Identification should include how BYOD practices can expose a network to malware and other threats, creating additional vulnerabilities in a number of ways, such as:
- Organizational controls such as password complexity and restrictions on software installation can be bypassed.
- Operating systems and software on devices used under a BYOD policy may not be patched and updated regularly.
- BYOD policies may not allow devices to run antivirus or other security software that is required for organization-owned devices.
- Devices approved under a BYOD policy can download and store sensitive organizational data. Loss, theft, or other data compromises on these devices may not be reported.
- Personal devices and portable media can contain malware and could threaten the network or infect other systems if they are allowed to connect to an organization's network.