BYOD Security: Bring Your Own Device Strategy for SMBs

As employee devices become more common in the workplace, companies need to develop comprehensive BYOD security policies. Here's why—and how.


Sep 04, 2019

What BYOD Means And How To Equip Your Business For Its Challenges

There’s a lot of talk about what a good BYOD security policy includes. Without a doubt, BYOD—or bring your own device—policies are changing the way that SMBs think about and conduct security.

A significant portion of modern business functionality now relies on digital tools which are designed and tailored for smart devices. In addition, employees have their own laptops, iPads, and smartphones—devices they’re familiar with, which they enjoy using, and which in some cases may be more advanced than what a company can provide.

Therefore, rather than supplying every employee with a corporate laptop or work-issued smartphone, companies are finding it more convenient and cost-effective to harness employee device ownership in the workplace by implementing a BYOD policy.

However, the introduction of third-party devices creates an intricate security challenge. The threats unsecured devices introduce into an environment should be taken seriously—it’s become all too common for organizations to overlook the use of personal devices within their networks.

Companies need to retain the utmost security when it comes to their most sensitive and valuable information: who’s accessing it and from where?

Finding that perfect balance is tricky, but completely possible. Read on to develop a deeper insight into how to maximize productivity with a solid BYOD policy while keeping the company's office and data secure.

Network Threats Created by BYOD Policies

BYOD policies are a smart way to leverage the digital power of employees to grow a company, but it’s crucial to adequately prepare for the network threats which such strategies may create. Companies which implement BYOD policies need a security policy prepared to handle threats such as:

Decreased Local Control and Visibility

The more devices there are connecting to a network, the greater the chance that a device and its activities will go undetected or unseen. Configurations on either the device or the network itself may prevent it from appearing on the list of connected devices—or the sheer number of devices might cause it to disappear amongst the crowd.

Network Exposure

An SMB might invest in airtight cybersecurity for its company devices, but that means nothing if it can be circumvented. Vulnerable devices may introduce openings into a network which cybercriminals can detect and exploit.

Physical Theft

While the physical theft of company laptops represents a serious risk, employee-owned devices which travel with the employee at all times amplify this risk even more. A stolen smartphone with saved login credentials is all a malicious actor needs to access a secure network.


When a user houses personal and corporate information on the same device, the likelihood of sending material to the wrong contact increases. Coworkers may receive personal communications accidentally, and personal contacts might receive sensitive information—two scenarios which may have dramatic ramifications.

Malware and Viruses

Malware targets phones, both to infect them and because the physical restrictions of such small devices make phishing attacks easy. Similarly, employee-owned devices are exposed to more opportunities to contract malware and viruses which may then transfer to an otherwise pristine network.

OS-Specific Security Concerns

With a BYOD policy, it’s harder to anticipate and configure a network for the myriad of operating systems which may exist on an organization’s network. In addition to iOS, Windows, and Android, BYOD security policy might need to prepare for unique proprietary systems such as Bada and Palm OS, as well as the constellation of open-source operating systems rapidly gaining in popularity.

Establishing a BYOD Policy For an Organization

A BYOD policy is a must-have for any company which wants to make the most out of employee devices in the workplace. A thoughtful policy balances the company’s need for security with the recognition that employees may already have preferred ways of using their devices. Consider these five steps for creating a BYOD policy which works for everyone.

1. Establish—and enforce—uniform security for all devices. Make sure that employees understand that a bring your own device security policy applies to all devices—and why.

2. Identify acceptable devices in the workplace. To prevent employees from seeing a BYOD policy as a free-for-all, clearly identify acceptable devices in the workplace.

3. Define acceptable uses of employee devices in the workplace. Develop a clear guide to acceptable uses of devices at work.

4. Clarify ownership of company apps and data. Help employees maintain a separation of personal and company data by clarifying who owns what data on an employee’s device.

5. Develop a plan to handle data on employee devices when they leave the company. Prevent company data from leaving with an employee with an “exit wipe” or other methodology to ensure that no company data remains on an employee’s phone.

10 Tips for Securing Devices and Reducing Risks

A strong BYOD security policy will unlock the potential of employee devices in the workplace while minimizing the inherent risks of unsecured devices. Here are 10 tips to maximize the security of a BYOD policy.

1. Make Passwords Mandatory

Passwords represent the first line of defense should a device fall into the wrong hands. Require users to have passwords or passphrases on their devices, both for the safety of their own data and for the company’s. Disallow saved or auto-filled passwords which create the opportunity for unauthorized access to walk right into a company app.

2. Control Connectivity

Although network connectivity is an important element of staying integrated, control the connectivity of devices. Disable Bluetooth, mobile hotspots, data, or any other form of connection which might open a device to outside threats. Require devices to connect to monitored networks only.

3. Mind the Apps

Restrict the permission of apps used for company purposes to allow them as little access to a device or its files as possible. Likewise, beware of “free” apps. These often come with ads or egregious permission requirements. Some are even malware in disguise—a Trojan Horse.

4. Help Employees Keep Devices Updated

Send out reminders when major OS updates occur or when an app releases an update. Many employees turn these off because they’re annoying—help employees understand the importance of keeping their devices updated.

5. Never Store Financial Data on Personal Devices

Expressly prohibit employees from storing company financial data or other sensitive information on a personal device. Doing so creates a tremendous risk should a device be lost or compromised. To help prevent this, create clear guidelines for where and when sensitive information may be accessed using a personal device.

6. Require Periodic Re-Authentication

Know what employees are using by not only requiring them to register their devices with the IT department but also requiring a periodic re-authentication or re-registering of devices. This keeps a company aware of what devices are accessing their information.
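One way to check registration and re-registration in practice, shown as an added example that is not part of the original article: reconcile the devices seen on the network against the IT registry and flag those that are unregistered or overdue. The 90-day interval, the registry layout, and all MAC addresses and owner names are constructed assumptions.

```python
from datetime import date, timedelta

# Assumption: re-registration is required every 90 days (the article sets no interval).
REREGISTER_EVERY = timedelta(days=90)

# Constructed sample registry kept by IT: normalized MAC -> (owner, last registration).
REGISTRY = {
    "aa:bb:cc:00:00:01": ("alice", date(2019, 8, 20)),
    "aa:bb:cc:00:00:02": ("bob", date(2019, 3, 1)),
    "aa:bb:cc:00:00:03": ("carol", date(2019, 7, 15)),
}

# Constructed sample of devices currently on the network (e.g. exported DHCP leases).
SEEN_ON_NETWORK = [
    "AA-BB-CC-00-00-01",
    "aa:bb:cc:00:00:02",
    "de:ad:be:ef:00:99",
]

def normalize_mac(mac):
    """Lower-case and colon-separate a MAC so 'AA-BB-..' and 'aa:bb:..' compare equal."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def audit(registry, seen, today, max_age=REREGISTER_EVERY):
    """Classify connected devices and list registered devices that were not seen."""
    report = {"ok": [], "expired": [], "unregistered": []}
    seen_macs = {normalize_mac(m) for m in seen}
    for mac in sorted(seen_macs):
        entry = registry.get(mac)
        if entry is None:
            report["unregistered"].append(mac)   # never registered with IT
        elif today - entry[1] > max_age:
            report["expired"].append(mac)        # registration is overdue
        else:
            report["ok"].append(mac)
    # Registered devices absent from the network: candidates for registry cleanup.
    report["not_seen"] = sorted(set(registry) - seen_macs)
    return report

if __name__ == "__main__":
    for status, macs in audit(REGISTRY, SEEN_ON_NETWORK, date(2019, 9, 4)).items():
        print(f"{status}: {macs}")
```

Modern phone operating systems can randomize MAC addresses per network, so a production check would key on a stronger identifier such as a device certificate or an MDM enrollment ID.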

7. Use a VPN

A VPN helps hide traffic from eavesdroppers or individuals snooping on a public network. Companies with remote workers should strongly consider investing in a VPN and requiring its use when connecting to company resources via a personal device and a network that isn’t in the office.

8. Mobile Device Management Software

Mobile device management (MDM) services allow an IT department to install further security measures on a device. This may include stronger security settings regarding networks or ways to track a lost or stolen device—or wipe it entirely.

9. Use an Antivirus and Malware Protection

Antiviruses exist for nearly every type of internet-connected device that employees may bring to work—and many will have them already. Create a list of antivirus and malware protection software permitted under the company BYOD policy.

10. Keep Data Backed Up

Train employees on keeping their own personal data backed up in the event that a device is stolen or needs to be wiped. This helps employees maintain a separation between personal and company data. Furthermore, leverage cloud solutions to ensure that company data is never lost.

Key Takeaways:

  • BYOD is a viable and popular strategy to leverage employee devices. However, a company needs to prepare for the intricacies of BYOD security.
  • A thoughtful security policy which balances company security and recognition of employee ownership of the devices will create a productive, harmonious digital environment.
  • There are many ways to secure devices and reduce the risks inherent with BYOD.
