Bring your own computer trend gives cyber pros chills, yet it’s here to stay


Your next employer might ask you to bring your own computer to work instead of providing you with one. Or you may choose to do so yourself. Cybersecurity professionals, however, call the bring-your-own-computer (BYOC) trend “a stupid nightmare” – it’s very risky.

Ivanti recently found that bring-your-own-device (BYOD) is practiced at 84% of organizations globally. Employees use their own devices for work even when it is forbidden.

It all started with mobile phones, but now laptops are increasingly also being incorporated into BYOD policies. Network defenders are having a hard time adjusting to new realities.


“Seeing more orgs move away from shipping company laptops to new hires. Instead, they’re letting people use personal machines to speed up onboarding and cut IT overhead,” one Reddit user started a discussion on the “r/cybersecurity” community with over 1.2 million members.

That quickly escalated into a dreadful emotional spectacle.

“That sounds like a stupid nightmare,” the most upvoted answer reads.

The “only way I would even consider going down this route is by using locked down virtual desktops and disabling basically anything between their laptop (no copy/paste, no USB storage, no print, etc.) and the virtual machine,” another top commenter said.

Cybernews asked cyber pros what they think about bringing your own computer. Some expect the experiment to fail, yet the trend seems to be gaining speed.

The shift is being driven by both cost-saving employers and employees seeking “work everywhere” flexibility.

However, it involves compromises for everyone. For employees, convenience comes with privacy risks – a “big brother” behind their backs. Meanwhile, companies are risking their security by allowing unmanaged devices into their networks.

What drives this trend?


According to Jeremy Rambarran, Adjunct Professor at Touro University's Graduate School of Technology, bring-your-own-computer (BYOC) has been gaining popularity since the pandemic, especially among startups, remote-first businesses looking to save provisioning costs, teams who rely heavily on contracts (media firms, dev shops), and businesses with robust cloud-native or virtual desktop infrastructure (VDI) plans.

“According to a 2023 Forrester survey, about 30% of mid-sized companies were amenable to letting employees use their own computers for work as long as certain restrictions were in place,” Rambarran noted.

The firms benefit from lower hardware, logistics costs, and provisioning-related IT overhead. They can quickly onboard new employees, especially in completely remote settings. For gig workers and contractors, this is usually the only choice.

“Employees who prefer their own equipment are happier, and it facilitates worldwide, decentralized workforces,” Rambarran said.

Many employees arbitrarily do not follow the work rules prohibiting the use of personal computers.

Diversified, a firm providing technology solutions, recently surveyed more than 1,600 US employees and found that 89% of them use their own devices or apps for work “due to better ease of use.”

Jason Kornweiss, senior vice president of advisory services for Diversified, explains that many employees don’t want to carry two of the same devices, such as phones or iPads.

“There is a clear gap between IT policies and employee needs, often leading to frustration and lower efficiency,” Kornweiss believes.

According to the survey, three-quarters of employees recognize that company devices are better secured, but prefer personal tech anyway for ease of use. Many companies are lagging behind with investments in modern technology, collaboration, AV, or other solutions for a thriving hybrid workforce. Some firms provide senior employees with better tools, causing “us vs. them” divides. So employees are “taking matters into their own hands.”

“Company tech is often clunky, outdated, or has restrictive security measures that slow down workflows,” Kornweiss said. “IT policies are too rigid, making it difficult for employees to work effectively within security constraints.”


The expert sees organizations failing to both meet security requirements and maximize the capabilities of their teams.

Dangers

Most security experts express serious concerns about the bring-your-own-computer practice.

“BYOD might seem like a way to keep costs down and allow employees to use the laptops they are most familiar with, but the potential risks far outweigh these small positives,” warns John Jackson, founder of Hitprobe, a click fraud protection platform.

“Asking employees to use their own devices means you'll never truly have control or oversight of what else is on those devices and what level of security is being maintained.”

Employers can’t effectively control what information stays on the devices when employees leave the company. If the device gets stolen or lost, the options are very limited.

The only way to properly secure the data would be to insist on some form of mobile device management (MDM) software and policy enforcement, including a remote wipe in the case of a lost device.

“But expecting an employee to agree to this on their personal machine is both unreasonable and unrealistic,” Jackson said.

John Yensen, President at Revotech Networks, says that many companies are exploring the BYOC route, but it is rarely the right call.


“Perhaps BYOC might save time during onboarding and in many cases reduce hardware costs, but I have seen it become a nightmare for security and IT teams like us,” Yensen said.

“You can't fully harden a device you do not own. Even with MDM, EDR, or virtual desktops, you're introducing variables you can’t control: outdated OS patches, conflicting software, even hardware vulnerabilities.”

For regulated industries, compliance might become next to impossible when corporate data lives on personal machines.

“The majority of people want to keep personal and business life separate. It can feel invasive when companies require staff to use personal devices (especially if monitoring tools are being installed),” Yensen said.

“In terms of regulatory and privacy issues, accessing personal devices is generally against compliance regulations such as GDPR or HIPAA. When an incident occurs and a company needs to access or secure data from a personal device, the challenge becomes more complex,” Allan Hou, Sales Director at TSL Australia, added.

Employee advocates concerned

Employee advocate Kelsey Szamet, a Partner at Kingsley Szamet Employment Lawyers, finds the growing BYOC trend troubling.

“The negatives associated with it are very high,” said Szamet.

“This practice opens privacy risks, potential employer surveillance, and blurs the lines between work duties and personal life. Many workers end up costing their company money, resolve IT issues on their own clock, and unknowingly allow access to their personal machines by their employer.”

Szamet warns that employers often require installation of security and monitoring software, which is capable of accessing personal data, and remote wiping of the device. As the burden of risks gets transferred to workers, cost-benefit analysis rarely favours them.


“Employees often don't understand that in agreeing to BYOC policies, they are also accepting the terms.”

The attorney recommends employees always ask for clear BYOD policies, understand any monitoring tools involved, and push for stipends or company-issued equipment.

“Workers have the right to maintain their privacy and shouldn’t be forced to take on extra risks or costs to make their employer’s life easier.”

Cost-benefit gains rely on workers fixing their own IT problems

The idea that BYOC saves companies money isn’t so simple. It’s true for initial hardware costs, as well as parts of support and management. But the latter plays a huge role, and unexpected costs can pop up.

“Gartner estimates 80% of total costs manifest after the initial purchase and run on average $700 per month per user when all IT expenses are considered. Much of that is spent on tools and processes to manage the device, from procurement to endpoint management to IT support,” explains Stephen Christiansen, principal security consultant at Stratascale.

If everything works well, the end user maintains the device in exchange for an annual stipend that allows them to choose the device of their liking.

“If done correctly, BYOD offers a better experience for users and potentially a higher degree of security, as you need to have an appropriate level of maturity in place. The key is a solid Zero Trust model that alleviates the need to micromanage devices,” Christiansen explains.

Zero Trust shifts the security model from the device and the network to the identity and the application. The key is to continually verify and validate the user and to use secure access solutions for applications and data, which minimizes the need for a corporate-owned and managed device.

Yet, cost savings and potential flexibility introduce security and privacy risks, and their proper management is a challenge that can be costly.


Supporting BYOC is a nightmare because it involves many different devices, OS versions, and configurations. Companies need to protect assets using MDM, patching, and EDR software, as well as have a consequence management policy.

For attackers, that mix of devices and configurations means a much larger attack surface and many more opportunities to gain access.

“Spending more on security technologies like an MDM, DLP (data loss prevention), and containerization can easily outweigh the genuine hardware cost benefits, especially when scaled up. Additionally, they may be vulnerable to possible threats of IP theft or data breaches,” Rambarran said.

“The savings are short-sighted unless a business has a solid endpoint security posture, such as having device posture checks and a zero-trust architecture.”

Satyam Patel, Head of IT and InfoSec at Kandji, noticed that many companies do not have a mature data security program and do not know “where all the critical data exists.”

In an ideal world, businesses can protect the data with correct authentication mechanisms regardless of the device.

“In a practical world, all employees have personal data on company machines. In the end, saving money on computers does not offset the security risks,” Patel said. “There is no easy cookie-cutter approach to BYOD, but I would start with a strong BYOD policy.”

Best Practices

Many experts agree that the best approach to BYOC is virtual desktop infrastructure (VDI) or browser-isolated SaaS environments. Even then, sessions remain vulnerable to infostealers on the personal machine; therefore, robust identity and access management (IAM) is key.
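One way to express the posture-tiered access that the Reddit commenter, Christiansen and Rambarran describe (verify the user continuously, check device posture, confine unmanaged BYOC machines to an isolated VDI context with clipboard, USB storage and print disabled), as an added illustration rather than code from anyone quoted in the article; the posture fields, thresholds and tier names are assumptions:

```python
"""Posture-based access tiers for BYOC (constructed example, not from the article)."""
from dataclasses import dataclass
from enum import Enum


class Tier(Enum):
    DENY = "deny"               # identity not verified: no session at all
    ISOLATED = "isolated-vdi"   # VDI / browser-isolated session; data never lands on the device
    FULL = "full"               # managed, healthy device: direct access to apps and data


@dataclass(frozen=True)
class Context:
    mfa_verified: bool      # identity signal: strong auth completed for this session
    session_age_min: int    # minutes since the last verification (continuous re-validation)
    managed: bool           # device enrolled in MDM (corporate) or not (BYOC)
    edr_running: bool
    disk_encrypted: bool
    patch_age_days: int     # days since OS patches were last applied


MAX_PATCH_AGE_DAYS = 30     # assumed thresholds; tune to your own policy
REVERIFY_AFTER_MIN = 60


def decide(ctx: Context) -> tuple[Tier, list[str]]:
    """Return the access tier plus the reasons, so every decision is auditable."""
    # 1. Verify the identity first; no device signal substitutes for it.
    if not ctx.mfa_verified:
        return Tier.DENY, ["mfa-missing"]
    if ctx.session_age_min > REVERIFY_AFTER_MIN:
        return Tier.DENY, ["session-stale"]
    # 2. Device posture decides how much the session may touch directly.
    reasons = []
    if not ctx.managed:
        reasons.append("unmanaged-device")
    if not ctx.edr_running:
        reasons.append("edr-missing")
    if not ctx.disk_encrypted:
        reasons.append("disk-unencrypted")
    if ctx.patch_age_days > MAX_PATCH_AGE_DAYS:
        reasons.append("patches-stale")
    # Any shortfall drops the session into the isolated context; only a managed,
    # healthy device is granted full access.
    return (Tier.FULL, ["managed-healthy"]) if not reasons else (Tier.ISOLATED, reasons)


def session_controls(tier: Tier) -> dict[str, bool]:
    """Channels that would let data leave the isolated context stay off outside FULL."""
    direct = tier is Tier.FULL
    return {"clipboard": direct, "usb_storage": direct, "print": direct, "local_download": direct}
```

A personal laptop that is fully patched and running EDR still lands in the isolated tier, which is the segmentation Rambarran describes: business data never resides on the user's computer directly.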

“The secret is segmentation: business data should never reside on a user's computer directly, but rather in distinct, auditable contexts,” Rambarran noted.

Some workers will like it, some won’t, and will demand a company-provided device. It will be crucial to establish a mutually accepted policy.

Many pros recommend refraining from implementing BYOC.

“BYOC, in most real-world cases, is a short-sighted decision that saves pennies and risks dollars,” Yensen from Revotech Networks sums up.

Roger Grimes, Data-Driven Defense Evangelist at KnowBe4, even says that the BYOD experiment that started 15-20 years ago has largely failed.

“The IT industry, in general, and the cybersecurity industry, specifically, believes the BYOD experiment proved it didn't work. Today, most employers buy your device and put up with employees using them personally for some portion of their use,” Grimes said.

Professor Rambarran, too, believes that managed corporate devices remain the safer option for the majority of businesses, particularly those that handle sensitive data, due to the security, legal, and cultural expenses.

“In adaptable, cloud-native settings with segmented systems and trustworthy users, BYOC can function effectively,” Rambarran concludes.