Pages
Events
Whitepapers
BYOD: Bring Your Own Device - and alternatives
In our modern working world, new methods are constantly being developed to facilitate collaboration. When employees had to work from home overnight during the coronavirus pandemic, this reinforced the already growing BYOD trend. Find out how this concept works and what companies need to consider when introducing Bring Your Own Device here.
What is BYOD?
BYOD is the abbreviation for "Bring your own Device", which means "Bring your own end device". This term refers to the fact that private smartphones, laptops and tablets are integrated into closed networks. These include schools, universities and libraries as well as those of companies.
BYOD concept in companies: How does it work?
More and more employees are allowed to work with their own end devices - and the trend is continuing to rise, according to a recent analysis by market research company Mordor Intelligence. For companies, this means that employees use their favourite laptops or smartphones for their work. They then download company-specific applications and programmes onto their personal devices. This allows them to carry out their work on their personal laptop at any time and from anywhere.
Level 1: Informal BYOD (Unofficial BYOD):
The first level of BYOD is the unregulated form. It allows employees to use their private end devices for business purposes without any guidelines or security measures from the company. This leads to considerable security risks, as company data is stored unencrypted on external devices.
Level 2: Bring Your Own Device with guidelines (Policy-Based BYOD):
In the second level of BYOD, companies have established firm security policies, privacy policies and regulations for the use of personal devices in the workplace. Although this level offers significantly more security than the first, it requires a certain degree of personal responsibility on the part of employees. After all, it is up to them to adhere to these regulations - if they don't, sensitive data can fall into the wrong hands.
Level 3: Managed BYOD (Fully Managed BYOD):
The third level describes a fully managed BYOD model in which organisations implement strict security and management measures for BYOD devices. This can include only allowing employees to use devices and operating systems that the employer deems secure. It also allows companies to manage and remotely access the devices concerned, for example. This level offers the highest level of security and the greatest control for the company.
BYOD data protection: How secure is the concept?
How can BOYD policies improve security?
BYOD policies should address the following points in particular:
- Security policies include the use of passwords or PIN codes, updating operating systems and applications, encrypting data and enabling remote wipe capabilities for lost or stolen devices.
- The implementation of Mobile Device Management(MDM) significantly improves the security of BYOD devices. MDM enables organisations to manage devices, enforce security policies, protect corporate data and wipe data in an emergency.
- Companies must ensure that the processing of personal data on BYOD devices complies with applicable data protection laws and compliance regulations.
- Employee training ensures that employees are aware of best security practices for BYOD devices. These include avoiding insecure Wi-Fi networks, using apps securely and identifying phishing attacks.
- Data encryption of business information on BYOD devices is also important to prevent serious consequences of theft or loss.
- In such cases, remote wiping, which allows companies to delete data on BYOD devices remotely, also helps.
- Internal company BYOD policies should also stipulate that IT administrators can take control of any device that can access the company network. In this way, security updates can be deployed from a central location, applications installed and devices checked for malware.
Legal basis
According to Art. 4 No. 7 GDPR, the employer is also responsible for the devices on which business-related processes are carried out if they do not belong to him and he only has limited access. Restricted access refers to the fact that only company-specific data may be viewed by the IT administrator on private end devices. This means that it is much more difficult to detect risks as not all programmes can be accessed.
Is BYOD even GDPR-compliant?
BYOD allows employees to process personal data on personal devices. For this to be GDPR-compliant, companies must comply with the applicable data protection laws and regulations that govern the protection of personal data. This may include obtaining consent from employees to process their data, implementing appropriate data protection measures and reporting data breaches.
BYOD labour law: risks for employers
The labour law firm Taylor Wessing clarifies: In principle, the employer is obliged to provide the work equipment required for work performance. If he fails to do so, the employee can use his own end device for work purposes under certain conditions. In this case, it is essential that it is determined in advance who will bear the costs of the device in the event of loss, theft or damage. However, not every employee is convinced by BYOD, as companies have deep access to personal end devices. This can give the impression that the employer is stingy, which in turn can reduce acceptance of the concept as well as employee satisfaction and work motivation.
There are also risks for the employer in that private and company data are not clearly separated from each other on a private laptop. This increases the risk of sensitive data being stored or copied without authorisation and falling into the hands of third parties. To avoid this, detailed BYOD guidelines based on current data protection concepts are a must.
Creating a BYOD policy: Which points are important?
Before companies allow their employees to work on business matters using their own devices, a policy is essential. Computerweekly recommends that the policy covers the following points:
- Encrypted connection (VPN) for access to company systems
- Security controls on the device
- Require components such as Secure Sockets Layer (SSL) certificates for device authentication and user identity
- Define the company's rights to change the applications and data on the device - especially in the event of loss or theft
- Encryption of stored data
- Prohibit the storage of passwords for business applications
- Protection of device passwords
- Registering devices with an MDM platform or in UEM (Unified Endpoint Management)
BYOD sample company agreement
To conclude such a works agreement, templates such as the one from Haufe on "§ 6 Transfer and use of work equipment / VI. Works agreement: Bring Your Own Device (BYOD)" are suitable.
What advantages does BYOD offer?
- Cost savings for companies: If employees use their private end devices, there are no acquisition costs for companies. In addition, devices already in the company wear out more slowly if employees prefer to use their own.
