Own Device | Mobile Application Management |
| Contractor Own Device | CASB for Limited Applications |
| Partner Own Device | Entra ID Business to Business |
When you start building out the capability, don't run before you can walk. We often recommend starting with Option 2, applying MAM policies to a subset of users and productivity applications. While you and your team explore this option, you will build the confidence, policies and processes to move towards a more agile and secure team.
So, with all that said, hopefully you now have a good grasp of the options available to you. Don't be afraid to test the different options with a small subset of users and build out a governance framework that works for your business.