Making BYOD Work in the Era of GDPR

Shimrit Tzur-David | April 24, 2018

The ever-expanding popularity of implementing personal, mobile devices as a tool in the workplace has brought unprecedented versatility to the business world.

While bring-your-own-device (BYOD) protocols have important benefits from an operational perspective, from a security standpoint, having a slew of additional devices connected to company networks creates a huge liability.

Nowhere is this risk more pronounced than when it comes to compliance with the fast-approaching GDPR, set to become European law at the end of next month.

GDPR requires companies to keep a tight handle on the personal data they collect from clients and store, or face heavy fines. Securing the data on corporate computers and accounts is hard enough. Personal devices add a whole new challenge, because they exist outside the domain of protective corporate firewalls and IT command-and-control mechanisms. The BYOD culture, now the expected norm for the majority of businesses and employees, opens up a long series of system endpoints that are both potential entry points for attackers and additional data storage and access locations that need to be accounted for.

For companies to achieve compliance with demanding regulation like GDPR, it is vital that they understand the risks created by BYOD and how to address them.


Commonly Unauthorized

Employees use personal devices to access and download corporate data from company cloud applications like Office 365 and Salesforce. Worse, files are often saved to personal, unauthorized storage services, further exposing the data on online platforms.

For managers to ensure that employee devices are not compromising sensitive data under GDPR, they must set protocols to discover who is accessing company data and restrict the download of personal data onto unauthorized devices.

Additionally, a company must set rules for monitoring and analyzing devices to ensure they are sufficiently compliant to be allowed access to the organization's systems. To protect their networks, organizations will need solutions that offer granular control over access. This way, managers can monitor the sessions of devices with network access.


Ease of Use

Part of any effective BYOD strategy needs to be ensuring ease of use that is compatible with security protocols. Employees need to be educated on how to easily configure and use their devices without making sensitive corporate information vulnerable to exposure. When personal devices are used as tools to interact with company systems, a smooth user experience is key. Demanding that users comply with overly rigid authentication rules, such as multiple logins or the use of complex passwords, will inevitably cause major logistical hurdles. Employees are sure to get locked out and resort to company helpdesks, or stop using applications and suffer a loss of productivity.

Furthermore, if it’s difficult or time-consuming to comply with access rules, employees will ultimately look for ways to circumvent security protocols, which is where BYOD strategies will fail when it comes to compliance.

When it comes to user experience, passwordless solutions are the next great leap for digital authentication. Going password free means streamlining the authentication process for users. By eliminating passwords as the standard authentication method, employees and managers alike are able to do away with all the challenges that come with password maintenance, including the need to store passwords and reset them, as well as all of the IT man hours necessary to address troubleshooting associated with password systems.


Under the Security Umbrella

A highly effective solution to make a BYOD system work with GDPR is for companies to set up a Single Sign-On (SSO) service for all enterprise-connected devices.

The benefits of such a strategy are twofold:

First, it keeps things simple for employee access and helps ensure users won’t lose time and energy on authentication or attempt to circumvent controls out of frustration.

On the security end, an SSO solution helps meet GDPR requirements by identifying risk factors such as unauthorized users, apps, and devices, and blocking them from interacting with the system.
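The device-aware access checks described under "Commonly Unauthorized" (who is accessing data, from which device, and whether that device may download personal data) and the SSO-side blocking of unauthorized users, apps and devices above come down to the same policy decision at the point of access. The following is an added illustration, not code from the article or from any product it describes: a small device registry with a few compliance attributes, a policy function that decides whether a session may view or download personal data, and a pass over constructed access-log records to surface the decisions a manager would want to review. The log format, field names, device ids, approved-app list and compliance attributes are all assumptions made for this example.

```python
"""Device-aware access policy for BYOD access to company cloud apps.

Added illustration only. The registry schema, the log format
(user|device_id|app|action|data_class) and the sample records are
constructed for this example, not taken from any real system.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Device:
    device_id: str
    owner: str          # employee the device is registered to
    managed: bool       # enrolled in the company's device registry / MDM
    encrypted: bool     # storage encryption enabled
    os_patched: bool    # OS at or above the required patch level


@dataclass(frozen=True)
class AccessEvent:
    user: str
    device_id: str
    app: str
    action: str         # "view" or "download"
    data_class: str     # "personal" (GDPR-relevant) or "public"


@dataclass(frozen=True)
class Decision:
    allow: bool
    reason: str


# Assumed list of company-approved cloud applications.
APPROVED_APPS = {"office365", "salesforce"}


def is_compliant(device: Device) -> bool:
    """A device may receive personal data only if every posture check passes."""
    return device.managed and device.encrypted and device.os_patched


def evaluate(event: AccessEvent, registry: Dict[str, Device]) -> Decision:
    """Granular access decision: unknown or misattributed devices and
    unapproved apps are blocked outright; downloads of personal data
    additionally require a fully compliant device."""
    device = registry.get(event.device_id)
    if device is None:
        return Decision(False, "unregistered device")
    if device.owner != event.user:
        return Decision(False, "device registered to a different user")
    if event.app not in APPROVED_APPS:
        return Decision(False, "unapproved application")
    if (event.data_class == "personal" and event.action == "download"
            and not is_compliant(device)):
        return Decision(False, "download of personal data requires a compliant device")
    return Decision(True, "allowed")


def parse_log_line(line: str) -> AccessEvent:
    """Parse one constructed log record of the form user|device|app|action|class."""
    user, device_id, app, action, data_class = line.strip().split("|")
    return AccessEvent(user, device_id, app, action, data_class)


def review(lines: List[str], registry: Dict[str, Device]
           ) -> Tuple[List[Tuple[AccessEvent, Decision]], Dict[str, int]]:
    """Evaluate every record; return the decisions and a per-reason denial count."""
    results: List[Tuple[AccessEvent, Decision]] = []
    denials: Dict[str, int] = {}
    for line in lines:
        event = parse_log_line(line)
        decision = evaluate(event, registry)
        results.append((event, decision))
        if not decision.allow:
            denials[decision.reason] = denials.get(decision.reason, 0) + 1
    return results, denials


# Constructed registry: one fully compliant device, one without encryption.
REGISTRY = {
    "dev-001": Device("dev-001", "alice", managed=True, encrypted=True, os_patched=True),
    "dev-002": Device("dev-002", "bob", managed=True, encrypted=False, os_patched=True),
}

# Constructed access records covering each branch of the policy.
SAMPLE_LOG = [
    "alice|dev-001|salesforce|download|personal",        # compliant device: allowed
    "bob|dev-002|office365|view|personal",               # registered, viewing only: allowed
    "bob|dev-002|office365|download|personal",           # unencrypted device: denied
    "carol|dev-999|salesforce|view|personal",            # unknown device: denied
    "alice|dev-001|dropbox-personal|download|personal",  # unapproved app: denied
    "bob|dev-001|office365|view|public",                 # device belongs to alice: denied
]

if __name__ == "__main__":
    results, denials = review(SAMPLE_LOG, REGISTRY)
    for ev, dec in results:
        verdict = "ALLOW" if dec.allow else "DENY"
        print(f"{ev.user:6} {ev.device_id:8} {ev.app:16} {ev.action:9} "
              f"{ev.data_class:9} -> {verdict} ({dec.reason})")
    print(denials)
```

The ordering of the checks matters: identity and device registration are settled before the data classification is consulted, so a device that is unknown or not registered to the requesting user never reaches the point where it could be granted even a read-only view. The per-reason denial count is the kind of summary a manager reviewing BYOD sessions would look at first, since a rising count of "unapproved application" denials points at the personal storage services the article warns about.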


Edge on Authentication

Even with the best protocols in place, mobile device security is only as good as the accuracy of the authentication solution being deployed. To really ensure that only authorized users are accessing company data, managers need solutions that offer a high level of assurance when authenticating user identity.

To achieve this, managers will need to turn to the next generation of authentication schemes, employing technologies that defend against digital identity theft and make traditional hacking methods obsolete.

By bolstering authentication at the individual user level, companies employing BYOD can move confidently into the GDPR era, knowing that enterprise data is secure both within the corporate domain and across network endpoints.