- Productivity: Employees know their own devices and are confident and familiar with them. As they are intuitive and familiar with them, they are often more productive with their own devices. This may also be due to the fact that these are more modern than the hardware available to them in the company.
- Employee satisfaction: As a rule, employees enjoy working with their preferred devices. This increases employee satisfaction and also has a positive effect on loyalty to the company.
- Flexibility: If employees not only have a modern end device, but can also use it for business purposes at any time and from any location, meetings can take place more flexibly. Emails are also often answered more quickly.
What are the disadvantages of BYOD?
- Complexity: Different end devices with different operating systems make the IT landscape in companies more complex. This harbours security risks. IT security in the home office is therefore not nearly as high as in the company itself and brings with it gateways for malware.
- Control: IT administrators are responsible for controlling business applications and processes on private end devices. This requires not only familiarisation time, but also the cooperation of employees.
- Data protection: In order to ensure personal data protection despite private devices, detailed guidelines and control measures are required. In addition, internal data can fall into the hands of unauthorised third parties if a mobile phone or laptop is lost or stolen.
- Gateway for malware: As IT administrators are only allowed to control the applications used for business purposes, viruses can find their way onto privately used end devices and access internal company data in other ways.
What BYOD solutions are there?
BYOD solutions are technologies, strategies and approaches that companies use to enable their employees to use their personal devices at work - while ensuring the security of company data and compliance with company guidelines. These include
- BYOD management
BYOD management takes over the management and control of personal devices used by employees in a company for business purposes. The aim of BYOD management is to ensure the security, compliance and efficiency of these devices.
- BYOD app
The BYOD app is a software application that is installed on employees' personal devices and gives them access to business applications. The BYOD app enables the clear separation of professional and personal data. It also increases the security of company-specific information, as it can be monitored and managed remotely.
BYOD strategy
- Best practices
Managing BYOD with the cloud-based software solution Microsoft Intune has proven its worth. This gives administrators access to all mobile devices in the company network so that they can update and uninstall applications. The ACMP Intune Connector is suitable for optimising the use of this solution in practice with an existing UEM application. This provides a better overview and standardises the interfaces in the ACMP Console.
- Prerequisites
In addition to the technical requirements - i.e. that every employee has the necessary mobile devices for private use - the legal requirements must also be met. In addition, the use of private work equipment is subject to co-determination by the works council in accordance with Section 87 of the Works Constitution Act (Betriebsverfassungsgesetz, BetrVG), Section 87 (1) No. 6 BetrVG (introduction and use of technical equipment), Section 87 (1) No. 1 BetrVG (organisation of the company with specifications on usage behaviour) and Section 87 (1) No. 2, 3 BetrVG (working hours).
- What must be observed?
If a company introduces a BYOD strategy, it is essential that all employees are aware of it and agree to it. In addition, various training courses on malware and guidelines are necessary so that every employee can work with their end device without causing damage to the company.
- Organisational and technical measures for implementation
Once written guidelines have been drawn up and all employees have been trained, technical measures such as MDM, encryption, authentication, network access controls and security monitoring are introduced.
Alternative concepts: COPE, CYOD, COBO
Model | BYOD | COPE | CYOD | COBO |
Meaning | Bring your own device | Corporate-owned, personally enabled | Choose your own Device | Corporate, Business only |
summary | Employees may use private devices for business purposes. | Company provides employees with devices not only for business purposes, but also for personal use. | Company provides employees with a selection of mobile devices from which they may choose which one they use for business purposes. | Device provided by the company may only be used for business purposes. |
Per | Employees have control over device selection. | Employers control the range of devices they support. | Employees have a choice of devices. | The IT department controls the device and the applications on it to ensure maximum security and ease of management. |
Per | Employees use the same phone for work and personal use. | Employees receive the benefits of a mobile device without bearing all or part of the associated costs. | The IT department determines the scope of device diversity, e.g. that only Apple iOS products are used. | The workforce is mobile. |
Contra | Comprehensive BYOD guidelines are necessary to ensure data protection and privacy. | Employees expect the freedom to choose, upgrade and share mobile devices - restrictions are undesirable. | Employees may already have a personal mobile device. | Employees have limited flexibility and control |
Contra | IT department manages an unlimited number of devices and operating systems. | Cost and management trade-offs with a mobile device plan. | Companies are responsible for devices on which personal information and applications are stored. | The organisation is responsible for the cost and management of the devices. |
Use Case | In organisations where employees already install work email and other applications on personal devices. | In organisations with security and compliance restrictions that still want to enable a mobile, flexible workforce. | In organisations where employees do not already have personal mobile devices or where the IT department needs to streamline mobile device management. | Workplaces that require certain applications/mobile device functions outside the workplace. Devices can be shared between employees. |
Conclusion: BYOD
Although BYOD offers many benefits such as flexibility and cost savings, it also brings challenges in terms of security and data protection. Organisations need to address these challenges by implementing appropriate security measures, ensuring compliance and training employees in security awareness and practices. With the right measures and precautions, BYOD can be used safely and effectively in an organisation.
Es scheint, als wären Sie auf nicht auf der gewünschten Sprachversion dieser Website gelandet. Möchten Sie wechseln?