How can businesses redefine their BYOD IT strategy in 2022?


Pandemic “quick fix” BYOD strategies are simply not enough in 2022.

BYOD policies have been a hot topic for a while now, even before the pandemic. But now that the new working norm of hybrid and out-of-office working is here to stay, BYOD strategies need to be reconsidered.

 

Specific examples of BYOD/IT strategies and how these have worked practically, including benefits and drawbacks:

BYOD (Bring Your Own Device) strategies usually work best for organisations when they are limited to mobile phones. After all, the days when employees had a company mobile phone are coming to a close, and for good reason. Most people have their own personal mobile device that can be used for work tasks, so why have two phones?

Indeed, the rise of ‘soft phones’ means that giving out a mobile number over a business number is no longer necessary when dealing with corporate calls or texts. This allows businesses to keep better control of their telephone numbers which are, in effect, company assets.

Also, some employees might feel reluctant to use their phone data for business activities. However, this issue has started to fade, as most phone contracts now include unlimited calls and data bundles. Whilst businesses don’t need to cover the whole cost of data and calls, providing a nominal allowance can be a good way to deal with any reluctance.

 

Is there a flexibility versus security consideration to be had, or is this a false dichotomy?

With a large percentage of workloads, the security that can be implemented on company devices is often significantly greater than on a personal device. However, if businesses want to find a balance between flexibility and security, one option is to choose a CYOD (Choose Your Own Device) strategy, which gives employees a feeling of choice but one that is balanced by the secure controls required by an employer.

That said, we would expect BYOD strategies to be more widespread across businesses in the coming years. This is because more and more applications and systems are becoming either web or cloud-only solutions, particularly as interoperability and usability improve to support a hybrid workforce. Until then, the application stack in organisations isn’t quite where it needs to be.

 

Why are pandemic “quick fix” BYOD strategies not fit for purpose in 2022?

When the pandemic first hit, many organisations rushed into a quick fix by making BYOD arrangements in a bid to keep their staff and their business operating. However, a substantial number of companies simply haven’t re-evaluated their risk profiles since implementing these systems, nor have they evaluated the technical and policy-based controls that are required.

This is a significant concern that organisations should look to address urgently, alongside other measures they should consider taking, such as a review of methodology and ideally bringing in a formal IT security governance framework, such as ISO 27001 or IASME.

 

How can attackers take advantage of vulnerabilities and misconfiguration in devices and networks?

Any significant holes in an organisation’s security will be found and exploited by attackers in the current cyber threat landscape. These vulnerabilities may be as small as a simple missing security patch, an insecure home or public WiFi network, a misconfigured local firewall, or even an employee who is unaware of current threats. Whichever gap in security it is, a hacker or one of their automated systems will find it, especially as they are incentivised by financial gain. Indeed, the global cybercrime industry is now worth over £6 trillion, three times the size of the crypto market, so companies have everything to gain from investing in their IT security to protect themselves from cyber threats.

 


Where are we with Remote Access?


Remote access to internal IT systems is still a big enabler for any sized business. Business is no longer 9-5, and staff are no longer just sat in the office. The world has changed, so surely remote access has as well? Well, not as much as you’d think, but bandwidth has dramatically improved, as has its cost and ease of access. You can get a decent internet connection virtually anywhere in the world; this has made remote working productive and cost-effective.

What remote access technologies currently exist?

In reality, the technologies haven’t really changed much over the last 10 years. There’s a lot of hype surrounding numerous technologies, but at their root, they aren’t particularly new.

I’d say that we are generally seeing the decline of traditional client-VPN technologies (SSL and IPsec) to access files and folders, where you have an application loaded onto a PC/laptop/tablet and you connect to a corporate network. They are typically cumbersome and problematic to support. I would add that this has changed a little with the rise of WAN accelerators and solutions such as Microsoft OneDrive, but it can still be a little cumbersome to manage.

You will find that a large percentage of corporate applications have web-based front-ends these days. These are often more or less indistinguishable from applications installed on the desktop, feature-rich and simple to support. They typically lend themselves well to being published over the internet for roaming workers to access. A typical example of this would be Microsoft’s Outlook Web Access.

