An organization is considering a Bring Your Own Device (BYOD) program that lets employees access company email and files from their personal smartphones. Which of the following statements BEST describes the security impact of adopting BYOD?
A. It typically reduces the attack surface because users are more familiar with their own devices.
B. It eliminates the need for mobile-device management (MDM) because the devices are privately owned.
C. It can increase the risk of data leakage and malware infection if additional controls are not implemented.
D. It guarantees regulatory compliance because modern smartphones encrypt data by default.
Option C is correct. Allowing personally owned devices onto the corporate network widens the attack surface and can lead to data leakage, malware infection, and compliance issues unless additional controls such as mobile device management (MDM), containerization, and strong authentication are put in place. Sources such as NIST SP 1800-22 and industry analyses emphasize that BYOD introduces security and privacy risks that must be mitigated, rather than inherently improving security.
Why the other options are wrong:
Option A: User familiarity does not reduce risk; corporate IT loses visibility and control over patching, app installations, and configuration.
Option B: MDM or a similar management/control mechanism is even more important when devices are not corporately owned.
Option D: Encryption is not guaranteed on all personal devices and does not by itself ensure regulatory compliance.