On a recent Monday morning, a mid-sized mortgage firm's IT director proudly reviewed his security dashboard. The metrics looked stellar—multi-factor authentication deployed, conditional access policies configured, and a Microsoft Secure Score hovering above 85%. By all measures, they'd built a model of cyber resilience.
Yet later that week, a loan officer's personal smartphone—used daily to check client files—went missing. Suddenly, that comfortable sense of safety evaporated.
It's a scenario playing out across industries. Organizations feel confident they've "checked all the boxes," only to discover a blind spot large enough to drive a data breach through.
A recent Cisco survey found 80% of companies feel moderately to very confident in their cybersecurity, even though only 3% have achieved a mature security posture by today's standards.
This gap between confidence and readiness is dangerous.
Studies estimate that as many as 90% of successful cyberattacks and 70% of data breaches originate at endpoint devices—the laptops, tablets, and phones we rely on daily.
When those endpoints fall outside the security team's control, no amount of identity verification or application security will fully protect the organization.
In a typical enterprise, identity verification, conditional access policies, and security monitoring protect every resource. Yet one employee's personal iPhone—loaded with confidential emails and client data—can bypass all of that simply by existing outside corporate oversight.
It's a false sense of security that bad actors eagerly exploit.
The biggest security risks aren't the ones you're actively monitoring—they're the ones you didn't even know existed.
And in an era when over 90% of remote workers use personal smartphones or tablets for work, it's easy to overlook these devices. We lock the front door but leave a window ajar.
The result? Over half of organizations have experienced a data breach due to insecure personal devices or BYOD.
Meanwhile, Verizon's latest data shows that more than 50% of personal devices were exposed to a mobile phishing attack – meaning many employees' phones are one click away from compromise.
The stage is set for a hard truth: even the best Zero Trust network and identity controls can be undone by an unmanaged device in an employee's pocket.
This article explores why Zero Trust isn't enough if you ignore the devices employees use, and how to close the BYOD (Bring Your Own Device) security gap for good.
We'll start by examining the gap between security "on paper" and security in reality (the Secure Score vs. real risk). Then we'll show how BYOD, if not handled properly, can undermine your entire Zero Trust program.
A real case study from a mortgage firm will illustrate the problem and solution in action.
Finally, we'll lay out a practical two-phase strategy – mobile application management (MAM) first, mobile device management (MDM) next – along with the cultural, leadership, and governance changes needed to make it stick.
The goal: to guide CIOs, CISOs, and business leaders toward true Zero Trust maturity, where identity, applications, and devices are all secured in harmony.
Many organizations gauge their security posture by metrics and checklists. One typical example is Microsoft's Secure Score – a numerical gauge of how many recommended security controls you've enabled in your Microsoft 365 environment.
A high Secure Score can indicate progress (turning on MFA, disabling legacy protocols, etc.). But a score isn't the same as real-world risk, and it can even mislead you if you take it at face value.
It's possible to game the system – for instance, by "ignoring" certain recommended actions, you can artificially boost your percentage. An executive looking at a dashboard might see an 88% score and assume the company is 88% secure, when in reality, that remaining 12% could represent a critical blind spot.
Focusing on the score alone creates a false sense of security. Automated tools reward you for checking a box ("policy enabled") even when no one actually verifies that the controls work in practice.
In other words, a company can look perfect on paper yet still be one click away from disaster.
Often, that gap exists because traditional assessments and scores don't fully account for human behavior and unmanaged technology.
BYOD is a prime example. Your Secure Score might tick up if you enforce strong passwords in Office 365. Still, it has no visibility into employees saving documents to personal cloud apps or accessing email on an unpatched Android phone.
The real risk lies in those unmonitored activities.
SIDEBAR: Beyond the Score—How Guardian Security Insights Reveals What Your Dashboard Hides
A high Secure Score looks impressive in board presentations. But it doesn't tell you whether a loan officer accessed client files on an unpatched iPhone or whether mobile devices have been carved out as exceptions to your conditional access policies.
Guardian Security Insights goes beyond surface-level metrics to identify the hidden vulnerabilities that automated dashboards miss—including policy exceptions, unmanaged BYOD devices, and security gaps that don't affect your score but dramatically increase your risk.
Guardian Security Insights automates deep analysis of your Microsoft 365 environment, delivering insights that standard Microsoft reports simply don't make easily accessible to all the stakeholders. It flags critical issues, such as "MFA enabled, not registered" users, and catches when admins toggle exceptions in Conditional Access policies—before those exceptions become breaches.
The platform bridges the gap between technical data and business decisions, providing:
Weekly executive reports showing MFA enforcement, device compliance, and configuration trends
Prioritized action plans that turn complex security data into clear to-do lists for IT teams
Trend analysis over time to prove security improvements and justify investments
Continuous accountability through automated monitoring that eliminates manual checks
Real Results
As one mortgage lender discovered after implementing Guardian Security Insights, their Secure Score jumped from 32% to over 90%—not because they changed their score, but because they finally saw and fixed the real vulnerabilities hiding in policy exceptions and overlooked configurations.
The Bottom Line
Guardian Security Insights transforms your security posture from "looks good on paper" to "actually works in practice." Because the difference between a green dashboard and genuine security is knowing what you don't know—and having the expertise to fix it.
One mortgage lender learned this the hard way when an auditor asked: "How do you secure the phones and tablets employees use to check company email?"
The IT team, proud of their high compliance marks elsewhere, confidently explained: "We have MFA turned on. We verify the user's identity—we're doing Zero Trust."
But the auditor pressed further: "What about the devices they're using to access that email?"
Silence.
The uncomfortable truth hit home: they were only verifying half the equation. Identity verification through MFA is critical—it confirms who is accessing the system. But without device trust, they had no way of knowing "what" was accessing their data.
Technically, the lender (HomeTrust, the firm profiled in the case study below) had conditional access policies in place. Their corporate laptops and desktops were subject to device health checks, compliance verification, and strict access controls. On paper, the policies looked comprehensive. The compliance dashboards showed green checkmarks across the board.
But buried in those policies were exceptions—lots of them. Mobile devices had been carved out as exceptions to avoid "breaking" email access for executives and loan officers who needed to work on the go. The IT team had rationalized it as a temporary workaround that became permanent. The reports looked clean because the exceptions weren't flagged as risks—they were simply ignored.
An employee's compromised iPhone, infected with malware from a sketchy app, could pass MFA checks all day long because the user's credentials were valid—even while malicious software exfiltrated every email the employee opened.
Identity alone gets you maybe 70% of the way to real security. The other 30% (arguably the more dangerous part) is the device. Is it running outdated software with known exploits? Is it jailbroken? Does it have encryption enabled? Has it been compromised by malware?
Without device trust, those questions go unanswered. And unanswered questions become attack vectors.
HomeTrust had built a security model that said "never trust the user, always verify"—but then completely trusted whatever device the user happened to be holding to verify. It was Zero Trust in name only.
Their Microsoft 365 Secure Score had lulled them into overlooking a glaring vulnerability: dozens of personal devices with access to client financials, completely outside corporate control.
This kind of oversight is more common than you think.
According to Cisco's 2024 Cybersecurity Readiness Index, 85% of companies report that employees use unmanaged personal devices to access company platforms. In 43% of those companies, employees spend at least one-fifth of their time accessing corporate resources through those untrusted devices.
If that isn't a recipe for unseen risk, what is?
Zero Trust architecture was supposed to eliminate blind spots by assuming breach and verifying everything. But as we'll see next, if your Zero Trust implementation doesn't extend to BYOD, you end up with what might be called "Zero Trust virtue signaling" – proudly displaying all the right security buzzwords while quietly ignoring a massive vulnerability.
It's security posturing that looks great in board presentations and compliance reports, but crumbles when real threats emerge. Organizations check the Zero Trust boxes for identity verification and network segmentation, then signal their maturity to auditors and stakeholders—while dozens or hundreds of unmanaged personal devices access their crown jewels daily.
To bridge the gap between comforting security scores and actual risk, organizations must shine a light on BYOD usage and incorporate it into their security metrics and planning.
True security maturity isn't about how many controls you've enabled or how impressive your security vocabulary sounds. It's about covering every avenue an attacker or accidental loss could exploit—including the devices your team brings to work.
Zero Trust, at its core, is founded on the mantra "never trust, always verify."
Instead of assuming a known user or their device is safe, Zero Trust requires continuous authentication and authorization for every interaction. User identity, device health, and other context must be confirmed each time.
The ideal is a world where only explicitly verified users on explicitly verified devices using verified apps can access your data. In theory, that covers personal devices too: if Jane from Finance logs in from her iPad, a Zero Trust system should verify that the iPad is trusted and compliant before granting access.
In practice, many Zero Trust deployments falter when it comes to BYOD.
ABT has observed this pattern repeatedly: companies proudly announce they're "doing Zero Trust" after rolling out MFA and deploying conditional access policies. Yet when asked about the personal phones and tablets employees use to access client data, the answer is often a nervous pause. They've secured identity and network access but ignore unmanaged devices, creating a glaring gap in the Zero Trust fabric.
This mirrors broader industry research: Cisco found that only 3% of organizations have achieved a mature security posture, despite 80% feeling confident in their cybersecurity.
The disconnect? Partial implementations that address some pillars (such as identity and partial conditional access) while neglecting others (such as mobile devices).
This piecemeal approach can increase risk by creating false confidence. Suppose an organization verifies a user's identity after login without validating the device's security posture. In that case, it may allow an infected device access to its crown jewels while assuming everything is secure.
BYOD breaks Zero Trust when organizations don't extend zero-trust principles to personal endpoints.
Consider an employee's personal smartphone that lacks the latest security patches and endpoint protection. Under a naive Zero Trust model, the employee still gets through if their password and 2FA code check out.
Once in, an attacker who has compromised that phone (through malware from a sketchy app or a phishing link) now has a foothold within your "trusted" zone – precisely what Zero Trust is designed to prevent.
The threat is real: Verizon's Mobile Security Index found mobile device compromises had doubled from the prior year, and 45% of organizations said mobile devices are their company's most significant IT security threat.
Attackers are targeting the path of least resistance, which increasingly sits in an employee's pocket.
Over 90% of successful cyberattacks and 70% of data breaches now originate on endpoint devices like phones and laptops—the devices users rely on to access corporate resources.
In ABT's experience working with mortgage companies, employees consistently view a personal phone as "their turf" – they install apps at will, connect to any Wi-Fi (coffee shops, airports, home networks), and treat it differently than a managed corporate device with security controls.
This sense of ownership breeds complacency. Users feel safe on personal devices because they're familiar and comfortable, but that psychological safety is exactly what attackers exploit.
A phone doesn't broadcast the same warning signals that a suspicious email might on a desktop with enterprise security tools. An employee might tap a malicious link in a text message or download a risky app with far less caution than they'd exercise at their desk.
The numbers bear this out: Verizon's Mobile Security Index found that more than 50% of personal devices were exposed to mobile phishing attacks. Attackers increasingly target mobile users who tap links in texts or social apps without desktop email filters or a large screen to scrutinize URLs.
ABT has seen this play out in real time: a loan officer who would never click a suspicious email at the office will thoughtlessly tap a text link on their iPhone while standing in line at Starbucks—and inadvertently compromise their access to thousands of borrower records.
Zero Trust models assume every device might be compromised until proven otherwise. But unless an organization can assess and enforce device trust on BYOD, that assumption doesn't translate into action.
ABT routinely encounters organizations where BYOD devices are completely invisible to IT—they aren't enrolled in any management system, so there's no way to tell whether they have disk encryption enabled, whether they're running an outdated OS vulnerable to known exploits, or whether malicious apps are installed.
When ABT conducts security assessments for mortgage firms, IT teams are often shocked to discover how many unmanaged devices access their systems.
The point is, you can make meaningful progress in weeks (with MAM) and continue improving over months (with MDM) rather than treating it as an all-or-nothing switch.
SIDEBAR: Want to Know What You Don't Know? Get a Guardian Security Assessment
Most IT leaders believe they have a handle on device access to their systems. Then they see the assessment results.
ABT's Guardian Security Assessment provides a comprehensive evaluation of your Microsoft 365 environment, going far beyond what your Secure Score reveals. Our expert security team performs a thorough analysis that includes:
Device inventory and compliance analysis – Discover every device accessing your systems, including unmanaged BYOD devices you didn't know existed
Conditional Access policy review – Identify exceptions, misconfigurations, and gaps that create security blind spots
MFA enforcement audit – Find users who are "MFA enabled, not registered" and other authentication vulnerabilities
Microsoft Secure Score deep-dive – Understand what your score actually means and which ignored recommendations pose the greatest risk
Personalized Cyber Defense Action Plan – Get specific, prioritized steps to achieve a robust 90%+ security posture
The assessment includes detailed instructions for implementing security policies that are missing or misconfigured, covering everything from SharePoint and OneDrive security to device management and auditing capabilities.
The Bottom Line
You can't fix what you can't see. Schedule your Guardian Security Assessment today and discover the hidden risks lurking in your environment—before an auditor or attacker finds them first.
This aligns with broader industry findings: Cisco's 2024 Cybersecurity Readiness Index reports that 85% of companies have employees using unmanaged personal devices to access company platforms.
It's no surprise, then, that Cisco found closing vulnerability gaps created by unmanaged devices was a top recommendation for improving security posture.
Until you tackle that, you don't truly have Zero Trust – you have "some trust" for devices that remain invisible to your security team.
Let's make this concrete.
Zero Trust maturity is typically measured across five pillars: Identity, Devices, Applications, Networks, and Data.
To reach full maturity, you can't skip the device pillar. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) explicitly advises agencies that all devices accessing organizational resources – whether enterprise-owned or BYOD – must be secured and managed under Zero Trust principles.
If your Zero Trust plan only covers enterprise-owned laptops while ignoring the CEO's personal iPad (which he regularly uses to view board documents), you haven't achieved complete Zero Trust. You've created a risk.
The payoff for including devices is real: organizations that completed the device pillar of Zero Trust were 21% more likely to effectively track critical systems and data, according to Cisco's analysis.
And when all Zero Trust pillars are addressed – identity, apps, devices, and more – companies report security incidents at half the rate of those with partial implementations. Half the incidents. That's the difference comprehensive Zero Trust makes, and devices are a linchpin of that comprehensiveness.
In summary, BYOD can undermine Zero Trust if left unchecked, but it doesn't have to. The key is integrating personal devices into your security architecture without compromising user experience or privacy.
Achieving that balance is tricky but possible – and our real-world example will show how one firm pulled it off.
Consider "HomeTrust Mortgage" (an anonymized example from a real ABT client).
HomeTrust is a regional mortgage lender with about 150 employees. Like many financial services companies, they operate in a highly regulated environment—handling sensitive personal and financial data requires compliance with frameworks like GLBA and state privacy laws. A breach of borrower data could devastate their business and reputation.
By 2024, HomeTrust had invested heavily in security: they moved core applications to a secure cloud workspace, enforced strong authentication, and deployed conditional access policies for Zero Trust. On paper, they were doing nearly everything right.
Yet a near-miss incident exposed a gaping hole in their defenses: employees' BYOD use.
HomeTrust's loan officers and executives often worked on the go. The company had a bring-your-own-device policy in practice—employees were allowed (and encouraged) to use their personal smartphones to check corporate email, log in to the loan origination system, and communicate with clients.
This wasn't unusual. In mortgage banking, responsiveness can make or break a deal, and mobile access is a competitive edge.
However, HomeTrust's IT department had no formal mobile device management or app protection for those devices. The unwritten assumption was that employees would "do the right thing"—keep their phone's OS updated, use a PIN lock, avoid sketchy apps—but nothing was monitored or enforced.
Meanwhile, the compliance team focused on traditional endpoints and network controls, largely overlooking mobile devices in audits.
The wake-up call came when a HomeTrust loan processor—let's call her Sarah—had her personal iPhone stolen from a coffee shop.
Normally, losing a phone is an IT hassle. In this case, it was verging on a data breach.
Sarah's phone had Outlook configured with no PIN requirement (she found it annoying, and no policy required one). It stayed logged in to several company web apps. She had customer documents in her email and text messages with clients.
When IT learned of the theft, they realized they had zero ability to remotely wipe the device or block it from accessing company email. Their Exchange email didn't have a device policy, and without an MDM, they couldn't send a wipe command.
By sheer luck, the thief wanted the hardware and quickly resold the phone—no evidence of data misuse surfaced.
But things could have easily gone sideways: that phone was packed with unencrypted sensitive information. The incident rattled the executive team.
During the post-mortem, HomeTrust's CEO asked the obvious question: How did we let this happen?
The CIO and CISO admitted that BYOD controls had fallen through the cracks. They'd been so busy strengthening identity controls, application security, and cloud access policies that they overlooked the devices many employees used daily.
It was a classic case of false security: their dashboards showed all green, yet a critical risk was growing unchecked.
The reality? 2 out of 3 businesses have experienced a mobile-related security breach, yet only 16% are fully prepared to handle mobile threats. HomeTrust was in the unprepared majority.
Determined to fix this, HomeTrust brought in ABT (Access Business Technologies) to build a solution that wouldn't kill productivity or trigger employee pushback.
As a mortgage-focused cloud security provider, ABT had seen this pattern before. Employees loved the convenience of BYOD—and for good reason. BYOD brought real productivity gains, saving an estimated $300+ per employee per year in device costs and adding up to 240 work hours annually, according to one survey.
HomeTrust didn't want to kill BYOD, and realistically, they couldn't put the genie back in the bottle. Instead, they needed to enable BYOD without sacrificing user experience or privacy.
ABT proposed a phased strategy that had worked for other clients: start with Mobile Application Management (MAM), then move to full Mobile Device Management (MDM) once the organization was ready.
Here's what HomeTrust did in each phase and how it closed the gap.
In Phase 1, the focus was on protecting corporate data at the app level on personal devices, without taking over the entire device.
This approach—Mobile Application Management—let HomeTrust tackle the most urgent risks quickly, with minimal intrusion into employees' personal lives.
Mobile Application Management (MAM) means the company controls and secures specific apps (and their data) on a device. For example, the firm can require that the Outlook app and the OneDrive app (where employees access work files) have certain protections in place.
Crucially, MAM achieves this without requiring the device to be "enrolled" or fully managed by IT. The personal stuff on the phone stays personal.
With ABT's guidance, HomeTrust's IT team rolled out Microsoft Intune App Protection Policies – a popular MAM solution – to all employees' devices.
When employees like Sarah accessed corporate email or documents on their phone, they now had to use managed apps (like the Outlook mobile app wrapped with Intune's policy).
Employees first noticed a prompt to set a 6-digit PIN for their Outlook app and enable phone encryption. It was a small change that paid dividends: if a phone was lost or stolen, the company could now issue a "selective wipe" that would erase just the corporate app data (emails, documents, etc.) while leaving personal photos and apps untouched.
This selective wipe capability addressed the exact nightmare HomeTrust faced with Sarah's lost iPhone.
Additionally, the policies prevented actions like copying text from a company email and pasting it into WhatsApp or personal Gmail, closing off a common data leakage avenue.
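To make the Phase 1 controls concrete, here is an added example in Python (not code or configuration from the article, from ABT, or from Microsoft): two App Protection Policy documents, one that merely exists and one that matches the posture described above, plus a small linter that reports which settings leave the data-leakage paths open. The property names are modeled on the shape of the Microsoft Graph iosManagedAppProtection resource, which is an assumption to verify against the Graph reference before reuse; the values are constructed for illustration.

```python
"""Added example, not the article's or ABT's configuration: an Intune-style
App Protection Policy linter. Property names follow the Microsoft Graph
iosManagedAppProtection resource as assumed here; values are constructed."""
import re
from typing import Dict, List, Optional

# A policy that exists but protects little: no app PIN, corporate text and
# documents can flow into any personal app, and mail rides along in backups.
WEAK_POLICY: Dict = {
    "displayName": "BYOD email - legacy",
    "pinRequired": False,
    "minimumPinLength": 4,
    "allowedOutboundClipboardSharingLevel": "allApps",
    "allowedOutboundDataTransferDestinations": "allApps",
    "allowedInboundDataTransferSources": "allApps",
    "saveAsBlocked": False,
    "dataBackupBlocked": False,
    "appDataEncryptionType": "useDeviceSettings",
    "periodOfflineBeforeWipeIsEnforced": "P180D",
    "minimumRequiredOsVersion": "",
}

# The Phase 1 posture from the article: 6-digit app PIN, encrypted app data,
# no copy/paste or Save As into unmanaged apps, no personal-cloud backup of
# corporate data, and automatic wipe of that data after 30 days offline
# (on-demand selective wipe is issued from the console, not set here).
HARDENED_POLICY: Dict = {
    "displayName": "BYOD email - MAM baseline",
    "pinRequired": True,
    "minimumPinLength": 6,
    "allowedOutboundClipboardSharingLevel": "managedAppsWithPasteIn",
    "allowedOutboundDataTransferDestinations": "managedApps",
    "allowedInboundDataTransferSources": "managedApps",
    "saveAsBlocked": True,
    "dataBackupBlocked": True,
    "appDataEncryptionType": "whenDeviceLocked",
    "periodOfflineBeforeWipeIsEnforced": "P30D",
    "minimumRequiredOsVersion": "16.0",
}

MAX_OFFLINE_DAYS_BEFORE_WIPE = 90  # assumed threshold for this check


def _days(iso_duration: Optional[str]) -> Optional[int]:
    """Minimal ISO 8601 day-duration parser: 'P30D' -> 30, anything else -> None."""
    m = re.fullmatch(r"P(\d+)D", iso_duration or "")
    return int(m.group(1)) if m else None


def lint_app_protection(policy: Dict) -> List[str]:
    """Return human-readable findings for settings that leave the MAM gap open.
    An empty list means the policy meets the baseline this example assumes."""
    findings: List[str] = []
    if not policy.get("pinRequired"):
        findings.append("app PIN not required: an unlocked stolen phone exposes mail")
    elif policy.get("minimumPinLength", 0) < 6:
        findings.append("app PIN shorter than 6 characters")
    if policy.get("allowedOutboundClipboardSharingLevel") == "allApps":
        findings.append("clipboard lets corporate text be pasted into any personal app")
    if policy.get("allowedOutboundDataTransferDestinations") == "allApps":
        findings.append("documents can be opened or shared into unmanaged apps")
    if not policy.get("saveAsBlocked"):
        findings.append("Save As to personal storage allowed")
    if not policy.get("dataBackupBlocked"):
        findings.append("corporate app data included in personal cloud backups")
    if policy.get("appDataEncryptionType") == "useDeviceSettings":
        findings.append("app data encryption depends on a device passcode the user may not set")
    days = _days(policy.get("periodOfflineBeforeWipeIsEnforced"))
    if days is None or days > MAX_OFFLINE_DAYS_BEFORE_WIPE:  # missing counts as never
        findings.append("corporate data not wiped after a long offline period (lost phone keeps it)")
    if not policy.get("minimumRequiredOsVersion"):
        findings.append("no minimum OS version: unpatched phones are accepted")
    return findings


def summarize(policy: Dict) -> Dict:
    """Name plus finding count, the shape a weekly report row would use."""
    findings = lint_app_protection(policy)
    return {"policy": policy["displayName"], "findings": len(findings), "detail": findings}


if __name__ == "__main__":
    for p in (WEAK_POLICY, HARDENED_POLICY):
        print(summarize(p))
```

The weak policy produces eight findings and the hardened one none; the point of running the linter against exported policy JSON rather than reading the portal is that a policy can be assigned and reported as "applied" while every one of its data-transfer settings still says allApps.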
Employee reaction to these MAM controls was notably calm.
By communicating clearly – "We're protecting company information in the apps you use for work, but we won't touch your personal stuff" – HomeTrust avoided significant pushback.
Many employees felt relieved to hear the company could now wipe corporate data if their device were lost; it gave them peace of mind, too.
There was some grumbling about entering an app PIN occasionally, but it died down quickly. It helped that HomeTrust's leadership stood firmly behind the change, with the COO emailing staff that "this minor inconvenience beats a major breach, hands down." Such leadership messaging is key (more on that later).
From a security standpoint, MAM delivered results quickly.
Within weeks, Intune's app reports revealed that 10% of devices ran outdated OS versions lacking critical patches – something IT would never have discovered otherwise.
They prompted those users to update via gentle email reminders, and Intune's conditional access rules blocked a couple of really outdated devices from accessing email until they were patched, preventing potential malware entry points.
One of the best aspects of MAM was how quickly it could be deployed and show impact. HomeTrust didn't need to purchase new hardware or force everyone onto corporate-issued phones. Within a month, they went from zero visibility into BYOD to full policy-governed access for email and documents.
There was also a legal benefit: HomeTrust's counsel updated the company's BYOD policy for employees to sign, clarifying that the company could remove its data from personal devices if necessary (like after a device loss or employment termination).
Because the MAM solution confined the "wipe" to company data alone, it sidestepped much of the anxiety employees feel about MDM wiping everything. This is a critical cultural point – employees are understandably protective of their photos, messages, and personal contacts.
Early BYOD programs that used full-device control saw horror stories, like the New York contractor whose entire phone was wiped when his contract ended – including personal photos of a deceased relative – leading to a lawsuit. HomeTrust smartly avoided that scenario with a MAM-first strategy.
As Gartner's research director, Chris Silva, noted, heavy-handed device wipes have landed companies in court, so a more nuanced approach is essential.
By the end of Phase 1, HomeTrust had achieved a significant milestone: every employee device accessing company email or apps was governed by at least baseline security controls.
They had visibility into how and when devices accessed corporate resources, as well as the ability to contain data in the event of an issue. The false sense of security was replaced with fundamental awareness – for instance, they discovered a handful of personal iPads that some executives' family members occasionally used to view work files (previously unknown; those were promptly brought under policy, or access was revoked).
In essence, MAM allowed HomeTrust to reap the benefits of BYOD (flexibility, productivity) while adding a safety harness to those personal devices.
It's worth noting that MAM alone isn't a complete solution. Gaps remained—for example, MAM couldn't ensure the device's OS was malware-free or enforce device-wide settings (such as disabling USB debugging on Android or ensuring that iCloud backups of corporate data were encrypted).
But it dramatically shrank the attack surface. A compromised personal device would have much more difficulty stealing corporate data with MAM container protections in place.
And for HomeTrust's regulators and auditors, the story changed: they could now demonstrate controls over mobile access to sensitive data, where before it was the wild west.
The success of Phase 1 built both momentum and trust for the next step: Phase 2 – extending to complete Mobile Device Management (MDM) for even stronger security and compliance.
After several months of running the MAM program, HomeTrust had significantly reduced its immediate risk.
But leadership and the IT team recognized that truly closing the BYOD gap required going further. Mobile Application Management secured the apps, but the device itself could still be a weak link.
For example, MAM can't detect if a phone is jailbroken or rooted (which might allow malicious apps to bypass containerization), and it can't enforce OS updates or block dangerous app installations.
As HomeTrust's CISO put it, "MAM was a fantastic start, but to reach Zero Trust on devices, we need the ability to verify device health and compliance, not just app policy."
So HomeTrust moved to implement Mobile Device Management (MDM) on employee devices, using ABT's MDM best-practice solution tailored for mortgage companies.
Unlike MAM, MDM enrolls the entire device under corporate management. This gives the organization much deeper control.
From a security standpoint, MDM is the gold standard for ensuring a device is trustworthy—it lets you say, "Only devices that are patched, uncompromised, encrypted, and meeting our security baseline can access company data."
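The contrast between the "naive" Zero Trust model that stops at credentials and MFA (described earlier, where a compromised phone gets through because the password and 2FA code check out) and the device baseline stated here is easiest to see in code. The following is an added example, not code from the article, from ABT, or from Intune: a toy access gate in Python that evaluates the same request twice, once on identity alone and once with device posture, and treats any signal a device never reported as a failure. The device attributes, the minimum OS version, the user name, and the sample phones are constructed assumptions.

```python
"""Toy Zero Trust access gate (added example, not the article's or ABT's code).
Device signals, thresholds, user names and sample devices are constructed."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

MIN_OS_VERSION = (17, 0)  # assumed baseline; set yours from current patch status


@dataclass
class Device:
    device_id: str
    managed: bool                          # enrolled in MDM, so posture is reported
    # Posture signals; None means "never collected", the unmanaged-BYOD reality
    os_version: Optional[Tuple[int, int]] = None
    jailbroken: Optional[bool] = None
    encrypted: Optional[bool] = None
    passcode_set: Optional[bool] = None
    sideloaded_apps: Optional[bool] = None  # apps from outside the official store


@dataclass
class AccessRequest:
    user: str
    mfa_passed: bool
    device: Device


def _check(signal, want, label: str) -> Optional[str]:
    """One posture check. An unreported signal fails: never trust, always verify."""
    if signal is None:
        return f"{label}: not reported"
    if signal != want:
        return f"{label}: {signal}"
    return None


def compliance_findings(device: Device) -> List[str]:
    """Reasons a device misses the baseline; an empty list means compliant."""
    findings: List[str] = []
    if not device.managed:
        findings.append("not enrolled in device management")
    if device.os_version is None:
        findings.append("OS version: not reported")
    elif device.os_version < MIN_OS_VERSION:
        version = ".".join(map(str, device.os_version))
        findings.append(f"OS version {version} below minimum")
    for signal, want, label in (
        (device.jailbroken, False, "jailbroken or rooted"),
        (device.encrypted, True, "storage encryption"),
        (device.passcode_set, True, "device passcode"),
        (device.sideloaded_apps, False, "apps from outside official store"),
    ):
        problem = _check(signal, want, label)
        if problem:
            findings.append(problem)
    return findings


def identity_only_gate(req: AccessRequest) -> str:
    """The naive gate: valid credentials plus MFA is enough, whatever the device."""
    return "allow" if req.mfa_passed else "deny"


def zero_trust_gate(req: AccessRequest) -> Tuple[str, List[str]]:
    """Identity AND device trust must both pass; unknown posture is a failure."""
    if not req.mfa_passed:
        return "deny", ["MFA not satisfied"]
    findings = compliance_findings(req.device)
    return ("allow", []) if not findings else ("deny", findings)


# Constructed sample devices
STOLEN_UNMANAGED_PHONE = Device("phone-A", managed=False)  # nothing reported at all
ROOTED_MANAGED_PHONE = Device("phone-B", managed=True, os_version=(17, 4), jailbroken=True,
                              encrypted=True, passcode_set=True, sideloaded_apps=True)
HEALTHY_MANAGED_PHONE = Device("phone-C", managed=True, os_version=(17, 4), jailbroken=False,
                               encrypted=True, passcode_set=True, sideloaded_apps=False)


def compare_gates(device: Device, mfa_passed: bool = True) -> dict:
    """Both decisions side by side for a user whose credentials are valid."""
    req = AccessRequest("sample-user", mfa_passed, device)
    zt_decision, findings = zero_trust_gate(req)
    return {"identity_only": identity_only_gate(req),
            "zero_trust": zt_decision, "findings": findings}


if __name__ == "__main__":
    for d in (STOLEN_UNMANAGED_PHONE, ROOTED_MANAGED_PHONE, HEALTHY_MANAGED_PHONE):
        print(d.device_id, compare_gates(d))
```

Run it and the unmanaged phone is allowed through by the identity-only gate but denied by the Zero Trust gate with six reasons, the first being that it was never enrolled; the rooted phone with valid credentials is denied for its jailbreak and sideloaded app, which is the outcome the MDM rollout below describes. The list of reasons is what a compliance status gives you, and the reason an unmanaged BYOD phone is invisible rather than merely risky: there is nothing to evaluate.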
For HomeTrust, implementing MDM was about meeting compliance obligations. Regulators like the CFPB (Consumer Financial Protection Bureau) expect financial institutions to protect customer data wherever it resides.
By making all devices that handle customer information compliant with regulatory standards through ABT's best-practice model, HomeTrust could demonstrably meet that "reasonable protection" requirement.
However, moving to MDM raised a delicate people issue: employees would have to consent to more IT oversight on their personal phones.
Some privacy-conscious staff were wary. They'd heard horror stories of employers using MDM to track locations or peek at personal data.
HomeTrust's leadership tackled this concern head-on with transparency. The IT team rolled out an FAQ clearly stating what they could and couldn't see or do with MDM.
For example:
"We cannot see your photos, personal emails, or web browsing history. What we can see is device model, OS version, and a list of installed apps (but not usage or content). We only use this to ensure security—for instance, to verify you don't have known malware apps and that your OS is up to date."
They also explained the wiping policy: the company would never remotely wipe without serious cause (lost device or termination), and even then, they would attempt a "corporate wipe" (just company data) first whenever possible.
In short, HomeTrust worked to build employee trust that MDM was a safeguard, not Big Brother. This cultural preparation proved crucial.
To ease the transition, HomeTrust's executives led by example. The CEO, CFO, and others all voluntarily enrolled their own phones in the MDM program first.
Nothing defuses resistance quite like seeing your boss say, "I'm doing this because I wouldn't ask you to do something I wouldn't do myself."
The CIO also highlighted the benefits to employees: with MDM, IT could now offer better support for BYOD devices (like helping recover a phone or pushing Wi-Fi configurations), and employees would have access to a secure company app store for useful work apps.
Plus, if an employee lost their phone, IT could help locate it or ensure no one else could use it—a service many appreciated.
Technically, ABT deployed the M365 Guardian standard configuration through a combination of Intune (for device policies) and ABT's proprietary integrations for the mortgage apps.
The MDM enforced encryption, strong device PINs, auto-lock timeouts, and blocked app installations from outside official app stores. Jailbroken or rooted devices were automatically flagged as non-compliant and denied access until fixed.
One immediate win: M365 Guardian detected that a loan officer had sideloaded a third-party app that was spyware disguised as a loan calculator. That phone was quarantined from company access until wiped clean—potentially averting a data leak.
Another win: 100% of devices accessing sensitive loan data were now known quantities—listed in an inventory, each with a compliance status. This satisfied a key Zero Trust principle, giving HomeTrust confidence in the "device trust" part of their security model. Teams that complete the device pillar of Zero Trust are substantially more successful in tracking and safeguarding their key systems.
An interesting development was the decision to offer company-issued devices for employees who didn't want MDM on their personal phones. A handful took this option. HomeTrust bought a small batch of iPhones that were fully managed and offered them to anyone uncomfortable enrolling their own device—the only caveat being they'd need to carry two devices if they wanted to keep a personal phone.
This gesture showed the company respected personal choice and maintained morale. Most employees, however, eventually became comfortable with MDM on their own phones after seeing it in action and realizing nothing terrible happened.
After a few months, employees reported positive side effects: by adhering to MDM, all their phone data was now encrypted and backed up, and some said they felt safer knowing that work and personal data were separated and protected.
From a governance perspective, HomeTrust's BYOD policy was updated to reflect the new regime.
The policy explicitly stated that by enrolling in BYOD, employees consent to MDM controls for security purposes. It also outlined procedures, such as what happens if an employee refuses a critical security update (answer: their device may be blocked from access).
Lawyers noted this as a reasonable effort to protect sensitive data—and it's essential. Under trade secret law, employers must prove they took reasonable measures to safeguard secrets. Allowing unfettered BYOD could undermine that claim, while using MDM and agreements demonstrates diligence.
Additionally, HomeTrust included provisions allowing the company to preserve or collect data from personal devices if litigation hold or e-discovery became necessary. Courts have consistently found this acceptable when properly communicated upfront.
In short, they got their legal ducks in a row while implementing the tech.
By the end of Phase 2, HomeTrust Mortgage had transformed its BYOD risk profile.
Every smartphone or tablet that touched company data was either fully managed by the company or blocked from accessing it.
The company can now prove that if an employee leaves or loses a device, they can immediately cut off access and wipe company information. They could also push emergency security patches or settings to all devices within minutes if a new threat emerged.
Essentially, they now had an enterprise-grade grip on mobile endpoints equal to their control over corporate-managed devices.
And notably, productivity didn't suffer. Employees still enjoyed using their own familiar devices, and the firm continued to benefit from the mobility and fast response times enabled by BYOD.
But now it was BYOD on IT's terms, not on blind trust.
One might ask: Did any employees rebel or quit over these tighter controls?
In HomeTrust's case, no. Thanks to careful change management, open communication, and leadership example, adoption was smooth.
In fact, ABT has found that clients who initially resist MDM deployment often become its strongest advocates once they see it in action. What initially seems like a burden becomes an enabler: by solving the security and compliance headaches, BYOD transforms from a risky liability into a viable long-term strategy.
This mirrors Gartner research showing that organizations with comprehensive device management are significantly more likely to achieve their digital workplace objectives while maintaining a security posture.
HomeTrust could confidently say "yes" when an employee asked to use the latest gadget for work, because they had the infrastructure to secure it.
SIDEBAR: The MAM and MDM Solution Behind the Success: Microsoft 365 Guardian
The MAM and MDM capabilities that transformed HomeTrust's security posture aren't standalone products—they're part of a comprehensive security framework explicitly tailored for regulated companies.
Microsoft 365 Guardian simplifies the complex licensing landscape by bundling essential Microsoft 365 licenses tailored for regulated companies. With built-in tools, productivity applications, and robust security features, these licenses lay the foundation for an efficient, compliant, and secure work environment.
Most organizations don't realize what they're missing when they buy Microsoft 365 licenses the "cheap" way. Yes, the software works. But without proper configuration and expert guidance, the powerful security features you're already paying for sit unused—leaving gaps that become breaches.
When you license Microsoft 365 through ABT, you get more than software:
Fully configured MAM and MDM policies designed specifically for regulated industries like mortgage lending
Expert implementation support tailored for regulated companies that handles the technical complexity while you focus on your business
Automated updates, centralized monitoring, and comprehensive support that keeps your BYOD program compliant as threats evolve
Security training and awareness programs that turn employees into defenders, not vulnerabilities
Compliance guidance for GLBA, CFPB, and other regulatory requirements
Automated monitoring and ongoing insights to maintain a secure, compliant, and efficient operation
Microsoft 365 Guardian is more than a tool—it's a comprehensive solution tailored for regulated companies by combining industry-specific expertise with the full power of Microsoft 365.
The Bottom Line
The "cheap" licensing approach might save a few dollars upfront, but it costs far more when security gaps lead to breaches, compliance failures, or the scramble to retrofit security after an incident.
ABT's clients don't just get licenses—they get a security partner who ensures the powerful capabilities already in their Microsoft investment actually protect their business.
That's the difference between buying software and building security.
With both phases complete, HomeTrust achieved something important: closing the BYOD gap without closing the door on BYOD. It wasn't about banning personal devices; it was about innovative risk management and steady progress.
One clear takeaway from HomeTrust's story is that technology alone (MAM, MDM, etc.) isn't the complete solution – people and culture are critical.
BYOD security measures touch on personal space and habits, so how you manage the human side determines success or failure.
As I often remind CIOs and CISOs: "You can deploy all the security tech in the world, but if your employees see it as Big Brother rather than a safety net, they'll find ways around it. Security isn't something you do to people – it's something you build with them."
When the C-suite and senior management treat security as a top priority (and follow the rules themselves), it sends a powerful message.
At HomeTrust, executives enrolled their own devices in MDM first, signaling trust in the program. This leadership by example must start at the top.
It's not enough for IT to mandate a policy; employees need to see leadership walking the walk.
In sensitive industries – finance, healthcare, and critical infrastructure – leaders can reinforce the mission-critical nature of security.
For instance, a CISO might remind staff that protecting clients' personal information is part of the company's duty of care and ethical obligation, not just an IT box to tick.
When leadership frames security as protecting the customer and the business (not just locking down employees), it creates a shared sense of purpose.
Education and awareness go hand in hand with leadership. People resist what they don't understand.
A key cultural driver is ensuring employees understand the why behind BYOD security measures. Instead of saying "Do this because policy says so," translate it into real-world terms: "Your phone can be a target. Here's what could happen if it's compromised—and here's how these controls protect you and the company."
One effective tactic is sharing sanitized stories about breaches or near-misses (like Sarah's stolen phone scenario) to make the risks tangible.
Regular training makes a huge difference. ABT has found that training employees on mobile security risks is just as critical as deploying the technology itself. When users understand that clicking a random link in a text message could install malware that steals borrowers' Social Security numbers from their work email, they suddenly get why that MAM policy blocks copy-paste or why they need to authenticate into work apps.
When your team understands why security controls exist—not just that IT demands them—everything changes. Employees stop seeing security as an obstacle and start recognizing themselves as defenders. Research backs this up: organizations running regular, practical security awareness programs see 70% fewer incidents than those relying on annual compliance videos alone.
The question is: how do you build that kind of program without overwhelming your already-stretched IT team?
SIDEBAR: Turn Your Team Into Your Best Defense with Attack Simulation & Training
Your employees are either your strongest security asset or your biggest vulnerability. The difference? Training that actually works.
ABT's M365 Guardian Attack Simulation & Training goes beyond boring compliance videos to create realistic, hands-on security awareness that changes behavior. Our cutting-edge simulation service immerses your team in real-world scenarios they'll actually encounter—from mobile phishing attacks to social engineering tactics targeting mortgage professionals.
What makes ABT's approach different:
Intelligent simulations – Realistic phishing attacks, ransomware scenarios, and social engineering tactics designed specifically for the mortgage industry
Comprehensive reporting and analytics – Measure baseline awareness, track behavioral changes over time, and identify which employees need additional support
Targeted security awareness training – Equip your team with practical skills to recognize and respond to threats, not just check a compliance box
Continuous improvement – Regular simulations keep security top-of-mind and help employees build instinctive threat recognition
Data-driven insights – Understand your organization's security posture at the human level and make informed decisions about training investments
Real Results
One ABT client saw their click-through rate on phishing simulations drop from 32% to just 4% within six months of implementing the program—turning what was once their weakest link into a vigilant first line of defense.
The Bottom Line
Don't wait for an employee mistake to become a data breach. Empower your team to recognize threats before they become incidents.
Be transparent about what data you collect from personal devices. Employees naturally worry that enrolling in MDM means Big Brother is watching.
Many MDM solutions allow IT to disable location tracking for BYOD devices or restrict data viewing. Make it clear in both policy and practice that employees' personal content is off-limits.
At the same time, emphasize that company data on an individual device is company property and will be protected as such.
Getting this balance right in your messaging fosters trust. Some companies involve employee representatives or focus groups when developing BYOD policies to ensure they address common fears and pain points. The more employees feel the policy is in their own interest (protecting them from liability or loss), the more they'll support it.
Another cultural factor is incentivizing good security behavior.
This could be:
Gamify compliance by showing your organization's overall "secure device" percentage on a dashboard and praising improvements. Turn it into a team sport.
If your Secure Score is worth celebrating, maybe your "Mobile Secure Score" (how many devices are compliant) should be too!
Create positive reinforcement around participating in the security process, rather than making it feel punitive.
It's also worth mentioning the role of IT support culture. When you ask employees to adopt new security tech on their personal devices, you must be ready to support them kindly and competently.
A frustrated user who can't access their work email after enrolling in MDM will sour others if their issue isn't quickly resolved. HomeTrust ramped up its helpdesk during the BYOD rollout, ensuring questions like "How do I install this profile?" and "Will this erase my photos?" were answered patiently and clearly. This supportive approach helped win hearts and minds.
In operationally sensitive industries, employees are often very busy (think doctors, loan officers, plant managers). Making security as seamless as possible is part of the cultural equation. Strive for a user experience where security controls run primarily in the background and don't disrupt workflow – and when they do surface (like a block or wipe), IT is there to guide the user through it.
Security culture isn't built overnight. It's cultivated through consistent messaging, education, and by weaving security into "how we do things here."
Over time, what was once seen as an extra burden (like an app PIN or mandatory update) becomes an accepted routine. At HomeTrust, a year after implementing BYOD controls, new hires would routinely be briefed on enrolling their phones on day one – it became just another part of onboarding, as normal as issuing a company badge. That's when you know culture has shifted: when secure behavior becomes standard.
Finally, culture and technology feed into each other. A strong security culture makes your BYOD technology more effective (because people adhere to it), and visibly effective security measures reinforce the culture (people see that the organization genuinely cares about protecting data).
Leadership and cultural buy-in are the multipliers that turn good security policies into excellent security practices.
Implementing MAM/MDM technology and fostering a security-aware culture are two pillars of closing the BYOD gap. The third pillar is governance—the policies, procedures, and oversight mechanisms that ensure BYOD security isn't a one-time project but an ongoing discipline.
In regulated and operationally sensitive industries, governance isn't optional; it's mandatory. Here's what solid BYOD governance looks like:
Every organization that allows BYOD should have a written policy that's communicated and acknowledged by all participants.
This policy should specify:
Who may use personal devices for work (employees, contractors, etc.)
The types of corporate data they may access
The security requirements they must meet
For example, the policy might require:
Only devices running supported OS versions are permitted
Devices must have up-to-date security patches and cannot be jailbroken
The company will install MDM software
Users must agree to the remote wipe of company data if needed
Strong authentication (like MFA) is required for access
The company reserves the right to disconnect or disable any non-compliant device
The policy should clarify user obligations, like reporting a lost or stolen device immediately (typically within 24 hours).
A well-crafted policy establishes the rules of engagement, protecting both company and employee.
The importance of a comprehensive written policy cannot be overstated—nearly half of employers with BYOD programs have experienced data breaches caused by employee error or intentional wrongdoing, underscoring the criticality of proper documentation.
Personal devices complicate the discovery process in litigation. Identifying, preserving, and collecting relevant data from these devices is complex and costly, and failing to do so appropriately can lead to sanctions or spoliation claims.
As legal experts have noted, BYOD problems can lead to significant litigation if a business isn't aware of the potential risks and doesn't have policies and practices to mitigate them.
A particularly critical issue that BYOD policies must address is wage-and-hour compliance.
Under the Fair Labor Standards Act (FLSA), employers must pay non-exempt employees for all time spent on work-related tasks beyond 40 hours in a workweek, even if that work happens on a personal device after hours.
Courts have consistently held employers liable for failing to compensate employees for overtime work performed on employee-owned devices. For instance, in Mohammadi v. Nwabuisi, an employer was found liable for failing to pay overtime when an employee used their personal device for work tasks.
The issue is straightforward: if a non-exempt employee checks work emails at 11 PM or responds to client texts on a Sunday, that time is compensable work. It must be tracked and paid—regardless of whether the employer explicitly requested the after-hours work.
Many organizations have faced significant wage-and-hour liability simply because they failed to account for the reality that BYOD makes it easy for non-exempt employees to work "off the clock."
The solution: Many employers limit BYOD access for non-exempt employees or implement strict controls.
A common and practical approach is to prohibit non-exempt employees from accessing company systems or performing any work-related activities on personal devices outside their scheduled work hours.
Legal counsel recommends that policies explicitly prohibit the use of devices for work when non-exempt employees are off the clock. That includes:
Checking work-related emails
Making work-related phone calls
Any other job duties
Some organizations go further by restricting or eliminating remote access altogether. Best practices include:
Removing company email access for non-exempt employees entirely
Not providing BYOD privileges to this employee class
If business needs require non-exempt employees to have BYOD access, companies must implement rigorous time-tracking systems that:
Capture every minute of after-hours work
Require employees to report all such time
Ensure supervisors never encourage or tacitly permit off-the-clock work
As a rule of thumb: if you have non-exempt employees, either exclude them from BYOD programs or tightly control when and how they can use personal devices for work, with robust time-tracking to capture every compensable minute.
Keeping up with technological advances to improve efficiency and retain top talent will remain at the forefront of many employers' strategic plans. If your business already uses a BYOD policy or is planning to institute one, remember that this practice can expose you to significant liability—from data breaches and e-discovery complications to wage and hour violations.
Carefully drafting a written BYOD policy that addresses all these risks—and ensuring it's followed in practice—is essential to minimizing exposure to costly lawsuits and regulatory penalties.
Within the policy (or a separate consent form), spell out what the company can and cannot access on a personal device.
For instance, many policies state that the company owns all work-related information on the device and that employees have no expectation of privacy for company data. At the same time, the company won't intrude on purely personal information.
Employees should sign to acknowledge they understand these terms.
This consent becomes essential if you ever need to conduct a forensic investigation on a BYOD device or preserve data for e-discovery—you can show the employee agreed that work data on their device is subject to company oversight.
It also helps defend against claims of privacy invasion if you wipe a device or monitor it in ways the policy covers.
Essentially, explicit consent is your legal safety net when enforcing security on BYOD.
Your governance should include specific technical controls (many of which we discussed in the HomeTrust case):
"Devices must have encryption enabled and a lock screen set to activate after X minutes."
"The device must be enrolled in [Company's MDM] and comply with its security checks."
"If the device falls out of compliance, it will be automatically blocked from corporate resources."
These standards can map to established frameworks.
For instance, NIST guidelines for mobile device security (such as NIST SP 800-124) recommend:
Maintaining an inventory of mobile devices
Ensuring data-at-rest encryption
Enabling remote wipe
Aligning your policy with these standards improves security and satisfies auditors.
If you're in a regulated sector (finance, healthcare), tie your BYOD policy to the relevant regulations. For HIPAA compliance, for example, state that any mobile device accessing e-PHI must be encrypted and subject to remote wipe.
At a high maturity level, organizations incorporate BYOD into their risk assessment process—periodically evaluating the threat landscape (are new mobile threats emerging?) and reviewing compliance (what percentage of BYOD devices are fully patched?)—then updating policies accordingly.
Governance is toothless without enforcement. This is where technology and policy meet.
Your policy should specify what happens when a device or user is non-compliant. For example, if a device falls out of compliance (no updates, rooted, etc.), access will be automatically denied, and the user will be notified to remediate within 24 hours. Failure to comply may result in the revocation of BYOD privileges.
Monitoring mechanisms—such as MDM compliance reports or anomaly detection (e.g., a normally compliant device suddenly stops checking in, which could mean the user removed management)—need active review by IT or a security operations team.
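As an added example (not code from ABT, Microsoft or HomeTrust), the checks from the HomeTrust deployment (encryption, auto-lock, OS version, jailbreak, sideloading) and the enforcement logic described here (the 24-hour remediation clock, the stale check-in anomaly, and the identity-plus-device access gate) are run over a constructed device inventory. The policy thresholds, device records and field names are assumptions; the field names only loosely follow an Intune managed-device record.

```python
"""Compliance evaluator and access gate over a constructed BYOD inventory.

Added example; not ABT's, Microsoft's or HomeTrust's code. Field names loosely
follow an Intune managedDevice record (isEncrypted, jailBroken, osVersion,
lastSyncDateTime) but every device and threshold below is constructed.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

# Assumed policy baseline (hypothetical values, chosen for the example).
MIN_OS: Dict[str, Tuple[int, ...]] = {"iOS": (16, 0), "Android": (13,)}
MAX_AUTOLOCK_MINUTES = 5                  # "lock screen set to activate after X minutes"
CHECKIN_STALE = timedelta(hours=72)       # no sync this long => possible unenrollment
REMEDIATION_WINDOW = timedelta(hours=24)  # user must fix within 24 hours


@dataclass
class Device:
    device_id: str
    platform: str                     # "iOS" or "Android"
    os_version: str
    encrypted: bool
    jailbroken: bool                  # jailbroken (iOS) or rooted (Android)
    autolock_minutes: Optional[int]   # None = no lock screen configured
    unknown_sources: bool             # allows installs from outside official stores
    last_sync: datetime


@dataclass
class Finding:
    device_id: str
    compliant: bool
    stale: bool
    violations: List[str] = field(default_factory=list)
    remediate_by: Optional[datetime] = None


def parse_version(text: str) -> Tuple[int, ...]:
    """'16.4.1' -> (16, 4, 1); non-numeric fragments are ignored."""
    return tuple(int(p) for p in text.split(".") if p.isdigit())


def evaluate(device: Device, now: datetime) -> Finding:
    """Apply the policy checks and work out the remediation deadline."""
    v: List[str] = []
    if not device.encrypted:
        v.append("data-at-rest encryption disabled")
    if device.jailbroken:
        v.append("device is jailbroken/rooted")
    if parse_version(device.os_version) < MIN_OS.get(device.platform, (0,)):
        v.append(f"OS {device.os_version} below supported minimum")
    if device.autolock_minutes is None or device.autolock_minutes > MAX_AUTOLOCK_MINUTES:
        v.append("auto-lock missing or longer than policy allows")
    if device.unknown_sources:
        v.append("installs from outside official app stores enabled")
    stale = now - device.last_sync > CHECKIN_STALE
    return Finding(device.device_id, compliant=not v, stale=stale, violations=v,
                   remediate_by=(now + REMEDIATION_WINDOW) if v else None)


def access_decision(user_verified: bool, finding: Finding) -> str:
    """Conditional-access style gate: identity AND a trusted device are both required.

    Assumed outcomes: unverified user -> deny; non-compliant device -> block while
    the 24-hour remediation clock runs; a device that has gone quiet is treated
    as an anomaly and gets step-up verification rather than silent access.
    """
    if not user_verified:
        return "deny"
    if not finding.compliant:
        return "block"
    if finding.stale:
        return "step-up"
    return "allow"


def compliance_rate(findings: List[Finding]) -> float:
    """Percentage of enrolled devices currently compliant (a 'Mobile Secure Score')."""
    if not findings:
        return 0.0
    return 100.0 * sum(f.compliant for f in findings) / len(findings)


# Constructed inventory and a fixed evaluation time so the report is reproducible.
NOW = datetime(2025, 1, 15, 9, 0, tzinfo=timezone.utc)
INVENTORY = [
    Device("ios-001", "iOS", "17.1", True, False, 2, False, NOW - timedelta(hours=1)),
    Device("and-002", "Android", "13", True, True, 5, False, NOW - timedelta(hours=3)),
    Device("ios-003", "iOS", "15.7", True, False, 10, False, NOW - timedelta(hours=6)),
    Device("and-004", "Android", "14", True, False, 5, True, NOW - timedelta(hours=2)),
    Device("ios-005", "iOS", "17.0", True, False, 1, False, NOW - timedelta(days=5)),
]


def run_report(inventory=INVENTORY, now=NOW) -> List[Finding]:
    """Evaluate every device, print the review queue, and return the findings."""
    findings = [evaluate(d, now) for d in inventory]
    for f in findings:
        print(f"{f.device_id}: {'compliant' if f.compliant else 'NON-COMPLIANT'}"
              f"{' (stale check-in, possible unenrollment)' if f.stale else ''}"
              f" -> access {access_decision(True, f)}")
        for reason in f.violations:
            print(f"    - {reason}; remediate by {f.remediate_by:%Y-%m-%d %H:%M} UTC")
    print(f"BYOD compliance: {compliance_rate(findings):.0f}%")
    return findings


if __name__ == "__main__":
    run_report()
```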
In many companies, BYOD governance is part of broader information security governance, which feeds into infosec dashboards and metrics. For instance, a CISO might regularly report, "BYOD compliance stands at 98% this quarter, up from 90% last quarter, with two incidents of policy violations we've addressed" to the board or risk committee.
Some organizations establish a governance board or committee that includes IT, security, HR, and legal to oversee BYOD and mobile security. This cross-functional group handles tricky cases—like an employee requesting an exception or refusing to comply—and ensures alignment with HR policies. If an employee refuses to comply with device requirements, that should trigger HR disciplinary action. Make sure your policy explicitly states this.
Despite your best efforts, incidents will happen. A device might get compromised or lost. Your governance should include a BYOD incident response playbook.
This includes steps like:
Identifying and remotely locking or wiping the device
Removing the device from the authorized list
Investigating which corporate data may have been accessed
Notifying appropriate stakeholders (including customers or regulators if data is breached)
Practice this as part of your incident drills.
After an incident, governance means learning and adapting: Was the policy followed? Do we need to tighten something?
Here's a real-world example: a company discovered an employee had been using an unapproved cloud backup app that saved work files from her BYOD laptop to a personal cloud. After resolving the incident, the company updated its policy to forbid personal cloud backups of work data and configured its DLP (Data Loss Prevention) to flag such behavior.
Governance is a living process, not a one-time document.
In industries such as mortgage lending, banking, or healthcare, demonstrating compliance with laws and regulations is a fundamental driver of BYOD governance.
Regulators will ask: Do you have adequate controls to safeguard customer data on all devices?
A governance best practice is to map your BYOD controls to specific regulatory requirements. For example, the Gramm-Leach-Bliley Act (GLBA) requires financial institutions to protect consumer information. That includes BYOD devices in the scope of your GLBA Safeguards program (with documented risk assessments and controls).
Similarly, if you operate under GDPR or other privacy laws, your BYOD program should address how personal data is protected and who can access it on personal devices.
Some regulations even require that certain data be stored on personal devices only if specific encryption is in place.
Governance here might involve technical measures such as containerization (to keep personal and work data separate), and demonstrating to auditors that customer loan files on a BYOD phone are always encrypted and can be wiped within 24 hours if the employee leaves.
ABT's DeviceGuardian solution was designed to make all devices compliant with CFPB regulations for mortgage data protection. The governance built into the tool ensures features such as encryption and access controls that meet regulatory expectations.
Governance also covers the full lifecycle of BYOD usage.
How are new devices onboarded? Is there an approval process, or can employees self-enroll with automatic policy application?
And more importantly, how is off-boarding handled?
The policy should require that, upon termination of employment (or the end of a contractor's contract), the employee must cooperate in removing all company data—typically by performing a remote wipe via MDM or by removing accounts.
An exit checklist in HR's process should include triggering IT to wipe or disable BYOD access on the employee's last day.
We've seen legal cases where failing to remove company access from a personal phone promptly led to data leakage or disputes. Governance means having that process buttoned up so no one slips through the cracks.
Lastly, an often overlooked aspect: verifying that all these policies actually work.
Internal or external audits should periodically cover BYOD practices. This might involve reviewing a sample of devices to ensure policies are applied and effective.
Some organizations conduct spot checks or automated compliance audits via their MDM console. Others involve their internal audit or compliance teams to test the program—for instance, trying to enroll an unapproved device or intentionally jailbreaking a test phone to see if the system catches it.
Verizon's research found that 58% of companies said having more endpoint security tools made management harder, cautioning that adding MDM/MAM must be accompanied by streamlined management.
This is where ABT's Guardian Security Insights becomes invaluable.
Rather than wrestling with multiple security dashboards and struggling to verify that policies are working, ABT's approach to Microsoft 365 licensing includes ongoing audit and verification as part of the Guardian package.
Guardian Security Insights provides continuous monitoring of your BYOD program, automated compliance reporting, and proactive alerts when devices fall out of compliance or security gaps emerge. This keeps your BYOD program efficient and prevents it from sprawling into a mess of exceptions or ignored alerts—a common problem when organizations manage these programs without expert support.
Continuous improvement should be part of governance: use audit findings or incident post-mortems to refine your policies and controls. Guardian Security Insights makes this data readily accessible, so IT teams don't have to cobble together reports from multiple sources.
Governance is about formalizing BYOD security into your organization's DNA. It provides clarity and consistency: everyone knows the rules, and there are mechanisms to enforce and update them.
Good governance transforms BYOD from a wild risk into a controlled, sustainable practice. It sets guardrails so employees can enjoy the productivity of using their own devices, while the company can sleep at night knowing those devices aren't the Achilles' heel of its security.
The journey we've explored—from recognizing a false sense of security to bridging the gap with MAM and MDM, underpinned by culture and governance—leads to a more resilient organization.
The final message is clear: Zero Trust maturity means securing identity, applications, and devices as equal pillars of your cyber defense.
Any weakness in one pillar undermines the whole. It's not enough to verify the user (identity) and lock down the software (applications/data) if the device they use is an open door. Conversely, even a secure device becomes a problem when credentials are compromised through phishing.
True security in today's world requires a comprehensive approach.
For companies operating in highly sensitive, regulated industries—whether mortgage finance, healthcare, legal, or government—the stakes couldn't be higher.
The data you handle is often the most sensitive, attracting threat actors and warranting strict compliance. Achieving Zero Trust in these environments isn't a checkbox; it's a continuous improvement process.
Ensure no unmanaged endpoints access your critical systems. If 100% of devices are either company-controlled or under an approved BYOD management scheme, you've eliminated one of the biggest attack vectors organizations overlook.
Remember: organizations that completed all zero trust pillars (including device trust) experienced incidents at half the rate of those that didn't. That's a tangible payoff—fewer breaches, less downtime, less fraud. Strive for that completeness.
Include devices in your security checks. Modern IAM (Identity and Access Management) and Zero Trust implementations rely on conditional access policies: a user must be both who they claim to be and on a trusted device to gain access.
If either condition fails, access is denied or stepped-up verification kicks in. This dual requirement is powerful.
Microsoft's Zero Trust approach, for instance, emphasizes that only devices meeting security compliance should gain access. By enforcing this, you keep "dirty" devices out of your clean rooms.
Think of it like a lab requiring both an ID badge and a hazmat suit to enter—neither alone is sufficient.
The trends are unmistakable. Gartner research shows that by 2025, 70% of businesses worldwide will adopt BYOD or similar mobile device management models, with global adoption already at 69% by 2023. Post-pandemic flexible work arrangements guarantee that number will keep climbing.
The BYOD market itself tells the story: it's projected to grow from $132 billion in 2025 to $276 billion by 2030—driven by cost savings, mobile workforce demands, and workplace flexibility needs.
Employees appreciate and often expect the freedom to choose their tools. 87% of companies now depend on their teams using personal smartphones to access business apps.
Rather than fighting the tide, embrace it securely. The good news? When done right, BYOD is a win-win: organizations report an average 68% boost in productivity and over half say workers are more satisfied, while saving $341 per employee annually through reduced equipment costs.
The key is "done right"—which means adequate investment in the security tools and expertise to manage it properly.
If your organization is starting to tackle BYOD security, consider the strategy we outlined.
Start with Phase 1 (MAM) to quickly cover the basics and get people comfortable with security controls on personal devices.
Move to Phase 2 (MDM) to tighten security and meet higher-level requirements.
Not every company will follow the same path. Some highly regulated environments might skip MDM and issue corporate devices to avoid dealing with personal devices. Others, especially mid-size firms, will find a MAM-first approach more palatable and gradually enforce MDM only as needed (perhaps for higher-risk roles such as executives or IT admins).
The point is, you can make meaningful progress in weeks (with MAM) and continue improving over months (with MDM) rather than treating it as an all-or-nothing switch.
Deploying an MDM solution isn't just an IT project—it's an organizational change project. The soft factors (executive sponsorship, employee communications, training) determine whether your Zero Trust controls get embraced or quietly circumvented.
Organizations with strong security cultures find BYOD controls easier to implement. Invest in awareness. Make security part of your company's DNA. When people understand the why, they cooperate with the how.
Consider measuring employee cybersecurity awareness through quizzes or simulations, then improve those scores alongside your technical rollouts.
Closing the BYOD gap significantly reduces breach likelihood, but nothing is foolproof. Create an incident response plan specifically for mobile/BYOD incidents—and drill it.
Practice a hypothetical "lost device with customer data" scenario and learn from the simulation rather than during a real crisis.
Also consider implementing Mobile Threat Defense (MTD) solutions that detect malware or network attacks on mobile devices. Some organizations integrate MTD with their MAM/MDM.
For example, if MTD flags malware on a BYOD phone, the MDM can automatically cut off that device until the issue is resolved. This advanced capability further strengthens device trust.
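As an added illustration that is not part of the article or any vendor's product, the following Python models two things described above: the conditional access rule (identity and device must both pass, and a failure on either side yields deny or step-up, never allow) and the MTD-to-MDM loop in which a flagged device is cut off until the threat is resolved. The device fields, event names and sample devices are constructed for this example.

```python
from dataclasses import dataclass
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"
    STEP_UP = "step_up"  # demand additional verification, e.g. a fresh MFA prompt
    DENY = "deny"


@dataclass
class Identity:
    authenticated: bool  # credential check passed
    mfa_satisfied: bool  # second factor presented in this session


@dataclass
class Device:
    device_id: str
    managed: bool             # enrolled in MDM or covered by MAM app protection
    compliant: bool           # meets compliance policy: encryption, OS version, PIN...
    mtd_threat: bool = False  # Mobile Threat Defense currently flags this device


def evaluate_access(identity: Identity, device: Device, sensitive: bool) -> Decision:
    """Conditional-access style gate: identity AND device must both pass."""
    if not identity.authenticated or device.mtd_threat:
        return Decision.DENY  # unknown user, or a device MTD reports as compromised
    if not device.managed:
        # unmanaged endpoint: blocked from sensitive data, challenged elsewhere
        return Decision.DENY if sensitive else Decision.STEP_UP
    if not device.compliant or not identity.mfa_satisfied:
        return Decision.STEP_UP  # trusted enrolment, but one control is missing
    return Decision.ALLOW


def apply_mtd_event(device: Device, event: str) -> Device:
    """MTD -> MDM integration: an alert quarantines the device until it is cleared.
    Event names are constructed for this example; a real MDM would also mark the
    device non-compliant, but the gate above already denies on the threat flag."""
    if event == "threat_detected":
        device.mtd_threat = True
    elif event == "threat_resolved":
        device.mtd_threat = False
    else:
        raise ValueError(f"unknown MTD event: {event}")
    return device


# Constructed sample state, not from any real tenant.
PHONE = Device("loan-officer-iphone", managed=True, compliant=True)
UNMANAGED = Device("personal-android", managed=False, compliant=False)
STRONG_USER = Identity(authenticated=True, mfa_satisfied=True)

if __name__ == "__main__":
    print(evaluate_access(STRONG_USER, PHONE, sensitive=True))      # Decision.ALLOW
    print(evaluate_access(STRONG_USER, UNMANAGED, sensitive=True))  # Decision.DENY
    apply_mtd_event(PHONE, "threat_detected")
    print(evaluate_access(STRONG_USER, PHONE, sensitive=True))      # Decision.DENY
    apply_mtd_event(PHONE, "threat_resolved")
    print(evaluate_access(STRONG_USER, PHONE, sensitive=True))      # Decision.ALLOW
```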
New OS features, attack vectors (such as SMS phishing and malicious apps), and solutions (such as zero-trust network access for mobile devices or improved sandboxing) emerge constantly. Keep your policies and tools current. What works in 2025 might need an upgrade by 2026.
For example, the rise of personal eSIMs and device cloning could create new challenges—be ready to adapt.
Subscribe to mobile-focused threat intelligence, follow guidance from reliable sources (NIST, Verizon's Mobile Security Index, Gartner), and regularly re-evaluate your BYOD approach.
Zero Trust isn't a one-time destination; it's a continuous journey toward maturity.
Zero Trust isn't just a buzzword or a set of tools—it's a mindset.
Anything unverified can be a threat, whether that's Bob from Accounting's iPad or the CEO's Android phone. Trusting those devices by default is risky.
But with the right strategy, technology, and governance, you don't have to rely on trust—you can verify. When you verify and secure everything from identity to device to app, you're no longer playing defense with one hand tied behind your back. You have 360-degree protection that drastically lowers the odds of a successful breach.
For CIOs, CISOs, and business leaders reading this, the takeaway is empowering: closing the BYOD security gap is achievable.
It requires commitment and coordination across IT, security, leadership, and employees, but the returns are immense. You protect your customers' data and your company's reputation while gaining the freedom to keep reaping the productivity benefits of mobility and flexibility—without constantly looking over your shoulder.
In regulated sectors, you also gain the confidence to tell examiners and partners: "Yes, we have Zero Trust, and we mean it—from our core systems to every device in our orbit."
Zero Trust isn't enough if it excludes devices.
But when devices are brought into the Zero Trust model—when you trust nothing and verify everything, including the phones and laptops we all use every day—then Zero Trust truly delivers on its promise. It becomes more than a buzzword; it becomes a business enabler and a shield against modern threats.
Secure identities, secure apps, secure devices—achieve that triad, and you've closed not just the BYOD gap, but many other gaps as well. You've built an enterprise that's resilient by design, prepared for today's challenges, and free to innovate and operate with confidence.
And that's the ultimate goal of any security initiative: not to constrain the business, but to protect and enable it.
SIDEBAR: Your Complete Path to Zero Trust Maturity with ABT
Closing the BYOD security gap doesn't happen overnight—but ABT makes the journey straightforward with solutions that build on each other to create comprehensive protection.
Here's how ABT's integrated security ecosystem works together:
Step 1: Discover What You Don't Know
Guardian Security Assessment – Start here to get a comprehensive evaluation of your Microsoft 365 environment. Our expert security team reveals hidden vulnerabilities, unmanaged BYOD devices, policy exceptions, and misconfigurations that your Secure Score misses. You'll receive a personalized Cyber Defense Action Plan with prioritized steps to achieve a robust 90%+ security posture.
Step 2: Move Your Licensing to ABT
Microsoft 365 Guardian – When you license Microsoft 365 through ABT instead of a bargain reseller, you get the same licenses at competitive rates—plus fully configured MAM and MDM policies, expert implementation support, compliance guidance for GLBA and CFPB, and ongoing monitoring. It's the difference between buying software and building security.
Step 3: Gain Continuous Visibility
Guardian Security Insights (included with ABT licensing) – This automated monitoring transforms complex security data into weekly executive reports showing MFA enforcement, device compliance, configuration trends, and prioritized action plans. It bridges the gap between "looks good on paper" and "actually works in practice" by flagging critical issues before they become breaches.
Step 4: Strengthen Your Human Firewall
M365 Guardian Attack Simulation & Training – Technology alone isn't enough. This cutting-edge simulation service immerses your team in realistic mobile phishing attacks, ransomware scenarios, and social engineering tactics designed specifically for the mortgage industry. Track behavioral changes over time and turn your employees from your weakest link into your first line of defense.
Step 5: Add 24/7 Expert Protection (Optional)
Guardian MxDR – For organizations needing the highest level of security, our Managed Extended Detection and Response service provides 24/7 threat monitoring and response by ABT's cybersecurity team. We leverage Microsoft 365 Defender to detect, investigate, and respond to threats on your behalf—acting as an extension of your IT team.
The ABT Advantage: Everything Works Together
Unlike piecemeal solutions from multiple vendors, ABT's integrated approach ensures your identity verification, device management, application security, and threat detection work in harmony. We've spent years building expertise in regulated industries—particularly mortgage lending—so we already know the compliance tightrope you walk.
The Bottom Line
Whether you start with an assessment to understand your current risks or move your licensing to unlock the full Guardian ecosystem, ABT provides the roadmap and partnership to achieve true Zero Trust maturity.
Ready to close your BYOD security gap?
Contact ABT at (888) 422-3400 or visit myabt.com
There's an old saying that trust is earned. In cybersecurity, we've learned it's better not to trust at all—at least not until you've verified everything twice.
By eliminating the blind trust we once placed in unchecked personal devices (you know, the "everyone's careful with their phone, right?" approach), organizations take a giant leap toward true cyber maturity. It's the difference between hoping your security holds and knowing it does.
Zero Trust, combined with comprehensive BYOD security, means your data is protected everywhere it goes—whether that's in a loan officer's pocket at Starbucks or on an executive's iPad at 35,000 feet.
And in a world where hybrid work is the new reality and mobility is expected, there's no achievement more worth celebrating than knowing your security perimeter extends to every device that touches your data.
That's not security virtue signaling. That's security that works.