A favourite technology for remote access and general working is thin client. There isn’t really much difference in the method of access between internal IT systems and cloud-based ones.

Is it all about the cloud?

The cloud is generally remote computing, and thus remote working. However, corporations have been working to this model for decades, with satellite offices accessing systems in remote headquarters on the other side of the world. Now, because somebody put a shiny new cover on it, everyone thinks cloud technology is all new. It’s not new, and neither is cloud always the answer. If you have systems internally that you want to access remotely, it’s usually quite a straightforward exercise. That’s not to say that the cloud isn’t the answer to many business requirements; it’s just unlikely to be justified on remote working alone.

The risks of BYOD

We hear about BYOD (Bring Your Own Device) daily: accessing corporate systems with a user-owned device. However, it will typically incur greater IT management, integration, administration and IT security costs. At least, it should do if implemented correctly (at this point in time) to remove any security risks, because you aren’t going to accept significant risk within your business. If a business doesn’t own a device, it can’t really control it. You can’t stop third parties from accessing the device, or stop dangerous software from being installed on it and circumventing corporate security; it’s as simple as that. Yes, you can get encapsulation technologies that act like a secure operating environment on a device, but I’m still cautious. I’d still use these technologies, but with a corporate-owned device.

I’m a bit more of a fan of CYOD, or Choose Your Own Device. This is where an employee can select a device from a pre-authorised list, easing support overhead and ensuring productivity. Have you ever actually really tried to use an iPad productively? It just doesn’t compete with, say, a laptop. However, they are fine as additional devices for intermittent emailing and reading on the fly, etc. I also find that CYOD does help staff morale. It’s nice to have a choice, and computing devices bring up similar emotions to being given a company car.

Also, I should note that it was only a few years ago that everyone was talking about increasing productivity within the workplace through IT. Can you really do that when everyone’s walking around with their own mobile devices hooked up to the internet with a 3G card? I understand there are always exceptions, but generally the money saving case will not stack up under scrutiny.

In the press: How breaches are paving the way from BYOD to CYOD policies

Cyber-security has returned to national front pages again this last year. Heartbleed & CyberVor are now common terms, whilst high-profile breaches of the likes of major digital retailers eBay and Apple raise very big questions about security in the digital age.

What does this mean for field service companies who not only hold vast amounts of customer data, making them prime targets for hackers, but are also moving their mobile workforces swiftly to a digital environment where they can reap the rewards of better productivity?

As news broke of the world’s largest-ever data theft, conducted by the Russian cybercrime group dubbed CyberVor, we once again turned our attention to the question, “are our companies safe from cybercrime?”

All businesses with a digital presence waited with bated breath to learn if their users were affected by this reported attack. In some quarters people denied that an attack of this magnitude was even possible and questioned the validity of the claims; others saw it as a defining moment demarcating the size of risk we all face today.

“It’s a nasty reminder of the cyber risk threat which organisations face in 2014 and the need for boards to be prepared for attacks such as this,” commented James Mullock, Partner at law firm Osborne Clarke.

Daniel Hedley, solicitor and technology specialist at Thomas Eggar LLP agrees, “From a business perspective, the key issue here is simply this: Who has your data? How much do you trust them to keep it safe? Businesses can face significant legal and reputational risks when they lose data, both under data protection legislation and under contractual confidentiality obligations such as NDAs. It’s therefore very important for businesses to know where their data is.”

Of course, perhaps the highest profile security breach in recent months is the failure of Apple’s iCloud, which even left a dark shadow over the launch of the latest iPhone.

Robert Rutherford, CEO of IT consultancy QuoStar, commented: “The theft of personal photos from celebrity accounts has focussed the spotlight on the company’s approach to security, and has raised concerns.”

“The problem is that whilst dispensing token security improvements with one hand, Apple has denied any responsibility for the breach with the other. The resulting image is one of a company that deliberately avoids transparency around its security practices and glosses over its mistakes.” Rutherford continued.

But whilst leaked photographs of naked celebrities don’t instil confidence, Apple’s iCloud is consumer-based storage, so how does this impact the business community?

