The rise of remote and hybrid work has driven new technological trends, and among these is Bring Your Own PC (BYOPC), which is a subset of Bring Your Own Device (BYOD). BYOPC programs, according to Gartner, permit personally purchased client devices to execute enterprise applications and access company data. BYOPC is a logical extension of a remote or hybrid work program; allowing employees to use their own devices when working from their home offices makes sense and can be a cost-effective option for the business. However, BYOPC also has its downsides, namely its impacts on corporate cybersecurity. If employees are working from personally-owned devices, the organization may have decreased visibility into and control over the devices accessing corporate data and applications. As BYOPC becomes an integral part of modern business, companies must develop and implement policies that enable employees to work from personally-owned devices both efficiently and securely.
The Challenges of Securing Information in a BYOPC Environment
Remote and hybrid work environments introduce unique BYOPC security challenges for an organization, including the following:
- Security Visibility: In a BYOPC environment, an organization may lack full visibility into the devices being used by employees for business purposes. As a result, it can be more difficult for an organization to monitor the use of its data and ensure that employee devices follow corporate security policies.
- Data Security: A BYOPC policy allows employees to access corporate data on devices that are not owned by the company and may not comply with corporate security policies. This increases the risk that corporate data will be accessed and used in a way that places it at risk of breach or regulatory non-compliance.
- Insecure Devices: BYOPC policies enable employees to use devices not owned or managed by the corporate IT department. These devices may not be compliant with corporate security policies — lacking antivirus, lagging on security updates, or insecurely configured — increasing the probability of a malware infection or data breach.
- Lost and Stolen Systems: A BYOPC policy increases the probability that devices will be used outside of the office and travel between locations. As a result, the risk that these devices will be lost or stolen may be higher than with company-owned devices.
- Dual-Use Devices: BYOPC means that employees will use the same device for business and personal purposes. This increases the risk that corporate data or applications will be exposed to malware or that an unauthorized user — such as a spouse, child, or friend — will have access to company data and applications.
- Departing Employees: When an employee leaves the organization, the company can reclaim corporate devices, reducing the risk that sensitive corporate data will be lost. However, if company data is stored on a device owned by a departing employee, they may take the data with them when leaving the organization.
The Gartner Hype Cycle for Endpoint Security indicates that BYOPC Security is maturing as companies accept that BYOPC will be a crucial part of their business practices in the future. Support for BYOPC is key for sustainable remote work, and companies need to ensure that employees can work remotely from personal devices. This includes implementing a range of security controls including multi-factor authentication (MFA), endpoint security, and solutions that protect their cloud data and environments from potential attacks by compromised BYOPC devices.
Business Policy and Cost Assessments of BYOPC Policies
While implementing a Bring Your Own Computer program can be beneficial or even necessary to the business, there are numerous considerations to keep in mind while doing so, including the following:
- Reduced Procurement Costs: By allowing employees to work from their own devices, an organization eliminates the need to provide these devices. This can reduce the costs associated with procuring and configuring company-owned computers.
- Remote Work Infrastructure Support: If an organization doesn’t already support remote work, then a BYOPC policy may mandate additional infrastructure investments. For example, remote workers may need a virtual private network (VPN) to securely connect to corporate networks and applications.
- Policies: A BYOPC program may make it necessary for the organization to implement additional employee policies. For example, the company may need an Acceptable Use policy that defines what activities an employee may perform on devices that have access to corporate data and applications.
- Regulatory Compliance: Allowing employees to work from personal devices may have an impact on an organization’s regulatory compliance. For example, an organization may need to take additional steps to ensure that it is properly managing access to and securing data protected under regulations and standards such as PCI DSS and HIPAA.
- Security Policies: A BYOPC policy may mandate changes in how an organization secures its data and systems. For example, incident responders may not be able to access a system encrypted with ransomware, and the company may need additional capabilities for monitoring and securing devices not connected to the corporate network.
Advantages and Disadvantages of Bringing Your Own Computer to Work
Supporting a BYOPC policy can provide significant benefits to a company and its employees, including the following:
- Cost Savings: BYOPC has the potential to provide cost savings to the organization. For example, the company doesn’t need to provide devices to employees who bring their own.
- Scalability and Agility: BYOPC can help to eliminate friction when onboarding new employees or upgrading employees’ devices. If the employee brings their own preferred device, the company avoids the delays associated with procuring, configuring, and sending one for them.
- Employee Satisfaction: BYOPC policies tend to have a positive impact on employee job satisfaction and retention. The convenience of working from their own preferred device provides a significant morale boost to employees.
- Productivity: Along with employee satisfaction, BYOPC can also improve employee productivity. An employee’s personal device is one that they selected, configured, and are comfortable using, eliminating the learning curve that may exist with company-owned devices.
A BYOPC policy also has disadvantages, including the following:
- Cost: While BYOPC may reduce the cost of employee endpoints, it may increase other costs. For example, the organization may need to purchase and deploy solutions designed to secure the remote workforce.
- Infrastructure Complexity: BYOPC means that every employee may be working from a different type of device. The resulting variety of devices can increase the complexity of monitoring and securing all of these workstations.
- Implementation Challenges: Implementing a secure, usable BYOPC program can be difficult and time-consuming. This is especially true if employees use a variety of devices, and solutions must work for every user.
- User Support: IT staff are responsible for providing tech support to employees and enabling them to do their jobs. The infrastructure complexity caused by a BYOPC policy can make it more difficult for IT staff to diagnose and fix users’ issues.
- User and Data Privacy: Securing corporate data with a BYOPC policy means that the company needs some level of visibility into employee-owned devices. However, this can create significant privacy concerns if the company is accidentally monitoring the personal use of these devices.