Secure BYOD Policies in the Enterprise

The potential security risks that BYOD policies can pose for the enterprise, and how to overcome them

The security concerns around BYOD stem from the fact that employees are bringing unmanaged devices into the corporate environment. Often the organisation has no knowledge of, or visibility into, where BYOD devices have been.

A device that has been compromised in some manner may lead to the compromise of the entire corporate infrastructure. Targeting and compromising an unmanaged and unpatched BYOD device in a coffee shop may prove easier and less time-consuming than scanning and attacking the organisation's external infrastructure in order to gain a foothold on the network.

BYOD devices will often not be subject to corporate security policies in the same way as company-issued devices. This can result in devices running outdated software with known security vulnerabilities, as the responsibility for maintaining the security of the devices is shifted from the organisation to the device owners.

Mobile Device Management

One of the most effective methods of implementing and maintaining a secure BYOD policy is to require employees to register their device with a corporate Mobile Device Management (MDM) solution that provides access to the corporate network and internal services via network authentication.

This will allow the organisation to enforce an MDM policy on the BYOD devices, while allowing the device access to specific corporate resources. MDM can often be configured to allow the user to unenrol, should they no longer wish to participate in the BYOD program. A correctly configured MDM solution will remove any corporate data from the device upon unenrolment.


BYOD programs should always be implemented with caution. Appropriate steps should be taken in order to segregate BYOD devices from other devices on the network, especially those that hold sensitive data or perform critical operations.

The safest approach would be to provide the devices with an independent network that is separated from other devices in the corporate infrastructure. It is also advisable that BYOD devices are monitored in order to detect any threats to the network originating from unmanaged devices.
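As an added example that is not part of the original article, the following Python script joins a constructed MDM inventory against constructed network-authentication log lines (the log format, the BYOD VLAN name and the minimum OS version are assumptions) and flags the two conditions discussed above: an unmanaged device that has landed outside the dedicated BYOD network, and an enrolled device running software older than the policy minimum.

```python
# Added example, not from the original article. Joins a constructed MDM inventory
# against constructed network-authentication logs to flag BYOD policy violations.
import re
from typing import Dict, List, Tuple

# Constructed MDM inventory: MAC -> (enrolled?, OS version). Real data would come from the MDM.
MDM_INVENTORY: Dict[str, Tuple[bool, str]] = {
    "aa:bb:cc:00:00:01": (True, "16.2"),
    "aa:bb:cc:00:00:02": (True, "14.8"),
    "aa:bb:cc:00:00:03": (False, "unknown"),
}

BYOD_VLAN = "vlan-byod"      # assumed name of the segregated BYOD network
MIN_OS_VERSION = (15, 0)     # assumed policy minimum, compared as a (major, minor) tuple

# Constructed log format: "<time> auth mac=<mac> user=<user> vlan=<vlan>" (not a real vendor format)
LOG_RE = re.compile(r"mac=(?P<mac>[0-9a-f:]{17}) user=(?P<user>\S+) vlan=(?P<vlan>\S+)")

SAMPLE_LOGS = """\
2024-01-01T09:00:01 auth mac=aa:bb:cc:00:00:01 user=alice vlan=vlan-byod
2024-01-01T09:00:05 auth mac=aa:bb:cc:00:00:02 user=bob vlan=vlan-byod
2024-01-01T09:01:10 auth mac=aa:bb:cc:00:00:03 user=carol vlan=vlan-corp
2024-01-01T09:02:00 auth mac=aa:bb:cc:00:00:09 user=dave vlan=vlan-corp
"""

def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '16.2' into (16, 2); unparseable versions are treated as non-compliant."""
    try:
        return tuple(int(p) for p in v.split("."))
    except ValueError:
        return (0,)

def check_byod_access(logs: str) -> List[str]:
    """Return one finding per log line that violates the segregation or patch-level policy."""
    findings = []
    for line in logs.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        mac, user, vlan = m.group("mac"), m.group("user"), m.group("vlan")
        # A MAC the MDM has never seen is treated as unmanaged.
        enrolled, os_version = MDM_INVENTORY.get(mac, (False, "unknown"))
        if not enrolled and vlan != BYOD_VLAN:
            findings.append(f"UNMANAGED_ON_{vlan}: {mac} ({user})")
        elif enrolled and parse_version(os_version) < MIN_OS_VERSION:
            findings.append(f"OUTDATED_OS_{os_version}: {mac} ({user})")
    return findings

if __name__ == "__main__":
    for finding in check_byod_access(SAMPLE_LOGS):
        print(finding)
```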



Accreditations & Certificates

MWR is an accredited member of The Cyber Security Incident Response Scheme (CSIR) approved by CREST (Council of Registered Ethical Security Testers).
MWR is certified under the Cyber Incident Response (CIR) scheme to deal with sophisticated targeted attacks against networks of national significance.
We are certified to comply with ISO 9001 and 14001 in the UK, internationally accepted standards that outline how to put effective quality and environmental management systems in place.
MWR is certified to comply with ISO 27001 to help ensure our client information is managed securely.
As an Approved Scanning Vendor MWR is approved by PCI SSC to conduct external vulnerability scanning services to PCI DSS Requirement 11.2.2.
We are members of the Council of Registered Ethical Security Testers (CREST), an organisation serving the needs of the information security sector.
MWR is a supplier to the Crown Commercial Service (CCS), which provides commercial and procurement services to the UK public sector.
MWR is a Qualified Security Assessor, meaning we have been qualified by PCI to validate other organisations' adherence to PCI DSS.
As members of CHECK we are measured against high standards set by NCSC for the services we provide to Her Majesty's Government.
MWR’s consultants hold Certified Simulated Attack Manager (CCSAM) and Certified Simulated Attack Specialist (CCSAS) qualifications and are authorized by CREST to perform STAR penetration testing services.