BYOD security warning: You can't do everything securely with just personal devices

New National Cyber Security Centre guidance looks to find a balance between BYOD and security -- and warns if BYOD devices have admin privileges, those privileges should be removed immediately.
Written by Danny Palmer, Senior Writer

Remote working has become far more commonplace over the past year. Still, even as some employees start returning to the office, businesses must be aware that there should be limitations to staff using their own laptops and other devices inside a corporate environment. 

Bring Your Own Device (BYOD) brings many benefits, but the National Cyber Security Centre (NCSC) has detailed certain situations where it should never be considered because of the cybersecurity risks it could create.

"You cannot do all your organisation's functions securely with just BYOD, no matter how well your solution may be configured," say new guidelines from the NCSC.

"If you've given BYOD users admin access to company resources, revoke that access immediately," NCSC said.

If a personal device is compromised by cybercriminals, they could use that admin access to reach critical systems and functions using legitimate administration tools. That could allow cyberattackers to steal data and lay the foundations for ransomware attacks and other malware campaigns.

"Existing BYOD deployments need review. Potentially, you need to undo some of those quick fixes and start afresh," the agency said.

BYOD is the idea of allowing employees to use their personally owned devices for work. It can be a complex topic as we increasingly use personal devices for everything from answering emails to managing critical services and hardware. 

While businesses also issue the same or similar devices, a personal device is configured differently from a corporate device, making things more complicated and leading to additional security risks.

When the COVID-19 pandemic first started and many organisations and their employees suddenly had to adapt to working from home, the main concern was just ensuring that people could continue to do their jobs – in some cases, with employees using their own laptops in order to do so.

But if businesses haven't done so already, it's time to think about what can and can't be done with BYOD devices in order to ensure that employees are productive but are also secure.  

"This 'just make it work' mentality is entirely understandable, but the time has come to deal with those wounds," the NCSC said.

The level of access and trust BYOD devices have depends on the organisation and the user's role. Still, some things all businesses need to consider when making this decision are what employees need to do, what employees need from a device, and what needs to be done in order to ensure the security and privacy of corporate data on their personal device.  

It's a complex issue, but NCSC advises that in order to get the best results, organisations shouldn't rush into any decisions. 
