Remote and hybrid work have made Bring Your Own Device (BYOD) a common practice
-
Nearly 70% of businesses have BYOD policies allowing staff to use personal laptops, phones or tablets for work.
-
Studies show that 92% of successful cyber attacks originate from an unmanaged endpoint, making BYOD security a top concern.
-
Learn what unmanaged devices are and how they end up on corporate networks.
-
Why the threats they pose (from data leaks to malware) can affect your business.
-
How to proactively defend against them using strategies like Zero Trust.
-
What to do if a rogue device is detected or causes a breach.
-
We’ll also highlight how frameworks like Cyber Essentials (CE) and NCSC guidance support these efforts.
What Are Unmanaged Devices and How Do They Get on the Network?
Unmanaged devices are any endpoints accessing corporate systems that are not under the organisation’s direct control or standard configuration. This typically includes personal devices used in BYOD scenarios – for example, an employee’s own smartphone syncing work email. It can also include contractor or third-party devices, and even rogue or “shadow IT” assets that employees use without IT’s knowledge. If the device isn’t provisioned, secured and continuously monitored by IT, it’s unmanaged from the company’s perspective.
How do these devices end up on corporate networks? There are several common paths:
Bring Your Own Device policies
- Many organisations permit BYOD to boost flexibility and reduce hardware costs. Employees enjoy using familiar personal devices, and companies save on purchasing equipment. Over 80% of organisations allow BYOD in some form, so personal laptops, tablets, and phones routinely connect to business applications.
Remote work and external partners
- With widespread remote work, staff may log in from home PCs or unmanaged tablets. Contractors, vendors, or partners might access your systems using their own devices as well. Without strict controls, these endpoints mix into your network environment.
Shadow IT and unauthorized hardware
- Sometimes employees connect devices outside of policy – e.g. plugging in an unsanctioned USB device or setting up their own network device – often in an attempt to work more effectively. If official channels are too restrictive or slow, well-meaning staff might seek “workarounds” that inadvertently introduce shadow IT.
IoT and miscellaneous endpoints
- Beyond phones and laptops, think of smart gadgets, personal IoT devices, or even a random unmanaged server spun up by a department. These can quietly attach to networks without proper vetting.
These devices bypass the standard IT onboarding. They may not have corporate endpoint protection installed, may not be patched to required levels, and aren’t listed in the asset inventory. The Cyber Essentials framework now explicitly brings BYOD under its scope, meaning companies seeking certification must secure and manage personal devices just like corporate-owned ones. If unmanaged gear is accessing work data, it’s officially your responsibility to address its security.
Why Unmanaged Devices Are Risky: Threats and Impacts
When a device isn’t managed by IT, it creates a blind spot. Lack of visibility and control means the organisation cannot easily enforce security policies, monitor activity, or ensure the device is up to date. This opens the door to a variety of threats, including:
Data leakage and loss
- BYOD blurs the line between personal and work data. Sensitive files can accidentally end up in personal apps or cloud backups outside company control. An employee might inadvertently share a confidential document via a personal email or messaging app. If an unmanaged device is lost or stolen, any business data on it could be exposed – especially if there’s no remote wipe or encryption. In fact, many companies don’t enforce remote wipe on BYOD devices, making a lost phone or laptop a critical breach point. Over two-thirds of businesses have experienced significant data loss, and unsecured personal devices only increase the odds.
Malware and ransomware
- Personal devices often lack the stringent protections of managed corporate PCs. Users may download unsafe apps or click phishing links when using their own device, resulting in malware infections. Once an infected BYOD device connects to the corporate network (e.g. via VPN or office Wi-Fi), that malware can spread. Without company defence on the device, any compromise might go unnoticed until damage is done. It’s telling that ransomware operators actively target unmanaged devices – according to Microsoft, 92% of ransomware attacks in 2024 involved an unmanaged endpoint.
Unauthorised access
- An unmanaged device might not adhere to corporate authentication standards – only protected by a weak password or no PIN at all. If such a device has saved corporate logins, an attacker could potentially use it to access company data without permission. Because IT isn’t monitoring these devices, it’s harder to know who is accessing what.
