With remote working and less formal staffing structures on the increase, many businesses are letting employees use their own devices for work purposes, including laptops, tablets and mobile phones. But does this cultural shift expose businesses to new risks and threats? And what can they do to avoid compromising their security?
The Rise and Risks of BYOD
You can tell a new development in the world of business is fast becoming the norm when there’s a snappy way of referring to it. BYOD stands for ‘Bring your own device’ and it is a growing trend among UK businesses. Statistica reports that the share of businesses where employees did exactly that was 45 per cent in 2018. As with many new developments, BYOD provides opportunities and substantial business benefits, but can also come with risks.
An IBM-commissioned report looked at the state of BYOD in the UK and concluded:
• BYOD is a blanket term, rather than a specific way of working. It can involve various devices and ways of working.
• Much early BYOD use saw employees using their own devices alongside company tech. However, there is future potential for businesses to replace their own technology with employee-owned devices.
• Employers adopting BYOD are often seeking to gain the best of both worlds, benefitting the business and its employees.
• BYOD should be properly coordinated involving, where necessary, HR and legal departments.
Using BYOD should help employers free up capital while giving employees greater flexibility, but there are potential cybersecurity risks involved. Employees bringing and using their own devices can expose a business to various aspects of risk, including:
• Leaked or lost information
• Computer viruses
• Concerns about boundaries and employee privacy
• Breaching GDPR rules
GDPR and BYOD
GDPR should bring clarity and visibility to issues around personal data protection. A challenge for BYOD is a potential loss of visibility if employees use devices the employer cannot easily monitor. On one hand, employees are unlikely to want their online activity on their own devices to be visible to others. On the other, if they are handling sensitive information on those devices, there is a risk that data security is weakened. Under GDPR regulations a business is responsible for ANY device that can retrieve customer data.
If a business does not have full network visibility of the employee devices used for this purpose, it could end up breaching GDPR regulations.
Creating a BYOD Policy to Manage Risk
There are clear steps businesses can take to make sure employees’ use of their own devices is as secure as possible. The very notion of BYOD may suggest a degree of randomness or informality.
Therefore, it is vital to ensure there are clear procedures to follow:
• Set clear parameters. What type of information can, or cannot, be made available to employees’ own devices? This means classifying all data, and then matching BYOD requirements to each level of classification. For example, high-risk information might be restricted for BYOD access.
• Be clear about which of employees’ own devices are acceptable and for what reason they can use them.
• Configure and set minimum standards for all devices. This should include setting passcodes and activating automated screen-locks. Software must be kept up to date and regular backing up of documents is critical.
• Users should disable automatic connection to any open, unsecured Wi-Fi networks on their devices.
• Configure devices to allow for wiping information remotely in the event of loss or theft.
• Apply fundamental IT security measures as standard across all devices being used. That should include anti-virus and malware protection, firewalls, encryption, patch management and updates of operating systems.
• Establish a clear incident reporting process. Anyone using their own device needs to know who to report any incidents to, including when a device is lost or stolen.
Is BYOD the Right Fit for Your Business?
Before putting any kind of BYOD policy in place you must first decide whether allowing employees to use their own devices is right for your business. We’ve already mentioned how some businesses are looking to make savings and boost efficiency through adopting this approach. However, what suits one organisation may not suit another. It comes down to the nature of your business, the sensitivity of your data, your workplace culture, and whether you are confident you can put the right measures in place to protect yourself.