Will Zero Trust Mean the End of BYOD? - Babble

Written by Mark Boyle | Mar 24, 2025 12:15:00 AM

Did you know that allowing your employees to use their personal devices to access company systems is putting your business at risk? Every unmonitored phone, tablet, or laptop is a potential gateway for all kinds of cyber attacks. And with Zero Trust security models becoming the new standard, the old “it’ll be fine” approach is no longer an option.

Over the years, I’ve worked with many UK SMBs who embraced Bring Your Own Device (BYOD) because it was cheaper, faster, and less hassle. But here’s the truth: without the right controls in place, you’re not just exposing your data, you’re also setting yourself up for compliance failures, downtime, and costly breaches. As someone who’s helped multiple businesses recover from those exact scenarios, I know how quickly things can go belly up.

If you're looking for clarity on whether BYOD can survive in a Zero Trust world, you're in the right place. In this article, I’ll walk you through what Zero Trust means for BYOD, the key risks you need to understand, and the smart, realistic steps you can take to stay secure.

The BYOD Convenience Trap

If we’re being honest (which we always are), bringing your own device is not only convenient but also the most cost-conscious option, especially for SMBs. On paper, everyone benefits: employees don’t have to carry around two phones, and companies don’t have to foot the bill for hardware or deal with logistics. That, coupled with the rise of remote and hybrid working, is predominantly why Bring Your Own Device (BYOD) has gained popularity over recent years.

However, on its own, BYOD is not a strategy – it’s a shortcut that, quite frankly, leaves your business dangerously exposed. This is where Zero Trust comes in: a security strategy firmly rooted in the “Never trust, always verify” philosophy. Sounds good, right? However, having both BYOD and Zero Trust in place creates a clash between convenience and control. Zero Trust is fundamentally at odds with the uncontrolled, diverse “Wild West” of personal devices.

The Security Risks Businesses Can’t Ignore

To have Zero Trust in place, you have to know what the device is, where it’s been, and what software is on it. Now, here’s the problem: you don’t know what you don’t know. That second-hand iPhone bought on eBay could be jailbroken. That Android handset might have malware from a dodgy app. That employee using the free hotel Wi-Fi may have just joined a network an attacker controls, with company email flowing over it.

In my experience, BYOD security risks are one of those things that most SMBs don’t think about until something bad happens. And I get it: the goal is to get work done. But it’s time to stop thinking about mobiles only as a means of communication and start treating them as an entry point into your business that needs to be protected.

Allowing BYOD in a Zero Trust framework isn’t just a technical challenge — it’s a business risk. Here are some of the biggest threats I’ve seen:

  • Malware from insecure downloads
  • Wi-Fi spoofing that tricks users into exposing sensitive info
  • Credential theft that can lead to deeper breaches
  • Deliberate or accidental data exfiltration by employees

It’s usually only when disaster has struck that SMBs reach out for help with securing their endpoints – which we’re more than happy to do. But wouldn’t it be better to have that conversation before everything’s on fire?

Zero Trust Is All About Control

Zero Trust doesn’t mean you have to ban BYOD completely. What it does mean is you need to prioritise visibility and control over convenience. Moreover, how Zero Trust is implemented in a business depends on an organisation's risk tolerance and how its environment is set up.

So while there’s no single answer, you essentially have three options that lie on a spectrum of control:

  • Fully locked-down, company-owned devices: Managed devices with strict usage policies that give you maximum control. This is the most predictable and secure option, but also the most expensive.
  • MDM with sandboxing on personal devices: This is a solid middle ground between control and convenience. Work apps are sandboxed within a secure container on personal devices using Mobile Device Management (MDM).
  • Doing nothing: AKA crossing your fingers and hoping nothing bad happens. This is where the trouble starts.

Sandboxing can work well, and we do that ourselves at Babble. While this is often the most realistic option for SMBs, it still requires proper planning, automation, and enforcement.
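Here is how that spectrum of control plays out once you turn it into a per-request access decision, the “never trust, always verify” part of Zero Trust. This is an added example written for this article, not Babble’s own tooling or any MDM vendor’s API: the three device classes mirror the three options above, while the field names, the OS baseline and the “step-up” outcome (MFA plus corporate VPN) are assumptions chosen for illustration.

```python
"""Zero Trust device-posture evaluation for BYOD (illustrative example).

Every request is evaluated on its own: nothing a device proved five minutes
ago carries over. The device classes map to the three options in the post;
field names, thresholds and the OS baseline are assumptions for this example.
"""
from dataclasses import dataclass
from enum import Enum


class Ownership(Enum):
    CORPORATE_MANAGED = "corporate-managed"    # locked-down, company-owned
    PERSONAL_CONTAINER = "personal-container"  # BYOD with an MDM work container
    UNMANAGED = "unmanaged"                    # BYOD with nothing ("doing nothing")


class Sensitivity(Enum):
    LOW = 1     # e.g. intranet notices
    MEDIUM = 2  # e.g. email and chat
    HIGH = 3    # e.g. customer personal data in GDPR scope


class Decision(Enum):
    ALLOW = "allow"
    STEP_UP = "step-up"  # allowed only after MFA and over the corporate VPN
    DENY = "deny"


@dataclass(frozen=True)
class DevicePosture:
    ownership: Ownership
    platform: str          # "ios" or "android" (assumed values)
    os_version: tuple      # e.g. (17, 4)
    jailbroken: bool       # rooted / jailbroken, as reported by the MDM agent
    mdm_attested: bool     # MDM reported compliance inside the policy window
    trusted_network: bool  # corporate LAN or VPN; False on hotel or cafe Wi-Fi


# Assumed patch baseline for the example; set this from your own estate.
MIN_OS_VERSION = {"ios": (17, 0), "android": (14, 0)}


def evaluate(device: DevicePosture, resource: Sensitivity) -> tuple:
    """Decide one request. Returns (Decision, reason)."""
    # A compromised device gets nothing, whoever owns it.
    if device.jailbroken:
        return Decision.DENY, "rooted or jailbroken device"

    baseline = MIN_OS_VERSION.get(device.platform)
    if baseline is None:
        return Decision.DENY, f"unknown platform {device.platform!r}"
    if device.os_version < baseline and resource is not Sensitivity.LOW:
        return Decision.DENY, "OS below patch baseline"

    # A managed device whose attestation has lapsed is, for this request,
    # indistinguishable from an unmanaged one: you can no longer verify it.
    effective = device.ownership
    if effective is not Ownership.UNMANAGED and not device.mdm_attested:
        effective = Ownership.UNMANAGED

    if effective is Ownership.UNMANAGED:
        if resource is Sensitivity.LOW:
            return Decision.STEP_UP, "unmanaged device: low-sensitivity only, after MFA"
        return Decision.DENY, "unmanaged device may not hold company data"

    # Managed or containerised: the device is fine, but the network is not
    # trusted just because the device is. Customer data over cafe Wi-Fi needs
    # the VPN and a fresh login first.
    if resource is Sensitivity.HIGH and not device.trusted_network:
        return Decision.STEP_UP, "untrusted network: require VPN and re-authentication"

    return Decision.ALLOW, f"{effective.value} device, compliant"


if __name__ == "__main__":
    # Constructed sample: a field engineer's personal phone on cafe Wi-Fi,
    # opening a spreadsheet of customer addresses (HIGH sensitivity).
    unmanaged = DevicePosture(Ownership.UNMANAGED, "ios", (17, 4), False, False, False)
    contained = DevicePosture(Ownership.PERSONAL_CONTAINER, "ios", (17, 4), False, True, False)
    for label, dev in (("no MDM", unmanaged), ("MDM container", contained)):
        print(label, *evaluate(dev, Sensitivity.HIGH))
```

Run it and the unmanaged phone is denied the customer spreadsheet outright, while the same phone with an attested work container is allowed only after it steps up onto the VPN. The lapsed-attestation rule is the one to keep an eye on in practice: a container whose agent stopped checking in is exactly the “retrofitted and forgotten” MDM the next section warns about.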

What You Need to Know About MDM

Some people think they can just install MDM on any old phone and call it a day. But it’s not a quick fix at all. The proper way to deploy MDM is on a clean device, before rollout. Retrofitting it to someone’s personal phone is a nightmare: you might have to wipe it, and people understandably won’t go for that.

While Microsoft and others offer “live” MDM options, they’re limited. You can certainly secure corporate apps, but the rest of the phone is still the Wild West. And that’s the point: you don’t control it (these are still people’s personal devices after all). This means the user remains accountable for keeping their device secure. If their personal WhatsApp backup introduces malware, if they ignore a software update, or if they log onto an unsecured Wi-Fi, your business still pays the price.

Read this article if you’re curious about implementing MDM the right way.

Let’s Talk GDPR — Because Regulators Will

To bring home the gravity of what’s at stake, let me tell you about a scenario I’ve seen firsthand:

A field engineer (we’ll call him Anthony) gets sent a spreadsheet with addresses and customer details for the week. Because he’s usually on the move, that document is sitting on his personal phone. In between site visits, Anthony hops onto a spoofed coffee shop Wi-Fi to check his emails. It’s his first time there, so he has no idea that he has connected his device to a fake Wi-Fi network. Within seconds, whoever runs that network is sitting in the middle of his traffic, and all of that personal data has fallen into the wrong hands.

That’s a personal data breach under GDPR: you have the legal responsibility to keep your customer data secure, no matter where it lives or whose phone it sits on. It doesn’t matter if you didn’t know. It doesn’t matter if you “did your best”. You’re still accountable. (We won’t even go into how hefty the fines are.) The thing is, most SMBs don’t realise how close they are to disaster until they’re in it. I know it’s tempting to do what’s easy. But easy doesn’t mean safe.

Your Devices, Your Decision

While Zero Trust doesn’t mean you have to ditch BYOD entirely, you still need to make a conscious decision about how you manage personal devices. There’s a way to do it securely, cost-effectively, and without disrupting your team’s workflow. You just need the right partner to help you.

The real problem isn’t BYOD itself but the lack of visibility, control, and policy around it. Every unmanaged device is an open doorway into your business. And if you’re not actively managing those endpoints, you’re just hoping no one invites themselves in.

For over 20 years, I have been helping businesses like yours avoid learning the hard way. This article is about showing you how to regain control before something goes wrong. And trust me, it’s a lot easier (and cheaper) to fix this now than after a breach.

If you’re ready to figure out the best approach for your business — whether that’s locking things down, sandboxing apps, or building a custom mobile device policy — let’s have that conversation. We’ll help you secure your mobile environment in a way that actually works for your team and your budget.