Lack of patching and vulnerabilities
- Keeping software updated is a basic security practice, but on personal gear it relies on the user’s diligence and many people delay installing updates. An unmanaged laptop could be running an outdated OS or unpatched apps full of known vulnerabilities with attackers actively seek out such soft targets. If that device connects to the office network, it can act as an entry point. There’s no guarantee that an employee’s antivirus or firewall is enabled or that insecure configurations have been corrected.
Shadow IT and compliance gaps
- Unauthorised devices and apps create “shadow IT” that escapes governance. The NCSC warns that unknown assets make risk management harder and can lead to data theft or malware spread due to lack of oversight. From a compliance perspective, control cannot be demonstrated over data on unknown devices. For example, under GDPR and UK Data Protection laws, the company must protect personal data – if an employee’s unvetted device stores customer data and gets breached, the organisation is still on the hook. Cisco found that 1 in 5 organisations have experienced security events from unsanctioned IT resources, highlighting how common this issue is.
Device loss and insider threats
- Personal devices are, well, personal – employees take them everywhere. The odds of loss or theft are high. A stolen BYOD laptop that isn’t encrypted could expose volumes of company information to whomever finds it. Additionally, when employees leave the company but still have work data on their personal device, it’s hard to ensure that data is returned or wiped. Unmanaged devices complicate off-boarding and raise the risk of insider threat if data isn’t properly removed when someone exits.
In short, an unmanaged device is a bit like an unlocked back door to your secure office: perhaps nothing will happen for a while, but when an intruder eventually finds that door, you’re in trouble. The stats are sobering – almost half of companies knowingly allow these devices to access corporate resources, yet a vast majority of breaches trace back to them. The lack of visibility means threats can lurk undetected, undermining all your other security investments.
Proactive Defence: How to increase BYOD Security and Unmanaged Endpoints
The good news is that organisations can proactively mitigate BYOD security risks without completely banning personal devices. It starts with an assumption that any device could be compromised – the essence of the Zero Trust philosophy – and layering controls to limit what an unmanaged device can do. Here are key strategies:
Adopt a Zero Trust approach
Under a Zero Trust model, no device or user is inherently trusted just because it’s “inside” the network perimeter. Every access request is verified, and least-privilege access is enforced. For BYOD, this means treating personal devices as untrusted by default. Such measures can be implemented by:
Strict authentication and least privilege
- Require robust authentication (like multi-factor authentication or passkeys) for any device accessing company resources, and limit access rights to only what the user truly needs. Even if an employee is on the corporate Wi-Fi with a personal laptop, they should pass the same identity checks as if they were external.
Device posture checks
- Before allowing a BYOD device to reach sensitive apps, check that it meets basic security requirements. For example, verify the OS is up to date, the device isn’t jailbroken, and it has disk encryption enabled. Modern zero trust solutions can perform such posture assessments in real-time. If a device fails, block or sandbox its access.
Network segmentation and conditional access
- Don’t let unmanaged devices roam free on the core network. Use network segmentation to create isolated VLANs or guest networks for BYOD and unknown devices. Implement conditional access policies that restrict what resources can be reached from those networks. For instance, an unmanaged device might be allowed to use Office 365 via a secure web portal but not directly query an internal database.
Continuous monitoring and anomaly detection
- Since no device is fully trusted, behaviour should be continuously monitored. Anomalous activity originating from a personal device (e.g. large data transfers, unusual access times) should trigger alerts.
Zero Trust is increasingly recommended by security authorities worldwide, including the NCSC. By verifying every device and user, chances are significantly reduced that a forgotten laptop becomes the weakest link.
Implement Mobile Device Management policies
Device management solutions are essential to extend control over BYOD hardware. A Mobile Device Management (MDM) tool can enforce policies on enrolled personal devices in a way that balances security with user privacy. Key actions include:
Device enrolment and compliance
- Encourage or require employees to register their BYOD equipment. This allows IT to push security profiles (Wi-Fi configs, VPN settings, etc.) and set minimum standards (such as requiring a lock screen, enabling encryption, and disallowing risky apps). MDM can detect jailbroken or rooted phones, blocklist prohibited apps, and report on device health. For example, they can ensure a BYOD phone has the latest security patches and no known vulnerabilities.
Silo corporate data
- Use containers or secure workspace apps to segregate corporate information on personal devices: work emails, documents, and apps operate inside a managed container that the company can control (and wipe if needed) without affecting the user’s personal data. This approach, often provided by MDM solutions, mitigates data leakage by keeping business content isolated. If the employee leaves or loses the device, IT can remotely wipe the corporate container while leaving personal stuff untouched.
