Bring Your Own Device Security Risks



Bring Your Own Device (BYOD) is becoming increasingly popular in the corporate environment, with many organisations looking to save money and resources, while allowing employees to use devices they are familiar with. However, BYOD brings with it a number of risks, and this article will look at Bring Your Own Device security risks and recommendations in further detail.

Recent reports from research giant Gartner suggest that bring your own device, as well as bring your own application, are the future of how employees consume services and data for their roles. The Gartner paper suggests that by 2017 half of all employers will utilise bring your own device to reduce costs and increase usability in the workplace. The same paper also states that by 2015, employees utilising mobile applications for work purposes will double. This presents a whole lot of bring your own device security risks in the immediate future. So, what is bring your own device? And what are the bring your own device security risks to consider?

Bring your own device consists of an organisation allowing an employee to use their own device to access the corporate network remotely, either from their home location or from the workplace. The benefits are clear: by allowing employees to use their own machines, the organisation can save money on procuring and managing that equipment. It also allows employees to use devices they are familiar with, and reduces the number of devices employees have to carry when they are on the move, for example.

However, with all these benefits there are a large number of bring your own device security risks that need to be considered. As the device is owned by the employee, it is also used for their own personal use and the organisation has no control over this. With this in mind, the organisation cannot apply any controls to the device to reduce the likelihood of the device being infected with malware or compromised. If the user's personal device does become infected or compromised, the attacker can use this as a platform to attack the corporate network, extract company data from the user's device or allow the malware to propagate onto the corporate network.

The main concern is that the device is outside the scope of the organisation's control. This means that the organisation would struggle to control the device from a technical perspective, for example, applying antivirus signatures or preventing the user from accessing malicious websites when browsing the Internet. With this lack of control, the organisation places itself at risk from a potentially compromised device extracting data from the corporate network when connecting remotely.

There are further complications when it comes to managing these devices. As the organisation will allow the user to bring any device, this leaves a multitude of different technologies, operating systems and applications to attempt to manage. This presents further bring your own device security risks and complications that organisations seriously need to consider when deciding whether or not to allow bring your own device.


Bring your own device is a trend that is rising, with 82% of organisations allowing some form of BYOD in 2013.

Finally, there are risks regarding the applications run on the network by BYOD. As the organisation has no control over what is being executed by the user, there are clear risks from both malicious applications and applications that utilise large amounts of bandwidth, reducing the capability of the network. This multitude of bring your own device security risks is partially manageable; however, it is strongly recommended that BYOD is not used in a sensitive environment, as the organisation can never truly control the device and secure it from compromise. The next section looks at bring your own device security recommendations, to reduce the risks of BYOD.

If organisations are determined to use BYOD, there are a number of methods that may be able to reduce the risk to an acceptable level:

1. Dual boot a secure operating system

The organisation may wish to secure the device partially by setting up dual boot on the device. This will allow the organisation to ensure that if the user is accessing the corporate network from the device, they are doing so from a secure, clean operating system. This operating system can be configured onto the device by partitioning the device and installing the operating system on a separate partition.

By doing this, the organisation can ensure that the operating system is locked down and secure. The organisation can also implement controls to ensure that the employee can only access the corporate network from a secured VPN in the clean operating system. The organisation should be aware, however, that this approach will not secure the device entirely. Many strains of malware can attach to the boot process or compromise resources that are utilised by both operating systems. Dual boot may be a viable option for some organisations, but this should be part of a risk-assessed process.

2. Mobile Device Management Software

Bring your own device security risks may also be minimised by implementing mobile device management software. This will enable the organisation to centrally apply security policies, lock down devices and perform a secure wipe remotely. Permission may need to be gained from the employee to allow this type of software, but this will allow central control of devices.


Bring your own device security risks are clear; however, they are also partially manageable. Security risks will still remain, but the organisation must consider utilising the controls outlined here to reduce the risk to an acceptable level. Bring your own device is a trend that will continue for years to come and, while organisations are embracing this, they must also consider the risks to the rest of their network.

About Lee Hazell

Lee Hazell is a cyber security consultant with a keen interest in anything tech or security related.