As Hedley explains, “While it is true that businesses will not generally choose a consumer-focused cloud service such as iCloud, in this age of staff using their own devices for both work and personal use, it is very easy for confidential business data to end up being uploaded to these services, without the IT department or senior management finding out about it until it’s too late. iCloud, in particular, can be problematic in this area because Apple’s devices will often back up everything on the device to iCloud by default.”

“From a hacker’s point of view, a failure of iCloud brings richer pickings. There would be a lot of work involved in hacking into many individual machines whereas a security hole in iCloud would mean that millions of pieces of information would become available at once,” Professor Mike Jackson from Birmingham City University stated.

“Whenever you place information on a computer, that information becomes less secure. If you connect a computer to the Internet then the security risk grows. If you store information on a cloud service then you rely completely on security measures of the service provider. Once in the cloud, it’s these security measures which make the difference between privacy and the whole world being able to access your documents and pictures.”

Unregulated BYOD is an issue facing IT professionals the world over. As Matt Newing, CEO of unified communications provider Elite, states, “IT teams worry about losing control of IT, as employees all over the business connect personal devices to the company network, download software and applications and turn to cloud services.”

Hedley added, “Businesses can control these risks, while still maintaining many of the benefits of cloud storage services and BYOD, by deploying a combination of technical measures preventing unauthorised uploading of business data (using technologies such as MobileIron) and user education.”

Recent research from Samsung found that 47% of UK companies had a work handset lost or stolen in the last 12 months. Almost a third of CTOs were, however, unaware of the number. Alongside this, a global survey of CIOs by leading analyst Gartner found that as many as 38% of companies plan to stop providing their workforce with devices at all by 2016.

“Laptops, mobiles and tablets can cost many hundreds of pounds per year for each employee, so BYOD has become very attractive. However, far from enjoying the flexibility and lower costs, companies that rush into BYOD without a strong policy face considerable risks,” said Hardeep Singh Garewal, President – European Operations, ITC Infotech.

“For unprepared companies, a lost or stolen device represents a catastrophic security risk, with the potential cost to their business far outweighing the savings. There are many solutions available, but we see many companies failing to implement a clear policy on keeping track of work devices. This hinders them from acting quickly to prevent breaches,” adds Garewal.

However, the new movement towards Choose Your Own Device (CYOD) offers an alternative solution that addresses both security and personal data concerns. This approach ensures the company retains full ownership of the device, removing uncertainty in safeguarding information on the device, yet still providing user freedom.

Garewal concludes: “While CYOD means the company must ultimately foot the bill for the device overhead and support, the level of control and assured visibility vastly simplifies issues around privacy and security. However, whether they use BYOD or CYOD, companies encouraging flexible working must ensure they are prepared to deal with imminent risks or spend all of their time fire-fighting to avoid major crises.”

Source: Field Service News


10 quick tips to prevent Bring Your Own Device policies from being a burden


If you are considering a Bring Your Own Device – or BYOD – policy for your business then there are several considerations you need to keep in mind.

Don’t just announce the policy and let employees start using their personal device for all work-related tasks. Sure, there are benefits, but you will only realise these with a well-thought-out policy, which is openly shared with all.

1. Understand and measure the business benefit. Don’t just do it because the devices look nice.

2. Don’t store any data on the devices if possible. If you have to then ensure it’s encrypted.

3. Think about Internet controls within the business. You need to ensure that people remain productive.

4. Understand what you will do if the device has a fault or fails. How will that employee work for a day or two?

5. Keep installs on the device to a minimum. The more you install the more you have to manage, secure and support.

6. Make sure your wireless will support the additional devices. Many existing wireless solutions won’t cope with the load.

7. Isolate the devices from your network, even when in the office. You can’t control their security so zone them off.

8. Know which devices you will support. Don’t just allow anyone to use any device to connect.

9. Update your acceptable use policies. Employees need to know what their responsibilities are.

10. Plan your infrastructure first. Don’t just allow devices access, and then identify risks and controls as you go along.

If you are not sure if BYOD will work for you, then you could consider CYOD instead. Choose Your Own Device gives employees a level of freedom whilst still allowing the business to retain central control.