Conditional access and app controls
- Integrate your device management with access control systems. For instance, using Conditional Access policies in Microsoft 365, email or data access can be restricted to only compliant devices. Devices not enrolled or not meeting policy can be denied email sync or forced to use web versions with limited capabilities. Similarly, enforce that only approved apps can be used for work data, blocking unapproved apps from connecting to corporate services.
Remote wipe and lock
- Ensure the capability to remotely lock or erase corporate data from a BYOD device if it’s reported lost or compromised. Employees should understand and consent that this is part of BYOD usage. Having a MDM solution that can perform a selective wipe (only company data) is ideal so that personal data remains untouched.
Endpoint detection on BYOD
- Traditional antivirus might not be installed on personal machines, but solutions now exist to extend endpoint detection and response (EDR) to BYOD in a non-intrusive way. Consider tools that can scan devices for threats at the point of access.
It’s important to note that Cyber Essentials requires up-to-date software and malware protection on all devices with corporate data – including BYOD. So implementing MDM not only secures your data but also helps you remain compliant with such baseline certifications. The latest Cyber Essentials controls require the blocking of unmanaged devices from email or using MDM to enforce policies.
Strengthen policies, user awareness and culture
Technology alone isn’t a silver bullet. Clear policies and educated users are just as crucial in managing BYOD security:
Robust BYOD policy
- Draft a dedicated BYOD policy that spells out what is and isn’t allowed when using personal devices for work. This should cover acceptable use, security requirements (e.g. mandatory PIN, no jailbreaking, regular updates), and responsibilities.
Employee agreements
- Users should sign a BYOD agreement acknowledging the policy. This sets expectations and accountability.
Security awareness training
- Regularly train staff on the risks of unmanaged devices and how to use BYOD securely. Refreshers and even phishing simulation exercises can reinforce good practices.
Cyber security culture
- Encourage an open culture where employees can discuss their tech needs and challenges. The NCSC’s guidance on shadow IT notes that if staff feel they cannot get their job done with provided tools, they’ll seek unofficial solutions. So, proactively gather feedback – if people are resorting to personal devices because the corporate laptop is too locked-down to be productive, adjust policies or provide alternative solutions. It’s a balance between security and usability. By addressing legitimate needs, you reduce the temptation for employees to go around IT with unmanaged gadgets.
Technical measures and frameworks
There are additional technical measures and best practices that round out a strong defence:
Encryption everywhere
- Ensure that any device touching company data has encryption enabled. For mobile devices, enable device encryption; for USB drives, use encrypted drives only. That way, if a BYOD device is lost, the data remains unreadable without the key. Many modern phones and laptops encrypt by default, but it must be verified.
Safe access and data handling
- Use secure gateways for BYOD access. For instance, require VPN or a secure application portal rather than direct access to internal network. Deploy Data Loss Prevention (DLP) controls on cloud services to detect if a personal device is uploading sensitive data to unauthorised locations.
Application control
- Practice allow-listing or deny-listing of apps that can be used for work – allow only an approved secure messaging app for work chat on BYOD phones, and block others that are known risky. This reduces the attack surface.
Update and patch management
- Although you can’t directly patch a device you don’t own, you can enforce update policies through MDM or regularly prompt users. Some organisations send periodic reminders or even automate checks – for instance, blocking network access for devices that haven’t installed critical updates after a certain time.
UK Government guidance
- Follow best practices. The CE framework essentially mandates the following controls: firewall all devices, secure configuration, access controls, malware protection, and patch management. Achieving CE can give you confidence that you have covered the basics for all endpoints, managed or not. Aligning with these guidelines will not only improve security but also demonstrate due diligence, which is important for regulatory compliance.
By combining policies, user education, and layered technical controls, you can significantly lower the risks posed by BYOD and other rogue devices before an incident occurs. Prevention is far easier and cheaper than dealing with a breach.
Incident Response: What to Do if a Rogue Device is Detected
Despite best efforts, you may eventually encounter an unmanaged device on your network that shouldn’t be there, or worse, discover that such a device has been involved in a security incident. Quick and decisive action is crucial. Your incident response plan should include specific procedures for these scenarios.
