Key Elements That Your BYOD Policy Might Have Missed

Remote and hybrid work has emerged as the standard at many organizations, which puts considerable pressure on security teams. Today it’s getting harder and harder to maintain data and network security when people use their own computers, smartphones and tablets for work.

When formulating BYOD policies, security leaders generally cover the basics – how to handle encryption keys, MFA, acceptable use, and remote wipe. Nobody’s going to get a bonus for including these elements, and nobody’s getting fired for them either. But BYOD policies have a tendency to solidify around these no-brainer controls while the actual attack surface continues to evolve.

After all, the most damaging breaches don’t always come at you in an obvious way. And the gaps that pose real threats very rarely seem urgent at first glance. They sneak up on you, bubbling up in the background, only to be surfaced in the middle of an incident review when somebody finally says, “Wait, didn’t we actually cover this in the policy?”

Generally, policy omissions don’t take place due to carelessness, but mainly due to the fact that most of these elements live in that gray area between IT, legal, HR and compliance, so nobody quite owns them. But it’s the security team that bears primary responsibility for BYOD safety, so let’s take a look at some essential elements that every security team needs to address in a comprehensive BYOD policy.

Laptop-Specific Controls That Go Beyond Mobile MDM

The concept of BYOD policies originally emerged as a way to address security concerns around smartphones and tablets. As times have changed, many companies have simply extended these policies to include laptops, without considering the unique risks these devices pose.

Managing a mobile device that runs in a dedicated container is one thing, but an unmanaged MacBook with substantial local storage, browser extensions, USB ports, and processing power is a completely different beast. And these differences are more fundamental than most policies account for.

With this in mind, organizations should specify application control, device compliance, and system-level checks relevant to a full laptop environment rather than trying to retrofit them from mobile-first policies. This means regular checks for drive encryption, minimum OS version, and endpoint compliance. These all go far beyond what a standard MDM profile handles on a phone.
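To make the laptop-specific checks concrete, here is an added example (not code from the article or from any MDM vendor) of a small posture evaluator: it takes a device posture report and compares it against policy minimums for OS version, full-disk encryption, and a required endpoint agent. The OS thresholds, the agent name, and the report format are assumptions chosen for illustration; the sample reports are constructed. One point it demonstrates that the paragraph does not: OS versions must be compared numerically, because a plain string comparison ranks "14.2.1" above "14.10".

```python
"""Laptop posture check against BYOD policy minimums (illustrative example)."""

# Assumed policy minimums, expressed as (major, minor, patch/build) tuples.
# These values are hypothetical and would come from the organization's policy.
MINIMUM_OS = {
    "macos": (14, 0, 0),
    "windows": (10, 0, 19045),
    "ubuntu": (22, 4, 0),
}

# Assumed policy requirement: an EDR agent must be running on every enrolled laptop.
REQUIRED_AGENTS = {"edr"}


def parse_version(text):
    """Turn a dotted version string into a comparable (major, minor, patch) tuple.

    Non-numeric suffixes (e.g. "22.04 LTS") are stripped; missing components
    are padded with zeros so "14" compares equal to "14.0.0".
    """
    parts = []
    for piece in text.strip().split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def evaluate_posture(report):
    """Return a list of policy failures for one posture report (empty = compliant).

    `report` is an assumed dict shape: os, os_version, disk_encrypted, agents.
    """
    failures = []

    os_name = str(report.get("os", "")).lower()
    if os_name not in MINIMUM_OS:
        failures.append(f"unsupported OS '{os_name}'")
    else:
        actual = parse_version(str(report.get("os_version", "0")))
        minimum = MINIMUM_OS[os_name]
        if actual < minimum:
            failures.append(
                "os_version %s below minimum %s"
                % (".".join(map(str, actual)), ".".join(map(str, minimum)))
            )

    # Drive encryption is a hard requirement: an unencrypted personal laptop
    # with corporate data on it is the lost-device scenario waiting to happen.
    if not report.get("disk_encrypted", False):
        failures.append("full-disk encryption is off")

    running = {str(a).lower() for a in report.get("agents", [])}
    missing = REQUIRED_AGENTS - running
    if missing:
        failures.append("required endpoint agent(s) missing: " + ", ".join(sorted(missing)))

    return failures


# Constructed sample posture reports (not real device data).
COMPLIANT_LAPTOP = {
    "os": "macOS", "os_version": "14.4.1", "disk_encrypted": True, "agents": ["EDR", "MDM"],
}
NONCOMPLIANT_LAPTOP = {
    "os": "macOS", "os_version": "13.6.7", "disk_encrypted": False, "agents": ["MDM"],
}
OLD_WINDOWS_BUILD = {
    "os": "Windows", "os_version": "10.0.19044", "disk_encrypted": True, "agents": ["edr"],
}


if __name__ == "__main__":
    for name, rep in [("compliant", COMPLIANT_LAPTOP),
                      ("noncompliant", NONCOMPLIANT_LAPTOP),
                      ("old windows build", OLD_WINDOWS_BUILD)]:
        result = evaluate_posture(rep)
        print(name, "->", "OK" if not result else result)
```

In practice the report would be produced by an endpoint agent or collected by a script on the laptop; the point of keeping the evaluation separate is that the policy thresholds live in one reviewable place rather than being buried in per-platform tooling.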

A Defined IT Reallocation Strategy

This one almost never gets written down. When a company transitions from working only with company-issued hardware to allowing BYOD, IT generally steps back from its role in purchasing and deploying devices.

The time that was once dedicated to device procurement and management needs to be reallocated intentionally. Without a proper plan in place, these hours will disappear into reactive work.

A good BYOD policy should state how IT resources will be redirected. Maybe that means a deeper time investment in security monitoring, device onboarding processes, or security threat hunting.

This may sound more like an operational planning decision than a security policy decision. Yet it determines whether the BYOD policy achieves the improvements that it promised or simply shifts those burdens sideways. Write it down, and make it part of your framework.

Granular Data Segregation and Privacy Boundaries

Most policies include a line about separating personal and corporate data. Yet, very few provide examples of how this is supposed to look when someone is sitting at their kitchen table with their personal laptop.

What counts as corporate data? What happens if an employee pastes sensitive data into their personal note-taking application? Can IT see the employee’s browsing history on their personal devices? Can they take screenshots?

Lacking clarity here creates two main problems. First, the employees lose trust because they have no idea what kind of data is being monitored. Second, the security department loses control, because the boundaries become too vague to enforce.

NIST’s SP 1800-22 practice guide on mobile device BYOD security highlights exactly this tension. By allowing BYOD, the employer often gains access to the employee’s personal devices and the potential to observe their activity in ways that would not otherwise be possible.

A good policy will clearly define this in simple language. What the organization can and cannot see. What kind of data can be shared. What triggers a compliance review versus a privacy concern. Getting this wrong will result in lost trust and potentially legal issues for the organization.

Offboarding Protocols That Account for Data Persistence

Lost or stolen device sections in most BYOD policies are usually solid. The voluntary departure section usually isn’t. When someone leaves, what happens to the corporate data that’s on the device, the data that isn’t in a managed download folder or a managed cloud account?

Remote wipe sounds simple, but in practice it raises a bunch of complicated questions. Wiping a personal device is a legal minefield, and wiping a managed container only works if one actually exists in the first place (and only if it’s been used correctly). And these are both pretty big assumptions.

Your BYOD policy should clearly describe the process for all offboarding situations, including how to revoke access tokens, how to confirm the managed container has been deleted, and that the ex-employee signs a declaration of compliance that all corporate data has been deleted. Specify what happens if the ex-employee does not follow through on their end, and make sure to have a contingency plan in place.

The challenge of endpoint security in a remote or hybrid work environment is tough enough when you’re just dealing with active employees. Former employees with legacy corporate data on their personal devices are a whole other kettle of fish, and one that most policies do not address head on.

The Common Thread

All four of these gaps share something. They sit at the intersection of multiple stakeholders. IT, legal, HR, compliance, and the C-suite each own a piece, and when nobody owns the full picture, the policy language stays vague or gets left out entirely.

More technology won’t solve that problem. It’s purposeful cross-functional collaboration and not just checking the box that the BYOD policy was reviewed at the annual audit. The organizations that nail BYOD aren’t the ones that end up with the longest policy document. They’re the ones that keep asking, “What did we miss?”
