Bring-your-own-device Policies – Is it worth the risk?

With technology constantly evolving and organisations now dependent on their employees' ability to stay connected, Bring-your-own-device (BYOD) policies give employees the option to bring personally owned devices and use them to access company information and applications. Boosting your company's mobility in the given market is, without a doubt, an invaluable asset; but BYOD policies, when not implemented properly, can pose a large security risk to an organisation.

BYOD programs cannot operate successfully in an organisation of any size unless appropriate safeguards are put in place. As employees increasingly use personal devices for corporate activities, more and more sensitive data will pass through mobile traffic. Criminals are increasingly attracted to the mobile platform as a result of the spike in BYOD policies in the workplace, looking to steal confidential information passing through the network. In 2018, Kaspersky recorded a doubling of the number of attacks using malicious mobile software.

Mobile malware: What is it and what does it do?

Mobile malware is malicious software targeted specifically at mobile devices, with criminals aiming to compromise devices through a range of attacks. Recently, specific strains of malware have been marketed to employers as applications that can monitor employee communications and analyse team behaviour. Despite their promises, these applications are often detrimental to the security of a device, transmitting data in plain text and logging user credentials.

Often malicious applications known as 'Trojans' will be available to download onto a device. Trojans are applications that appear to be harmless when they are in fact malicious. Trojans take many forms and include – but are not limited to – banking trojans, which profit by stealing money out of mobile users' bank accounts.

BYOD: Mitigating the risk

In order to mitigate the risk of implementing a BYOD policy within the workplace, appropriate measures must be taken. Prior to rolling out BYOD, the organisation should ensure that the policy is well thought out, with rules that every employee can understand and, more importantly, can access with ease when required. A BYOD policy should outline, but is not limited to, the following:

Acceptable use

  • The company defines acceptable business use as activities that may directly or indirectly affect the organisation

  • Device cameras and/or video capabilities must/must not be enabled while on-site

  • Devices must not be used to harass others or store illicit material

Devices and support

  • Specify the smartphones, including models, operating systems and versions, that can be used

  • Devices must be given to IT beforehand for configuration of standard mobile applications such as browsers and security tools

  • Devices must be protected with a passcode of at least six characters, with a separate strong password required to access the company network

  • Rooted Android devices or jailbroken iOS devices are strictly forbidden from accessing the network

  • Devices that are not listed as supported are prohibited from being connected to the company network

  • Users are not permitted to install applications from third-party app stores or from outside the list of permitted applications maintained by the company

  • Companies may wish to reserve the right to disconnect devices or disable services without notification

  • Any lost or stolen devices must be reported to the organisation within 24 hours

Strong authentication, such as two-factor authentication, must be used by staff, limiting the risk of any stolen or lost device compromising company data. 2FA adds an extra layer of security to login credentials by combining two different methods of identity confirmation, for example login credentials plus a verification code sent via email. Furthermore, any organisation wishing to support a BYOD policy must keep an up-to-date list of approved applications and versions that are deemed not to put end-user security, and as a result sensitive company information, at risk.
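The device rules above (supported platforms and versions, a passcode of at least six characters, no rooted or jailbroken devices, no third-party app stores, and an approved-application list) only reduce risk if they are actually enforced before a personal device reaches the company network. The following script is an added example, not code from the original article or from Curious Frank: it turns those rules into an automated compliance check of the kind an MDM or network-access-control gate would run over a device inventory. The minimum OS versions, application identifiers and device records are all constructed for illustration.

```python
"""Added example (not part of the original article): evaluate BYOD device
records against the policy rules and report which devices may connect.
All policy values and inventory records below are constructed."""
from dataclasses import dataclass

# Constructed policy: supported platforms with a hypothetical minimum OS version each.
SUPPORTED_PLATFORMS = {
    "android": "10.0",
    "ios": "14.0",
}
# Hypothetical allowlist of company-approved applications (package / bundle ids).
PERMITTED_APPS = {"com.example.mail", "com.example.browser", "com.example.mdmagent"}
MIN_PASSCODE_LENGTH = 6  # from the policy: passcode of at least six characters


@dataclass
class Device:
    owner: str
    platform: str            # "android", "ios", or something unsupported
    os_version: str          # e.g. "14.2"
    passcode_length: int     # 0 means no passcode is set
    rooted_or_jailbroken: bool
    third_party_store: bool  # a non-vendor app store is installed or enabled
    installed_apps: frozenset


def parse_version(version: str) -> tuple:
    """Turn '14.2' into a comparable tuple, padded so that '14' equals '14.0.0'."""
    parts = [int(p) for p in version.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))


def evaluate(device: Device) -> list:
    """Return the list of policy violations for one device (empty means compliant)."""
    violations = []

    min_version = SUPPORTED_PLATFORMS.get(device.platform.lower())
    if min_version is None:
        violations.append(f"unsupported platform: {device.platform}")
    elif parse_version(device.os_version) < parse_version(min_version):
        violations.append(
            f"{device.platform} {device.os_version} below supported minimum {min_version}")

    if device.passcode_length < MIN_PASSCODE_LENGTH:
        violations.append(f"passcode shorter than {MIN_PASSCODE_LENGTH} characters")

    if device.rooted_or_jailbroken:
        violations.append("rooted/jailbroken device")

    if device.third_party_store:
        violations.append("third-party app store present")

    unapproved = sorted(device.installed_apps - PERMITTED_APPS)
    if unapproved:
        violations.append("unapproved apps: " + ", ".join(unapproved))

    return violations


def compliance_report(devices) -> dict:
    """Map each owner to their violations; only devices with none may connect."""
    return {d.owner: evaluate(d) for d in devices}


# Constructed inventory records, in the shape an MDM export might provide.
INVENTORY = [
    Device("alice", "ios", "15.1", 6, False, False,
           frozenset({"com.example.mail", "com.example.mdmagent"})),
    Device("bob", "android", "9.0", 4, True, False,
           frozenset({"com.example.mail"})),
    Device("carol", "android", "12", 6, False, True,
           frozenset({"com.example.browser", "com.shady.flashlight"})),
    Device("dave", "windows-phone", "10", 8, False, False, frozenset()),
]

if __name__ == "__main__":
    for owner, problems in compliance_report(INVENTORY).items():
        status = "ALLOW" if not problems else "BLOCK"
        print(f"{status:5} {owner}: {'; '.join(problems) or 'compliant'}")
```

Each rule is checked independently so that a single report lists every reason a device was blocked, which is what the helpdesk needs when an employee asks why their phone cannot join. The version comparison pads short version strings so that an inventory reporting "12" is not wrongly treated as older than "10.0".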

Are you curious about cyber security? We'll be frank about it! From security consultations, cyber security training, digital foot-printing, extensive security tests and more, Curious Frank offers the best range of services to help individuals and organisations be more cyber secure.


A division of the Scottish Business Resilience Centre

Oracle, Blackness Road

Springfield, Linlithgow

EH49 7LR


© Curious Frank 2019