BYOD: What do organisations really know?

Welcome to the new 144 cyber warriors who joined us last week. Each week, we'll be sharing insights from the Black Hat MEA community. Read exclusive interviews with industry experts and key findings from the #BHMEA stages.

Keep up with our weekly newsletters on LinkedIn — subscribe here.

This week we’re focused on…

The realities of employees using their own devices for work, and whether organisations really understand why, when, and how much their team members are using personal devices. 

Research shows organisations don’t know as much as they think 

The 2024 State of Cybersecurity Report by Ivanti turned up some interesting findings about ‘bring your own device’ (BYOD) practices. 

Perhaps most important is this contradiction: 

Security teams said they know when employees use their own devices for work. 

But Ivanti’s research showed they don’t. 

According to the IT and security experts included in the study, BYOD is practiced at 84% of organisations around the world, in spite of the fact that only 52% actually allow it. Among the organisations that do not allow BYOD, 78% said employees do use their personal devices at work – even if it’s absolutely forbidden in company policy. 

Of the organisations that do ‘allow’ BYOD, a third don’t actually explicitly allow it – they just tolerate it or look the other way; and they don’t track it. 

This is important, because BYOD poses a relatively high risk to an organisation’s security; with unsecured endpoints that could be exploited by threat actors to gain access to the organisation’s network. The reluctance to ban or track BYOD effectively exists even among security and leadership teams that are aware of the risks. 

The office workers included in Ivanti’s research confirm the reality that BYOD is happening far more than most organisations know, with 81% admitting they use a personal device of some kind for work. Half of them are using personal devices to login to work software and networks, and 40% said their employers don’t know they’re doing this. 

For employees, the top reasons for using their own devices were: 

• They prefer the UX of their personal devices.
• Their employers don’t provide mobile devices. 

Why aren’t these organisations tracking BYOD? 

One of the key reasons why a third of the organisations in this survey don’t track BYOD is simply that they don’t have an effective way to do it. Only 63% of organisations in the survey reported having an IT and cybersecurity system that enables them to track BYOD alongside their organisation-owned devices. 

And of those that tolerate BYOD and don’t track it, many are reluctant to explicitly ban it – because that drives higher levels of shadow BYOD, when employees use personal devices without the knowledge of their employer. 

What’s the solution? 

According to Ivanti’s researchers, it’s essential that organisations achieve better visibility and control over BYOD in order to minimise the risks. 

Unified endpoint management (UEM) could be the key to unlocking this visibility, if it includes features that enable an employer to manage personal devices as well as IT assets belonging to the organisation. UEM systems can enable organisations to: 

• Set system access protocols, such as allowing the minimum necessary network access to employees using personal devices.
• Enforce strong passwords.
• Implement software updates.
• Apply force lock-out and purge features if a breach is identified or suspected.

UEM solutions also allow organisations to partition employee-owned devices, to separate personal data from work data – which means if they do have to purge work data from a device, they can do this without affecting personal data. 

We want to know what you think

Is it possible to have full visibility and control over BYOD practices? Open this newsletter on LinkedIn and tell us what you think in the comment section. We’ll see you there – and we might reach out to feature your comments in a future BHMEA newsletter. 

Do you have an idea for a topic you'd like us to cover? We're eager to hear it! Drop us a message and share your thoughts. Our next newsletter is scheduled for 25 December 2024.

Catch you next week,
Steve Durning
Exhibition Director

Join us at Black Hat MEA 2025 to grow your network, expand your knowledge, and build your business.