Community Question of the Week: What to do when all your employees bring their own devices?

  • 7 November 2022
  • 3 replies


Hey there! Welcome to Drata’s Community Question of the Week, where each Monday we discuss various situations in cybersecurity and compliance. We know that everyone’s compliance journey is unique, but there are common questions that often come up and could benefit us all. So let’s discuss!  Read on and add your comment below for a chance to win some pretty sweet Drata swag! 🎉 


Question of the week: What are some things you can do to stay compliant if you have employees that use their own devices?


(Check back with us Friday, November 18th at 12PM PST for insight to this question, directly from a Drata expert.)

3 replies


I know our internal experts are going to tap into the various frameworks, but from my experience it’s ranged anywhere from company owned devices (government) to requiring VPN use, limiting access to certain apps, and using verification apps instead of SMS.


Hey Elliot! Spot on. I know it can be tricky when it comes to this topic of BYOD. I recently learned that it can also help to have a Reservation of Rights clause in employee/contractor agreements, a specific BYOD policy, and encouraging hard drive encryption and anti-virus/anti-malware.


BYOD is a very hot topic, especially since 2020 when companies started moving to remote operations, and since that time when companies (including Drata!) were founded as entirely remote organizations. It makes sense: using BYOD machines both saves the company money and gives employees and contractors machines they’re already comfortable with. But BYOD machines come with their own security concerns and sit in an interesting space because they’re machines outside of the organization’s control boundaries. The important thing to remember is that you can outsource almost anything: machines, processes, entire business functions, but you can’t outsource the risk that your company faces.


So with that said, what do you, as the employer, need to do to stay compliant when you allow BYOD machines?


First and foremost, you need to understand that even with BYOD, you still have obligations related to keeping data secure, whether that’s internal business data or customer data. So this actually creates two approaches to managing BYOD machines. The first approach is to leverage virtual machines. Many companies take the approach of allowing BYOD machines, but requiring that all access to customer data and production infrastructure be conducted through a virtual machine, which the BYOD machine connects to. When you use this approach, you won’t need to examine the controls on the BYOD machine such as hard disk encryption.


The second, and more common, approach is to allow direct connections from the BYOD machine to production infrastructure and customer data. This is a completely valid approach, but does require you to ensure that these BYOD machines are controlled. The most common controls implemented on workstations are automatic updates, anti-virus, and hard disk encryption. The reason that these controls are implemented is to secure the workstation (by showing that it receives security updates and is being checked for malware) and to secure the data stored on that workstation (by encrypting the hard drive).


Regardless of the approach taken, it is important that you make these requirements clear to your employees and contractors. You should be very clear and direct in your policies, such as the Acceptable Use Policy, on what you require to be implemented on a BYOD machine. After you have written this out and presented this to employees/contractors, you also have to figure out how you’re going to enforce these requirements. There are a lot of nuances on how to actually enforce these, so if anyone has questions on that part, please let me know!
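As an added illustration of the two approaches in the reply above (example code, not Drata's and not part of the thread): a small policy check that scores BYOD posture records against the controls each approach calls for. The record fields, the `access_model` values and the `vm_only_access` control name are assumptions of this example; the sample fleet is constructed.

```python
"""Check BYOD workstation posture against the two access models described in
the reply: direct access needs endpoint controls, VM-only access does not."""
from dataclasses import dataclass

# Controls the reply names for workstations that connect directly to
# production infrastructure and customer data.
DIRECT_ACCESS_CONTROLS = ("auto_updates", "antivirus", "disk_encryption")
# With the virtual-machine approach the endpoint's own controls are out of
# scope; what matters is that all access goes through the VM (assumed field).
VM_ACCESS_CONTROLS = ("vm_only_access",)


@dataclass
class Device:
    owner: str
    access_model: str  # "direct" or "vm" (assumed values)
    controls: dict     # control name -> True when the control is in place


def required_controls(access_model: str) -> tuple:
    """Return the controls the Acceptable Use Policy would require."""
    if access_model == "direct":
        return DIRECT_ACCESS_CONTROLS
    if access_model == "vm":
        return VM_ACCESS_CONTROLS
    raise ValueError(f"unknown access model: {access_model}")


def missing_controls(device: Device) -> list:
    """List required controls the device does not report as implemented."""
    return [c for c in required_controls(device.access_model)
            if not device.controls.get(c, False)]


def evaluate_fleet(devices: list) -> dict:
    """Map each owner to their gaps; an empty list means compliant."""
    return {d.owner: missing_controls(d) for d in devices}


# Constructed sample posture records, not real data.
SAMPLE_FLEET = [
    Device("alice", "direct", {"auto_updates": True, "antivirus": True,
                               "disk_encryption": True}),
    Device("bob", "direct", {"auto_updates": True, "antivirus": False,
                             "disk_encryption": False}),
    Device("carol", "vm", {"vm_only_access": True, "disk_encryption": False}),
]

if __name__ == "__main__":
    for owner, gaps in evaluate_fleet(SAMPLE_FLEET).items():
        print(owner, "compliant" if not gaps else "missing: " + ", ".join(gaps))
```

Carol's unencrypted disk is not flagged because her access model is VM-only, which is exactly the scoping difference the reply describes.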