During an incident, communication is key. Keep management and relevant teams informed. If the incident involves personal data of customers or employees, assess whether it meets the threshold for reporting to the ICO (Information Commissioner’s Office) – serious data breaches should be reported within 72 hours. This ties back into having CE and good practices in place; if you’ve followed the guidance, you’ll be better positioned to respond and demonstrate control.
Cyber & Data have incident response (IR) specialists to assist with major incidents. We can bring forensic tools and expertise to handle complex attacks or stealthy malware that may be involved with rogue devices.
The aftermath of an unmanaged device incident should galvanise improvements. Often it exposes gaps, such as an unknown VPN account or a lack of network segregation. Treat it as a catalyst to shore up those weaknesses before the next incident – which, if you implement the defences discussed earlier, is much less likely to happen. Cyber & Data’s Cyber Risk Assessment can help highlight potential gaps before they are exposed.
How CE and Cyber & Data Can Help BYOD Security
Leveraging government-backed cybersecurity frameworks can significantly aid in managing BYOD security and unmanaged devices:
This certification scheme, backed by the NCSC and IASME, outlines five fundamental security controls. BYOD falls under its scope as of the latest version. Following CE requirements means, for example, ensuring all devices (including personal ones) have up-to-date software, malware protection, and appropriate access controls. CE also emphasizes secure configuration – so if employees use their own devices, they should still adhere to secure settings. Achieving Cyber Essentials certification forces an organisation to catalogue devices and address any that don’t meet the criteria, which inherently reduces the unmanaged device risk. In short, CE provides a solid baseline and checklist to harden your environment against common threats, BYOD included. It’s also something you can showcase to clients and partners as evidence of good security hygiene.
Unmanaged and BYOD devices are an inseparable part of the modern workplace. Completely banning them isn’t realistic in most cases – instead, the goal is to embrace flexibility without sacrificing security. By understanding the risks (ranging from data breaches to malware outbreaks) and implementing a combination of Zero Trust controls, device management, user education, and incident response planning, organisations can significantly reduce their exposure to threats from rogue devices.
However, tackling this challenge can be complex. This is where CDP can assist. CDP offers expert services to help your organisation prevent, detect, and respond to threats involving unmanaged devices:
Prevention
- Our team can help design and implement robust BYOD security policies and deploy the right technical solutions. We’ll ensure your endpoint management covers personal devices without infringing on privacy, setting up things like secure containers, compliance checks, and encryption. We also provide security awareness training tailored to your workforce, so employees become your first line of defence when using their own devices.
<h6>Managed Detection & Response (MDR)
- With CDP’s MDR service, you get 24/7 monitoring of your IT environment. We use advanced tools to detect suspicious behaviour on any device – managed or unmanaged – and our analysts respond immediately to neutralise threats. This dramatically reduces dwell time for attackers and minimizes damage.
Incident Response and Cure
- In the event of a security incident, CDP’s Incident Response specialists are on hand to help contain and eradicate the threat. We have experience handling incidents involving rogue devices and can perform swift forensics to find out what happened. From isolating affected systems to cleaning up malware, we take a comprehensive approach to cure the issue and get you back to business fast. Our team can also guide you through any necessary breach notifications and post-incident improvements.
Investigation and Continuous Improvement
- Beyond the immediate incident, CDP helps with the investigation and root cause analysis. We dig into how an unmanaged device slipped through and work with you to strengthen your defences for the future. This might mean updating your network access controls, improving your device inventory, or deploying new tools to gain visibility into unknown endpoints. We aim not just to fix the problem, but to fortify your security posture so that similar incidents don’t reoccur.
No organisation should feel helpless in the face of BYOD security challenges. With the right partner, you can turn what might seem like a vulnerability into a manageable risk. CDP has the expertise in managed detection, incident response, and device security to help you strike that balance between productivity and protection.
Contact us to learn how we can tailor a solution for your environment, secure your network against unmanaged device threats, and provide peace of mind in today’s mobile and flexible working world. Your employees may bring their own devices – but together, we can bring our best defences.
✅ Take Action Now
Contact Cyber & Data Protection today to discover how our tailored cyber security solutions and training can keep your business secure in a rapidly changing threat landscape.</p>
<p>📧 Email: [email protected]
📞 Call: +44 1743 644404