Should you let employees use personal devices for work? Not before you read this post on BYOD vs CYOD and the impact on your IT security. BYOD is Bring Your Own Device and CYOD is Choose Your Own Device, and the difference between the level of control and security your small business can have with each is night and day.
You’re using BYOD if your employees use their personal phones or personal computers for work.
You're using CYOD if your company purchases, secures and manages the devices your employees use to work remotely.
As IT Consultants focused on cyber security services and IT compliance solutions, we regularly help business owners understand the security gaps present when they allow employees to work off personal devices. This post will help you gain an overview of BYOD.
What Are Common Problems With BYOD?
The BYOD problems are many but in a nutshell, if your organization doesn't secure and manage devices that employees use at home, you increase your risk for viruses and breaches. Here’s why:
- You can control your IT security in the office (or in the cloud using cloud security and management services), but once a user takes their computer home and connects to their personal network, the computer and files are vulnerable because chances are high that their home network security is insufficient.
- User behaviour at home can be more high risk such as using the device for social media, online games, downloading files from various peer to peer networks, or just accidentally clicking malware while browsing entertainment websites where they are commonly found.
- The user can inadvertently or intentionally download client files or contacts that belong to your business. This means that confidential data your business gathered is now available outside your secure domain. It also means that a user could use that data for their own purposes. Most employees are good and harbour no ill will, however insider threats account for nearly one third of data breaches and leaks. These issues occur intentionally and accidentally.
- There is an increased risk of data theft if the user is transporting this device daily and is not using lock screens, strong passwords, or remote data wiping software.
How Is CYOD Better Than BYOD?
Rather than BYOD where a user owns and manages security on a device they use to connect to your business network, with CYOD, your small business owns and manages security on devices which you assign to employees for home or remote use.
By using Identity & Management tools on devices your company owns, you are able to explicitly authenticate every device that attempts to log in to company email or file storage. This greatly improves your IT security. You can also assign permission and conditional access policies to authenticated users to control which resources each employee has access to. This allows you to control who has access to HR files or sensitive client files.
With CYOD, you can also enforce certain computer security measures via policies and improve total IT Security. For example, you can set a policy that requires the device maintain a lock screen to safeguard against unauthorized access and data loss. While this may be possible with some BYOD setups, it most often is not, or very difficult to manage.
Another example - an important aspect of protecting your company’s network is to safeguard it against malicious attacks from malware. With a CYOD setup you can set policies to control the anti-malware software used on all devices. With BYOD, your devices may have no or poor anti-malware installed, or decent anti-malware but a user who forgets to update, all which leave you open to more risk.
CYOD also allows you to apply data loss prevention policies to all your company documents. You can also use digital loss prevention policies whereby you classify and label documents and apply rules to them (i.e never delete files labelled X, or delete all files labelled Y after 6 months etc).
These types of IT security controls are considered best practices for protecting against threats and loss, and are what clients and vendors are looking for when they ask for proof of NIST compliance or other IT security screening measures. Investing in IT security reduces risk and increases opportunities.
Tips To Switch From BYOD to CYOD
If you don’t have any policy in place, setting up CYOD from a clean slate will be easier for your small business. If you are presently using BYOD and are switching to CYOD, here are some tips to help you make the switch.
- If you decide that your users do need to work remotely, then decide on the type and make of devices you need to purchase for your CYOD program.
- Explain to users why CYOD is being adopted and why personal devices will no longer be allowed on the network.
- Create a CYOD agreement which users sign and which outlines security expectations and device care expectations. This document should also include the name and serial number of the device being assigned to the user.
- Set strong password policies for the entire team.
- Set a firm cutover date and advise all employees BYOD devices will no longer be allowed access after that date.
- Consider using professional grade platforms such as Office 365 which allow you to set policies on CYOD devices (i.e. remotely changing the password or access to a device or documents).
- Consider hiring an IT Consultant to help you with your project.
We hope this article helped you decide on if you need employees to be able to work from home or remotely. And we hope it helped you to better understand why CYOD is a better option, even when BYOD looks so much "cheaper" because employees can just use their own devices which they already have.
Toronto IT Consultants: TUCU is an IT Services Company located in Toronto ON, offering SMB IT solutions, including network security assessment, remediation and support, as well as data security solutions such as Mobile Device Management and Identity Access Management to help you control every user account and device that accesses your company data. Contact us to schedule your free consultation. We'll be happy to discuss your needs and help you protect your business from data loss and breach.