For the AI era, it’s time for BYOE: Bring Your Own Ecosystem

COMMENTARY: The traditional boundaries between personal and professional digital spaces have dissolved. Today's employees seamlessly access work applications across an array of personal devices — smartphones, laptops, tablets, and sometimes even smartwatches.

Adding even more complexity, these personal devices are often employee-owned or shared. This shift created a significant challenge for enterprise security teams: these personal devices lack enterprise-level security controls, yet they've become integral to daily operations. It's time to move beyond viewing this as merely a device problem and embrace a new paradigm: Bring Your Own Ecosystem (BYOE).

[SC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts. Read more Perspectives here.]

The evolution of workplace connectivity tells a clear story. In 2015, security teams grappled with Bring Your Own Device (BYOD) — employees bringing their phones into the organization — and focused on containerizing services. By 2020, this expanded to BYODs, encompassing both personal phones and laptops, complicated by the widespread use of untrusted networks thanks to the increase in remote work.

Now in 2025, we face an even more complex landscape with the proliferation of browser-based access, software-as-a-service (SaaS) applications, and zero-trust network access (ZTNA) implementations.

We can no longer limit user access to one or two devices — we must address the entire ecosystem. Instead of forcing users down a single, constrained path, security teams need to acknowledge that users will inevitably venture into unsafe territory, and focus on strengthening the security of the broader environment. In 2015, we as security practitioners could get by with placing “do not walk on the grass” signs and ushering users down manicured pathways. In 2025, we need to create more resilient grass.

The scale of the challenge

Recent research from our international survey of more than 14,000 office workers reveals the widespread use of personal devices for work purposes. A staggering 80% of employees access work applications and services from their personal devices. More concerning: 36% don't immediately install security patches or software updates on these devices, and 26% don't consistently use VPNs when accessing work resources and are not leveraging ZTNA or a VPN alternative.

The risk extends beyond basic access. Forty percent of employees download customer data to personal devices, while 33% alter sensitive data, and 31% approve large financial transactions. And, most alarming, 63% use personal accounts on their work laptops — most commonly Google — to share work files and create documents, effectively bypassing email filtering and data loss prevention (DLP) systems.

These behaviors introduce multiple attack vectors into corporate environments. Browser-based access exposes users to risks from malicious plugins, extensions and post-authentication compromise, while the increasing reliance on SaaS applications creates opportunities for supply chain attacks. Personal accounts serve as particularly vulnerable entry points, allowing threat actors to leverage compromised credentials or stolen authentication tokens to infiltrate corporate networks.

These employee behaviors pose great risk to businesses. IT departments lack visibility and control over personal devices, which means they don’t understand the scope of the problems and thus can’t address them.

Real-world consequences

Recent breaches illustrate the dangers of this interconnected ecosystem. For example, Okta was breached in 2023 after an employee saved their service account credentials into their personal Google account, which then gave threat actors access to corporate systems. A year earlier, the company was breached after threat actors gained access to a laptop owned by a customer service subcontractor. Compromise of an external contractor’s personal account was also the source of a data breach at Uber in 2022. 

Organizations need a comprehensive approach to address these challenges. Here are some recommendations for achieving that:

  • Policy modernization: Organizations must review and update security policies, particularly those hastily implemented during the pandemic. Many companies still operate with permissive controls that were meant as temporary measures. An example of this: establishing policies for company-owned devices (managed endpoints) and employee-owned devices (unmanaged endpoints).
  • Advanced access controls: Moving beyond traditional VPNs, companies should implement modern tools like identity access management (IAM), single sign-on (SSO) products, and ZTNA. These tools authenticate and authorize each device and user individually, providing granular access control rather than broad network access.
  • Privilege management: Implement OS-level least privilege on corporate-owned devices and establish controls for browser-accessed applications. This ensures users have only the access they need for their respective roles. These controls should stay consistent across operating systems rather than being siloed.
  • Browser security: Deploy technology that allows for secure access via browsers to SaaS and cloud offerings, protecting against risks from malicious plugins and extensions, as well as abstracting or protecting authentication tokens and other sensitive cookies.
  • Security hygiene: Maintain fundamental security practices, including prompt security patch installation, regular security audits, and consistent VPN (or alternative) usage.
  • Employee education: Implement comprehensive security training and awareness programs that bridge the gap between policy and practice. Include behavioral analytics and data literacy programs to empower employees to protect both personal and corporate data. Technology only solves part of this problem.
  • Balanced controls: Recognize that different user personas require different levels of constraint. While IT users may require strict controls, workforce users need more flexibility. Implement similar security measures but adjust the "expectation of constraint" accordingly.
A look ahead

We’ve made it this far without talking about AI, but it’s important to consider these identities as part of the ecosystem as well. The shift from the current state of AI-enriched human identities to unattended (and agentic) AI identities will have a compounding effect on the complexity of securing an identity-centric perimeter.

Including these new identities in governance efforts has become important. Likewise, the BYOE approach offers a framework for addressing this compounding effect and other challenges by focusing on securing the entire digital ecosystem rather than individual devices or access points.

Brandon Traffanstedt, Field CTO, CyberArk
