Navigating Across the Everchanging Cybersecurity Landscape
In our digital age, in which computer technology is as ubiquitous as the air we breathe, implementing Bring Your Own Device (BYOD) business practices has transitioned from a futuristic concept to a day-to-day reality for 82% of businesses[1]. BYOD is a growing corporate practice allowing employees to use their personal devices – such as smartphones, laptops, and tablets – for work purposes. This approach is part of a larger trend known as IT consumerization, whereby the integration of personal and work technology reflects changing attitudes towards traditional work environments. The mobile phone industry and the workplace are the two main contexts in which BYOD is used.
Within the mobile phone industry, BYOD denotes carriers permitting customers to activate their existing phone or other cellular device on the network, rather than being forced to buy a new device from the carrier. In the workplace, BYOD designates a policy authorizing employees to bring personally owned devices (e.g. laptops, tablets, smartphones) to work, and to use them to access privileged company information, data and applications[2].
Nevertheless, alongside the freedom it brings, BYOD opens a Pandora’s box of cybersecurity concerns. Imagine the following scenario: a single employee’s smartphone, acting as a Trojan horse, compromising an entire company’s data integrity. This situation unfolded in September 2023 at Rightway Healthcare, a medical service that Okta Inc. – an American identity and access management company based in San Francisco – uses to support employees and their dependents in finding healthcare providers and healthcare plan rates. An unidentified threat actor gained access to the network of Rightway Healthcare and made off with an eligibility census file that the vendor maintained on behalf of Okta Inc. As a result of this network intrusion, 5,000 healthcare records were leaked[3]. As alarming as it sounds, this scenario is avoidable with the right cybersecurity measures. Whether you are a growing startup or an established corporation, understanding how to navigate these turbulent waters is not just an IT matter – it is a business imperative. This is why navigating the evolving cybersecurity landscape within BYOD workplace realities is the topic of our April 2024 Newsletter.
[1] Cybersecurity Insiders. 2021 BYOD Security Report – https://pages.bitglass.com/rs/418-ZAL-815/images/CDFY21Q2BYOD2021.pdf
[2] Fortinet Glossary – https://www.fortinet.com/resources/cyberglossary/byod
[3] Ars Technica – https://arstechnica.com/security/2023/11/okta-hit-by-another-breach-this-one-stealing-employee-data-from-3rd-party-vendor/
Adaptation with Workplace Changes: Comprehending the Evolution and Popularity of BYOD
The corporate world is continuously evolving, and flexibility has become the hallmark of modern business practices. BYOD signals a workplace shift toward such flexibility, but many are still playing catch-up when it comes to understanding this trend’s implications for cybersecurity. What underlies the evolution of BYOD and why are BYOD policies increasing in popularity?
Evolving simultaneously with the digitalization of business practices, BYOD policies have been adopted by many companies because they make it easier for employees on-the-go to access information and improve productivity, both of which are valuable benefits. Moreover, BYOD policies have gained traction as employees yearn for the convenience of using their personal devices for work-related tasks. This evolution speaks to the demand for agility and flexibility in the workplace – a response to the ever-blurring lines between professional life and personal life. The popularity of BYOD is rooted in its potential to boost productivity and employee satisfaction.
Nonetheless, without the right cybersecurity strategies and knowledge of the advantages and disadvantages of BYOD, many organizations may become vulnerable to unexpected cyber incidents. BYOD can also present risks for employers who ignore its positive and negative consequences. Consequently, let us have a look at some pros and cons of a BYOD culture[1].
[1] Optimus Learning Services – https://www.optimuslearningservices.com/practical-ld/advantages-disadvantages-byod-in-learning
Pros of a BYOD Culture
The following benefits are, among others, some advantages of using BYOD:
- It allows employees to use their own devices: One of the biggest advantages of a BYOD Policy is that it allows employees to use their own devices rather than having to have them provided by the company. This can be useful in many different situations, including allowing employees to work from home and providing them with flexibility.
- It enables employees to work from home: Another advantage of using your own device is that it lets you work from home if necessary or desired by both parties (you and your boss). Employers can also choose whether or not they want an office space at all if all employees follow BYOD Policy.
- It may help to reduce costs: One of the biggest advantages of a BYOD Policy is that it may help to reduce costs for the employers. Rather than having to purchase expensive devices and software licenses, employees can use the equipment and software that they already own. This also reduces the amount of time spent setting up each device.
- It facilitates employees to be more productive: Another advantage is that employees who have their own device tend to be more productive than those who don’t. When you have a device that’s specifically designed for work and the tools you need to do your job, it is easier to stay focused on your tasks.
- It gives employees more flexibility: A BYOD Policy can also provide employees with more flexibility in their workday. Rather than being tied down by office hours, they can access files at any time from anywhere.
Cons of a BYOD Culture
The issues outlined below are, among others, some disadvantages of using BYOD:
- It can sometimes be costly for companies: The biggest drawback to BYOD is that it can cost businesses a lot more money than traditional policies. When employees have their own devices, they are not required to buy one with company funds. That means companies might need to pay for the technical support when something goes wrong. Employers may need to purchase genuine software licenses if employees’ devices do not have the required software to perform their duties.
- It may lead to data loss and cybersecurity breaches: If a company does not have control over the devices that employees use, it may be exposed to malware or other forms of malicious software. The employees could also lose their devices, which would result in loss of sensitive files and sensitive information.
- It can be an invasion of privacy: In some cases, the employer may ask for access to the device in order to make sure that it is being used correctly. This could result in an invasion of privacy and could lead to discrimination against certain employees.
- It can be difficult to manage: If employers do not have control over the devices, they may have difficulty managing them. This could result in loss of productivity due to a lack of security controls and effective management tools.
- It entails a lack of uniformity in devices: A significant drawback of the BYOD model is the diversity of devices used for office work. For example, some employees may prefer a Windows tablet and laptop, while others would be comfortable only with an iPad and a MacBook. Additionally, some may keep upgrading their smart devices every 2-3 years, while others may use the same device for many years. Having multiple devices may lead to operational and compatibility issues with a company’s software.
BYOD Culture
Advantages
- It allows employees to use their own devices.
- It enables employees to work from home.
- It may help to reduce operational costs.
- It facilitates employees to be more productive.
- It gives employees more flexibility.
Disadvantages
- It can be sometimes costly for companies.
- It may lead to data loss and cybersecurity breaches.
- It can be an invasion of privacy.
- It can be difficult to manage.
- It entails a lack of uniformity in devices.
However, with reference to the above advantages and disadvantages, one does not have to be fearful. With the right precautions and adequate BYOD security best practices explained in the following paragraphs, productivity and protection are well within a company’s reach.
BYOD Security Best Practices for Businesses
To mitigate the risks and safeguard your business in a BYOD environment, understanding and implementing best practices are non-negotiable. It is about making informed, proactive decisions to ensure the security of your company’s data is never compromised by the convenience of personal devices. Covering fundamentals, IT security and expertise enforcement, here are some BYOD best practices that strengthen the cybersecurity posture of a business[1]:
1. Communicate written BYOD security policies
Put your BYOD security policies into writing. Acceptable use policies are a given with corporate-owned devices, and they should be with personal devices that access corporate resources too. It is likely most organizations already have formal BYOD policies in place, but if you do not have such written policies, yours should include basic criteria such as what devices are allowed, their security requirements, the control given to IT over them, and a general guideline for how personal devices should be used.
2. Continuously provide security awareness training
Security awareness training is a standard BYOD security best practice that goes a long way toward mitigating risks like phishing, malware, and even physical security threats. Implement regular security awareness training, primarily around preventing account compromise or data leaks. This includes social engineering like spear-phishing down to proper use of applications like ChatGPT.
3. Reinforce account and device safety
Encourage the use of multiple passwords, paying special attention to eliminating the use of a single password across both personal and corporate applications.
And just as important, educate users about the physical security risks of using personal devices for work. These include losing a device, leaving a laptop open and unlocked while others are in the room, or even making it easy for someone to see sensitive information over your shoulder or at a glance.
4. Incorporate the Zero Trust principle
One of the most important BYOD security best practices is incorporating the Zero Trust principle of requiring every action to be checked and authorized every time. It is an effective way to minimize lateral movement in the event of account compromise and it excels at simplifying secure access to cloud, web and private applications. Consider adopting security technologies that allow you to implement the principle of least privilege so that employees on any device only have access to the tools they need to do their job. Zero Trust Network Access (ZTNA) and Zero Trust Web Access (ZTWA) are good starting points.
5. Implement strong data security controls
Stop data theft and exfiltration in its tracks. Incorporate strong data security solutions that enable you to discover, classify, prioritize, protect and monitor interactions with data. Eventually, organizations with advanced data security strategies can introduce risk-adaptive protection to automatically adjust policies based on context and user behavior to stop threats.
6. Prevent malware threats
Prevent and not just detect malware threats. Risk prevention is the name of the game when it comes to BYOD security best practices. That is why it is important to lean toward security solutions that prevent threats before they have a chance to strike, rather than tools that act after detecting a threat.
Remote Browser Isolation (RBI) and Zero Trust Content Disarm & Reconstruction (ZTCDR) are two great examples. RBI renders all websites in a safe container, letting users interact with them like normal even if they house malicious content. ZTCDR prevents files from launching known or unknown attacks by recreating documents with the verified information it extracts. Amalgamated with Secure Web Gateway (SWG), all three technologies combine to provide Zero Trust Web Access (ZTWA).
7. Get visibility into the context of your devices
Software-Defined Wide Area Networking (SD-WAN) provides a trove of security analytics for organizations on what is going on across their network. With SD-WAN, companies can use an Endpoint Context Agent (ECA) to better understand the devices and users that are accessing the network. Deployable on endpoint devices, it provides granular visibility of traffic and information about the user, device and application being used to better detect and prevent threats.
8. Secure data everywhere it goes
Extend data security everywhere. Applying and maintaining data security policies separately across all the different methods through which data is accessed only adds more complexity to BYOD policies. Data security everywhere simplifies BYOD security. Set policies once within Data Loss Prevention (DLP) and seamlessly extend them to Cloud Access Security Broker (CASB), Zero Trust Network Access (ZTNA), Zero Trust Web Access (ZTWA) or Secure Web Gateway (SWG) to apply the same protection to cloud, web, email, endpoint, network and private apps.
[1] Bryan Arnott, Senior Content Marketer & Digital Strategist at Forcepoint LLC, Nine (9) BYOD Security Best Practices You Need to Know, 3rd November 2023 – https://www.forcepoint.com/blog/insights/byod-security-best-practices
What Are the Essentials of a Secure BYOD Policy for SMEs?
Developing a robust BYOD policy requires SMEs to define acceptable use, enforce security measures, and provide training to all stakeholders. Company data must be segmented, encrypted, and remotely manageable so that risks are minimized even if a device falls into the wrong hands. Make sure that every employee understands their role in maintaining cybersecurity protocols – it is undoubtedly a collective effort with no room for ambiguity. In this regard, the Rogers Cybersecure Catalyst under the aegis of the Toronto Metropolitan University provides a free sample of a BYOD Policy that SMEs can customize for their own needs[1]. For SMEs’ convenience, the sections of that free BYOD Policy sample are: (1) Policy Brief and Purpose, (2) Scope of Policy, (3) Responsible Use, (4) Organizational Rights, (5) Risks/Liabilities/Disclaimers.
Furthermore, the Rogers Cybersecure Catalyst also offers, via free download, a very useful and practical handbook entitled 10 Steps to an Effective Cybersecurity Program: For Small and Medium-Sized Businesses[2], covering cybersecurity issues like phishing, ransomware, email compromises, passwords and insider threats.
[1] Toronto Metropolitan University, Rogers Cybersecure Catalyst – https://simply-secure.ca Free sample of BYOD Policy – https://simply-secure.ca/wp-content/uploads/2020/08/Sample-BYOD-Policy.pdf
[2] Toronto Metropolitan University, Rogers Cybersecure Catalyst – 10 Steps to an Effective Cybersecurity Program: For Small and Medium-Sized Businesses, 44 pages. Free download available at: https://simply-secure.ca/wp-content/uploads/2021/02/RCC_SMB_Handbook_10stepsEffectiveCybersecurityProgram_Final.pdf
What Are the IT Technology Solutions to Support BYOD Security?
Leveraging IT Technology efficiently is vital. Implementing Mobile Device Management (MDM) and Mobile Application Management (MAM) solutions allows businesses to monitor and control which devices and apps can access corporate data. Alongside this, employing Virtual Private Networks (VPNs) and routinely updating software build a remarkable defense against cyber threats.
Protecting company data in a BYOD environment extends beyond mere policy making. Cutting-edge IT Technology is a powerful ally in this battle, and when paired with informed and well-trained personnel, it forms an effective shield against the most inventive of cyber misdeeds. By integrating BYOD security best practices for businesses, your organization can not only promote flexibility and efficiency but also ensure a resilient and secure operational environment. Understanding the nexus between BYOD and cybersecurity is essential in steering your company towards a promising and protected future in this interconnected, digital world.
Now, let us have a look at some common cyber threats in BYOD scenarios.
Common Cyber Threats in BYOD Scenarios
The practice of allowing BYOD opens the doors to various cybersecurity threats, which are summarized as follows[1]:
1. Unauthorized applications: Unauthorized applications installed on a device can cause security concerns as the integrity, availability, and confidentiality of the organizations’ information and systems are at risk. Threat actors can use applications for malicious intent and potentially gain access to device location, network settings, the files, applications, and data stored on the device. Crypto malware can also wreak havoc on the availability and integrity of data.
2. Data leaks: BYOD devices potentially open the door to confidential or sensitive data being shared or leaked in ways that would not be possible if employees used corporately issued devices. Social Media applications and accounts are often installed and configured on personally owned devices and allow you to quickly share text, pictures, audio, and video content to a wide, and often public-facing audience.
Personally owned devices are not as secure as corporately provided devices. Personal devices allow users to access a variety of apps and websites that would likely not be permitted on a corporately issued device. Accessing some of these apps and websites can expose your organization to additional risks, such as providing threat actors additional vectors to exploit and gain access to your corporate systems and networks. BYOD devices are a target for threat actors, as these devices store a large amount of data and provide an entry point to connected corporate systems and networks. BYOD devices may be more susceptible to privacy breaches than corporate devices that do not contain personal information. Threat actors may steal your data to sell or hold it for ransom.
Users may also connect to unsecure Wi-Fi networks more often with their personal devices. Often, once you have connected your device to these networks, it will automatically reconnect in the future. Users may also download and store large amounts of data offline to avoid waiting or exceeding their bandwidth allotments. Since the device has fewer controls than your organization’s infrastructure, there is an increased chance of data leaks.
3. Privacy concerns: With the ability of most Mobile Device Management (MDM) and Unified Endpoint Management (UEM) software to allow deep insights into the user environment on the device, personal details (e.g. email, personal information stored in applications and files, location, and other aspects of a user’s identity) can be accidentally or maliciously viewed. Employees may be hesitant to provide organizational visibility into their device. Given that you have limited abilities to monitor or detect threats, this increases the attack surface.
4. Device sharing: Devices that are personally owned may be shared with family and friends. This can cause accidental information leaks and could compromise the integrity of any data stored on the device.
5. Device rooting/jailbreaking: Personally owned devices are sometimes “rooted” or “jailbroken.” This means that some of the normal security permissions are removed, giving users and applications more access to the core operating system. These devices have a higher potential to bypass security controls implemented by your organization and put your data, network, and applications at increased risk.
To mitigate this risk, you should disallow any device that has been altered beyond its intended use and permissions. It is also important to define what corporate data is permitted on a device used for BYOD purposes via policies and education. Your policies and training should provide employees guidance regarding the appropriate use (e.g.: which personal activities are permitted on the device), data protection, and security measures for their devices.
6. Lack of provisioned patching and updates: If your organization implements a BYOD model, it may limit your ability to provision and update the operating systems, applications, and desktop environments. One method your organization can use to help ensure new security updates are provided is by allowing only approved devices that meet the compliance requirements of the organization (that are patched and supported by the manufacturer) to have BYOD access.
[1] Canadian Centre for Cybersecurity, End User Device Security for BYOD – https://www.cyber.gc.ca/en/guidance/end-user-device-security-bring-your-own-device-byod-deployment-models-itsm70003
What Are the Fundamental Components of a Strong BYOD Policy?
A stalwart BYOD Policy is a linchpin in the effort to secure a safe business environment. It should clearly outline the elemental components below:
- Company expectations.
- Permissible use.
- Security requirements for employees who opt to engage in BYOD.
- Delineation of which types of devices are allowed.
- Cybersecurity protocols that must be adhered to.
- Separation of personal data and work data.
- Compliance standards.
- Employee accountability.
- Clear guidelines on the company’s rights to access, monitor, manage and wipe out company data on personal devices.
How to Enforce Security without Sacrificing Employee Privacy?
Protecting company data in a BYOD environment requires a delicate balance between stringent security measures and respecting employee privacy. It is imperative that security measures such as remote wiping capabilities, location tracking, and monitoring software are implemented with a clear communication strategy that informs employees of their rights and the intent of these protocols. Ensuring transparency in policies fosters trust and cooperation, two basic requirements for successful BYOD security management.
How to Balance Flexibility with Control?
Flexibility with control is a paradoxical yet crucial aspect of BYOD security. While employees value the flexibility of using their own devices, businesses must retain a degree of control to protect sensitive data. This includes controlling access to the corporate network, establishing restrictions on the types of company data that can be stored on personal devices, and delineating criteria for password strength and device encryption. Finding equilibrium here is key to a robust BYOD strategy.
Why Should a Device be Registered and Systems be Managed in Order to Implement BYOD Security Protocols?
A fundamental step in fortifying BYOD security involves implementing device registration and systems management. Such systems ensure that only authorized devices can access company data and resources. They help IT departments keep an inventory of connected devices, enabling them to monitor for any irregularities and respond quickly to potential cyber threats.
For example, under the Microsoft 365 or Google Workspace environment, it is important for users to install Microsoft 365 Apps or the Google Apps instead of using generic apps.
By using these apps, you can ensure a clear separation between corporate data (e.g. work emails, documents, and collaboration tools) and personal data. This separation is crucial for maintaining security and privacy. Corporate data remains within the confines of the Microsoft 365 environment or the Google Workspace, thereby reducing the risk of accidental leakage or unauthorized access. It also gives the organization the capability to erase such information on the device if needed.
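The registration requirement in this section, together with the earlier guidance to disallow rooted or jailbroken devices and to admit only patched, supported, encrypted devices, can be expressed as one access gate. The following is an added example, not taken from the sources cited in this newsletter; the field names, minimum OS versions, patch-age limit and sample inventory are all assumptions chosen for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Assumed policy values for illustration; set these from your own BYOD policy.
MIN_OS = {"android": (13, 0), "ios": (16, 0), "windows": (10, 0), "macos": (13, 0)}
MAX_PATCH_AGE_DAYS = 60


@dataclass(frozen=True)
class Device:
    """Posture attributes as an MDM/UEM agent might report them (hypothetical schema)."""
    device_id: str
    owner: str
    platform: str
    os_version: str
    last_patch: Optional[date]
    encrypted: bool
    screen_lock: bool
    rooted: bool


def parse_version(text):
    """Turn '14.2.1' into (14, 2, 1); return None if it cannot be parsed."""
    try:
        return tuple(int(part) for part in text.strip().split("."))
    except (ValueError, AttributeError):
        return None


def meets_minimum(version, minimum):
    """Compare versions after padding, so that '13' counts as '13.0'."""
    padded = version + (0,) * max(0, len(minimum) - len(version))
    return padded >= minimum


def evaluate(device_id, registry, today):
    """Return (allowed, reasons). Unknown or unreadable values fail closed."""
    device = registry.get(device_id)
    if device is None:
        return False, ["device is not registered"]
    reasons = []
    if device.rooted:
        reasons.append("device is rooted or jailbroken")
    minimum = MIN_OS.get(device.platform.lower())
    version = parse_version(device.os_version)
    if minimum is None:
        reasons.append("platform is not on the approved list")
    elif version is None:
        reasons.append("OS version could not be read")
    elif not meets_minimum(version, minimum):
        reasons.append("OS version is below the supported minimum")
    if device.last_patch is None or (today - device.last_patch).days > MAX_PATCH_AGE_DAYS:
        reasons.append("security patches are missing or out of date")
    if not device.encrypted:
        reasons.append("storage is not encrypted")
    if not device.screen_lock:
        reasons.append("no screen lock is configured")
    return not reasons, reasons


def audit(registry, today):
    """Inventory sweep: map each non-compliant registered device to its reasons."""
    findings = {}
    for device_id in registry:
        allowed, reasons = evaluate(device_id, registry, today)
        if not allowed:
            findings[device_id] = reasons
    return findings


# Constructed sample inventory (not real devices).
TODAY = date(2024, 4, 15)
REGISTRY = {
    d.device_id: d
    for d in [
        Device("lap-001", "alice", "windows", "10.0.19045", date(2024, 3, 20), True, True, False),
        Device("ph-002", "bob", "android", "14", date(2024, 4, 1), True, True, True),
        Device("tab-003", "carol", "ios", "15.7.9", date(2023, 9, 1), True, False, False),
    ]
}

if __name__ == "__main__":
    for dev_id in ["lap-001", "ph-002", "tab-003", "ph-999"]:
        allowed, why = evaluate(dev_id, REGISTRY, TODAY)
        print(dev_id, "ALLOW" if allowed else "DENY", "; ".join(why))
```

Running `audit` on a schedule gives the IT team the inventory of irregular devices, while `evaluate` is the check to call at each access request.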
Why Must Encryption and Secure Access be Used within a BYOD Workplace?
One cannot overstate the necessity of using encryption and secure access protocols in a BYOD environment. Encryption acts as a safeguard for data in transit and at rest, making it indecipherable to unauthorized intruders. Secure access mechanisms such as Virtual Private Networks (VPNs) or secure Wi-Fi connections are equally important for protecting data as it travels from the personal device to the company network.
What is the Importance of Regular Software Updates and Security Patches?
Keeping software up to date with the latest security patches is a simple yet effective defense against many cyber threats. Encouraging or even mandating regular updates for all devices participating in the BYOD program can significantly reduce the risk of vulnerabilities being exploited by attackers.
What Is the Benefit of Conducting Risk Assessments and Audits for the BYOD Security Framework?
Performing regular risk assessments and audits is essential to evaluating the effectiveness of the BYOD security framework. These practices identify potential weaknesses in the system and help develop strategies for mitigating those risks, including reviewing policy compliance and detecting any unauthorized access or data exfiltration attempts.
Why Is it Important to Train Employees in Cybersecurity Awareness by Educating Them about Best BYOD Practices?
Educating employees on the importance of cybersecurity awareness is a critical element of a secure BYOD culture. Training should include guidance on identifying and avoiding malicious attacks, recognizing phishing attempts, and following proper protocols for reporting security incidents. A well-informed workforce is the first line of defense in protecting an organization from cyber threats.
Developing an Incident Response Plan for Cybersecurity Incidents: Fillable Template Provided by the Government of Canada
In the face of a cybersecurity breach, a clearly defined incident response plan is invaluable. It should encompass the steps to be taken by employees and the IT team, from immediate containment and eradication of threats to post-incident analysis. Having a structured procedure in place guarantees a swift and effective resolution, minimizing potential damage. In this context, the Government of Canada – through the Department of Innovation, Science and Economic Development Canada – provides a fillable template of an Incident Response plan that can be customized according to the needs of your organization[1].
[1] Government of Canada: Department of Innovation, Science and Economic Development Canada, Develop an Incident Response Plan and Fillable Template – https://ised-isde.canada.ca/site/cybersecure-canada/en/certification-tools/develop-incident-response-plan-fillable-template-and-example
Leveraging Technology for Enhanced Protection: Advantages of Mobile Device Management (MDM) Software
The deployment of Mobile Device Management (MDM) software is an increasingly popular method for enhancing BYOD security. MDM solutions provide a centralized platform for monitoring and managing all personal devices within the corporate network. Through enforcing security policies, remotely wiping data on lost or stolen devices, and managing application usage, MDM software proves to be an invaluable asset in the protection of corporate data.
The Role of Virtual Private Networks (VPNs) in BYOD Security
Virtual Private Networks (VPNs) play a pivotal role in establishing secure communications between personal devices and corporate networks. By creating an encrypted tunnel for data to travel, VPNs ensure that sensitive information remains confidential and impervious to interception or tampering. When connecting to Microsoft 365 or Google Workspace, you typically do not need a VPN, since applications like Outlook, OneDrive and Gmail connect directly to the cloud servers via secure HTTPS connections. There might be specific scenarios where it is beneficial, namely:
- Remote Work: If you are working from an unsecured public Wi-Fi network, using a VPN adds an extra layer of security.
- Geographic Restrictions: Some countries or networks might restrict access to Microsoft 365 services. In such cases, a VPN can help bypass these restrictions.
MFA as a Security Must-Have for BYOD Framework
Multi-Factor Authentication (MFA) is another critical security layer that must be integrated into the BYOD framework. MFA requires all employees to provide two or more verification factors to gain access to corporate resources, significantly decreasing the likelihood of unauthorized access due to compromised credentials.
Importance of Ongoing Cybersecurity Monitoring
Continuous cybersecurity monitoring is imperative for early detection of anomalies and potential breaches. By consistently scrutinizing system activity and access logs, businesses can quickly identify and address threats before they escalate into more severe cyber incidents.
Update BYOD Policies to Reflect Emerging Threats and Technologies
The cybersecurity landscape is ever-evolving, necessitating regular updates to BYOD Policies. As new threats emerge and new technologies are adopted, policies must adapt to encompass these changes, ensuring that the organization’s security posture remains robust and proactive.
Foster a Company Culture of BYOD Cybersecurity by Creating a Shared Responsibility Model
The development of a shared responsibility model in which both the employer and the employee are accountable for upholding cybersecurity best practices is essential for a successful BYOD environment. This collective approach reinforces the idea that security is not solely an IT issue but a company-wide commitment.
Encourage Continuous Communication and Feedback
A culture of robust cybersecurity is reinforced when continuous communication and feedback loops are established. Encouraging dialogue between employees, IT staff, and management fosters transparency and enables quick action when security concerns arise. Such an approach helps to ensure that security measures remain practical, effective, and aligned with the needs of all stakeholders, creating an environment where cybersecurity is ingrained in the organizational ethos.
Conclusion
Nowadays, in our digital era whereby the distinction between professional life and personal life is constantly blurring, a BYOD Policy is not just an option but a necessity for many businesses. Embracing this unavoidable shift requires an understanding of cybersecurity implications to safeguard your most precious asset: your company data. Trust and responsibility become the two-fold pillars upon which businesses must build their BYOD strategies.
To navigate the intricate web of BYOD security best practices for businesses, one must start with clear policies that define the permissible use of personal devices in the workplace. It is paramount to balance freedom with controls in order to protect company data in a BYOD environment without stifling employee productivity. Regular training on cybersecurity awareness can further fortify your first line of defense – your employees. Keeping software updated, incorporating multi-factor authentication (MFA), and ensuring regular audits are imperative. These steps not only mitigate risks but also ensure that you stay ahead in the ever-evolving landscape of cybersecurity threats.
Implementing a BYOD Policy that prioritizes cybersecurity is a step towards empowering your workforce. With the right measures in place – such as secure connections, data encryption, and device management solutions – employees can work efficiently, securely and even remotely. A BYOD culture that emphasizes cybersecurity as a shared responsibility can transform your workforce into a powerful line of defense protecting your organization’s digital assets.
Resources, Guides and Handbooks
U.S. Department of Commerce, National Institute of Standards and Technology (NIST) Computer Security Resource Center (CSRC) Mobile Device Security – NIST SP 1800-22: Mobile Device Security: Bring Your Own Device (BYOD), September 2023, https://csrc.nist.gov/pubs/sp/1800/22/final
Cybersecurity Insiders: BYOD Security Report 2021 – https://pages.bitglass.com/rs/418-ZAL-815/images/CDFY21Q2BYOD2021.pdf
U.S. Department of Commerce, National Institute of Standards and Technology (NIST) Computer Security Resource Center (CSRC) Mobile Device Security – NIST SP 800-114: User’s Guide to Telework and Bring Your Own Device (BYOD) Security, July 2016, https://csrc.nist.gov/pubs/sp/800/114/r1/final
Government of Canada: Department of Innovation, Science and Economic Development Canada, Develop an Incident Response Plan: Fillable Template – https://ised-isde.canada.ca/site/cybersecure-canada/en/certification-tools/develop-incident-response-plan-fillable-template-and-example
Toronto Metropolitan University, Rogers Cybersecure Catalyst – https://simply-secure.ca and Sample BYOD policy – https://simply-secure.ca/wp-content/uploads/2020/08/Sample-BYOD-Policy.pdf
Toronto Metropolitan University, Rogers Cybersecure Catalyst – 10 Steps to an Effective Cybersecurity Program: For Small and Medium-Sized Businesses, a useful and practical handbook for SMEs, 44 pages. Free download available at: https://simply-secure.ca/wp-content/uploads/2021/02/RCC_SMB_Handbook_10stepsEffectiveCybersecurityProgram_Final.pdf
Canadian Centre for Cybersecurity, End User Device Security for BYOD – https://www.cyber.gc.ca/en/guidance/end-user-device-security-bring-your-own-device-byod-deployment-models-itsm70003
CNIL (Commission Nationale de l’Informatique et des Libertés). Practice Guide for the Security of Personal Data: 2024 Edition – https://www.cnil.fr/en
Center for Cyber Security Belgium – Cyber Security Coalition. Cyber Security Incident Management Guide 2021 – https://ccb.belgium.be/sites/default/files/cybersecurity-incident-management-guide-EN.pdf
SANS Institute Cybersecurity Whitepaper. Raphael Simmons (for more technical perspectives), BYOD Security Implementation for Small Organizations, December 2017 – https://www.sans.org/white-papers/38230/
Contributions
Special thanks for the financial support of the National Research Council of Canada (NRC) Industrial Research Assistance Program (IRAP).
Executive Editor: Alan Bernardi
Reviser, Proofreader & Translator: Ravi Jay Gunnoo