Craig McDonald 07 February 2019 15:33:22 AEDT 9 MIN READ

Why personal phones at work are risky business

Does Bring-Your-Own-Device (BYOD) make sense for your business? With the potential for cost and time savings becoming increasingly evident, the chance for your staff to use their own devices to do work (especially away from the office) may be an exciting prospect.

Plus, the rapid evolution and proliferation of technological devices has, in any case, increased employees’ reliance on these devices.

A 2018 Samsung-commissioned study showed that almost 80% of respondents couldn’t do their job effectively without a mobile phone.

What’s more, according to a 2016 study from Crowd Research Partners that I came across, 72% of employers offer BYOD to some or all employees, with a further 9% expected to roll it out within the next 12 months.

As cybersecurity professionals and leaders, it’s prudent to take a minute to consider that with BYOD comes increased risk to our business cybersecurity. For example, the Samsung study may have found a staggering number of people are reliant on mobile devices, but a separate study states that users of mobile devices are up to 18 times more likely to be exposed to phishing attempts.

To effectively manage the risks you’ll need a strong BYOD policy in place - or another option. Here’s some food for thought when you’re writing that policy (or updating your existing one) to ensure you’re implementing BYOD in the safest way possible.

First, identify your business needs and business risks

Start by outlining your business need or needs for BYOD, the “why” behind your decision. Some examples may be to allow your team:

  • To access email offsite
  • To do work via tablet/phone in the office
  • To be able to work from personal devices from home
  • Flexibility while cutting your hardware spending, or
  • Choice, because many employees today want the option

Categorise your needs in terms of impact, urgency, and priority, perhaps on a scale of 1-5.

Then do the same for the risks to your business. Are they:

  • Data leaks
  • An increase in spam and viruses within your network
  • Legal obligations
  • Terminated employee access
  • Internal policy compliance
  • Costs and complexity of implementation and ongoing management

Assessing risks and needs

Many of you will already have a risk management framework in place, for instance, one developed using the ISO 31000:2018 risk management framework. I’ve certainly found that solid risk assessment frameworks can effectively help businesses assess whether the risks to their company that BYOD brings are acceptable.

If you ultimately decide that you can accept the risks and that the benefits of BYOD are deemed worthy enough to warrant a trial, then it’s time to move ahead. I’m guessing if you’re reading this that you’re probably at that point.

Which approach is best for your business?

Once you have decided that yes, BYOD is the right fit, then you’ll need to decide which approach is the best fit for your needs.

Mobile Device Management vs Mobile Application Management or Mixed?

There are a few different approaches that you can take when it comes to BYOD.

Mobile Device Management (MDM) refers to taking control of devices themselves: being able to create standard mobile operating environments and to control devices remotely, such as being able to initiate system and security updates, and wipe devices.

Mobile Application Management (MAM) is a different approach that means you control the enterprise apps only.

A ‘Mixed’ environment would be where you have some MDM devices and some MAM devices.

MDM gives your organisation the most control over the devices and can make management of BYOD devices easier for business security; MAM can be more difficult to navigate securely.

It stands to reason that some employees are wary of an MDM policy on their own device. Having your workplace in complete control of your personal device can be a scary prospect. This is why MDM is perhaps best suited to company-owned devices, and MAM is a better fit for BYOD.

There is no right or wrong. Every company is different, and you’ll need to decide which approach is the best fit for your organisation, balancing productivity gains and employee satisfaction, against the security risks and operational overheads of maintaining the program.

In our case, we have a ‘Mixed’ environment that means we can maintain the highest levels of security in mission-critical environments while enjoying the employee and productivity gains elsewhere.

BYOD and software/system updates

With MDM, software and system updates are simpler; updates are triggered on devices when they’re ready to roll out. With MAM, while you can update the apps themselves, you’ll need to prompt the user if you want them to do a system update (and remove app functionality until it’s complete).

Your BYOD policy will need to state that both apps and operating systems must remain up to date, so that security bug fixes are actually applied.

BYOD, data wipes and data locking

You will need to include in your policy the rules surrounding data wipes for staff terminations, and potential data locking for suspected security events. Triggers might be unusual system access or a lost device, or could be as simple as extended employee leave.

BYOD identity management

As a business, you’ll also need to take even more care with identity management for BYODs than you do with user accounts in the office.

Controls like 2FA should be mandatory, and, like us, you may find your implementation differs between environments, and for certain users or groups where the risks may be too great. In those circumstances this is likely to mean that functionality is only enabled when the device is connected to office networks.
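The update, wipe/lock and identity rules described above (apps and OS must stay current, lock on loss or extended leave, wipe on termination, 2FA mandatory, mission-critical functionality restricted to the office network for less-controlled devices) can be expressed as a single posture check. The following is a constructed example added here, not code from the original post or from any MDM/MAM product; the tier names, the 30-day patch threshold, the `DevicePosture` fields and the sample fleet are all assumptions made for illustration.

```python
"""Constructed example: a posture-based BYOD access decision.
Not from the original post or any product; all names and thresholds are assumed."""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, FrozenSet, List, Optional


class Mgmt(Enum):
    MDM = "mdm"    # organisation controls the whole device
    MAM = "mam"    # organisation controls enterprise apps only
    NONE = "none"  # unenrolled device


@dataclass
class DevicePosture:
    device_id: str
    management: Mgmt
    os_patch_age_days: int       # days since the last OS/security update
    apps_up_to_date: bool
    mfa_verified: bool           # 2FA completed for this session
    on_office_network: bool
    reported_lost: bool = False
    user_status: str = "active"  # "active", "extended_leave" or "terminated"


@dataclass
class Decision:
    tiers: FrozenSet[str]        # functionality the device may use
    action: Optional[str]        # "lock", "wipe" or None
    reasons: List[str] = field(default_factory=list)


TIER_EMAIL = "email"
TIER_INTERNAL = "internal_apps"
TIER_CRITICAL = "mission_critical"
MAX_PATCH_AGE_DAYS = 30          # assumed policy threshold


def evaluate(p: DevicePosture) -> Decision:
    """Map a device's posture to the tiers it may access plus any queued action."""
    reasons: List[str] = []
    # Terminations and security events come first: no access, and a wipe or
    # lock is queued. On a MAM-only device "wipe" covers the enterprise apps
    # and their data, not the employee's personal content.
    if p.user_status == "terminated":
        return Decision(frozenset(), "wipe", ["user terminated"])
    if p.reported_lost:
        return Decision(frozenset(), "lock", ["device reported lost"])
    if p.user_status == "extended_leave":
        return Decision(frozenset(), "lock", ["extended leave"])
    if p.management is Mgmt.NONE:
        return Decision(frozenset(), None, ["device not enrolled"])
    if not p.mfa_verified:
        return Decision(frozenset(), None, ["2FA not completed"])
    # Out-of-date OS or apps: keep email working, prompt the user, and
    # withhold everything else until the update is done.
    tiers = {TIER_EMAIL}
    if p.os_patch_age_days > MAX_PATCH_AGE_DAYS:
        reasons.append("OS update overdue: prompt user, reduced functionality")
    if not p.apps_up_to_date:
        reasons.append("enterprise apps outdated: push app update")
    if reasons:
        return Decision(frozenset(tiers), None, reasons)
    tiers.add(TIER_INTERNAL)
    # Mission-critical functionality: fully managed devices from anywhere,
    # app-managed devices only when on the office network.
    if p.management is Mgmt.MDM or p.on_office_network:
        tiers.add(TIER_CRITICAL)
    else:
        reasons.append("MAM device off-site: mission-critical tier withheld")
    return Decision(frozenset(tiers), None, reasons)


def evaluate_fleet(fleet: List[DevicePosture]) -> Dict[str, Decision]:
    """Evaluate every device and key the decisions by device id."""
    return {p.device_id: evaluate(p) for p in fleet}


# Constructed sample fleet covering the interesting cases.
SAMPLE_FLEET = [
    DevicePosture("dev-001", Mgmt.MDM, 5, True, True, False),
    DevicePosture("dev-002", Mgmt.MAM, 45, True, True, False),
    DevicePosture("dev-003", Mgmt.MAM, 3, True, True, True),
    DevicePosture("dev-004", Mgmt.MAM, 3, True, False, True),
    DevicePosture("dev-005", Mgmt.MDM, 3, True, True, False, reported_lost=True),
    DevicePosture("dev-006", Mgmt.MAM, 3, True, True, False, user_status="terminated"),
    DevicePosture("dev-007", Mgmt.MAM, 3, True, True, False),
]

if __name__ == "__main__":
    for dev_id, d in evaluate_fleet(SAMPLE_FLEET).items():
        print(dev_id, sorted(d.tiers), d.action, "; ".join(d.reasons))
```

The ordering of the checks is the point: lock and wipe decisions are made before any access question, an unenrolled or un-authenticated device gets nothing, and an out-of-date device degrades to email only rather than being silently allowed through. Real MDM/MAM products expose posture signals under their own names; the fields here stand in for whatever your chosen tool reports.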

On-premise vs cloud

One of the allures of BYOD is that your employees can do work from anywhere. However, you’ll need to assess what functionality can be accessed offsite (in the cloud) vs. when connected to internal networks (on-premise). There may be a need to make this distinction within your policy, although it’s safe to say that most organisations have now resolved their fear of cloud. Even the US Air Force is moving 555,000 users to the cloud with Office 365.

Should mission-critical functionality be available via BYOD?

Plenty of companies have BYOD policies that allow employees access to mission-critical functionality offsite, via their own device. For instance, a developer may need to work on a critical bug fix while they’re at a conference abroad.

The only difference between the developer doing this onsite with a company-owned device and doing it offsite is that, onsite, you know the security controls on the networks, machine, and apps are already in line with company policy. With a strong BYOD policy, you may also know the state of the machine, apps, and incoming/outgoing network connections of the off-site employee, too.

So yes - mission-critical functionality can be available via BYOD, so long as you have clear security policies in place.

Utilising strong existing enterprise BYOD management tools

Creating your own BYOD infrastructure, systems, and management tools is a redundant activity when there are plenty of commercial products available to help streamline the process. There’s help out there, so take it!

Software products like VMware and MobileIron, among others, have been built specifically for this task and should be investigated and evaluated for your business.

A final word about BYOD

While BYOD has been hot for a few years now, the diversity of business needs and the associated risks is driving a variety of other options, like:

Corporately Owned, Personally Enabled (COPE) is seen as an attractive option, with employees selecting from a list of devices to use. COPE devices are always MDM, but allow for personal use of the device, too. This way, the security benefits of MDM over MAM are realised, and should employees wish to use their personal device for personal pursuits they can, or simply use their work device in a “walled garden” for personal use instead of having 2 devices on the go.

Another alternative for businesses to explore is the Choose Your Own Device (CYOD) policy, which enables a business to support its employees’ choice of device while keeping its confidential business data secure.

CYOD works by offering employees a choice of approved devices, which allows IT to have more control over what devices employees use, as ComputerWorld explains.

Direct to Carrier Stipends

Direct to Carrier Stipends are frequently considered as an innovative approach to BYOD. Stipends are often used by businesses as a way to reimburse employees for a portion of their wireless costs. Gartner has, in fact, identified this process as the most effective method for managing BYOD expenses. According to Network World, this method entails companies determining payment levels based on employee role or any other relevant factor and then having the stipends applied directly to employees’ bills as a credit.

There is, in fact, a lot to think about in a heightened security atmosphere when cyber threats are only likely to become more complex. I would love to hear about your experience.

Get the facts

Companies are spending more on cybersecurity now than ever before, but those funds aren't always targeting the most significant dangers. There seems to be a bit of a disconnect amongst many CEOs about the sources of cyber-threat.

Studies consistently show that more than 90% of cyber-attacks are perpetrated via email, yet email security is rarely the biggest item in cybersecurity budgets. If we’re going to win the battle against cybercrime we have to get real about the nature of the threat.

I’m on a mission to help business people understand cybercrime and protect their businesses from costly attacks. If you would like to learn more about the complex cybersecurity challenges facing business today, please download my e-book Surviving the Rise of Cybercrime. It’s a plain English, non-technical guide, explaining the most common threats and providing essential advice on managing risk.

You can download my e-book for free, here.

“Cybercrime is a serious and growing business risk. Building an effective cybersecurity culture within an organisation requires directors and executives to lead by example. Surviving the Rise of Cybercrime is a must-read for directors and executives across business and in government and provides strong foundations for leaders determined to address cyber risk.” - Rob Sloan, Cybersecurity Research Director, Wall Street Journal. 

Hi, I’m Craig McDonald; MailGuard CEO and cybersecurity author.
Follow me on social media to keep up with the latest developments in cybersecurity and Blockchain; I'm active on LinkedIn and Twitter. 
I’d really value your input and comments so please join the conversation.