BYOD Requires Continued Revisiting to Keep Up with Tech
We have all heard of BYOB, but what about BYOD? Bring Your Own Device (BYOD) is a permanent fixture in the workforce. With the proliferation of smartphones, tablets, and laptops, many employees work on personal devices. According to a study by Cybersecurity Insiders, 82% of organisations allow BYOD to some extent. However, in the rush to adapt to this new normal, companies frequently overlook red flags associated with allowing employees to use their personal devices when working remotely or in the workplace.
BYOD: Risks and Rewards
BYOD policies, while convenient, can pose significant risks for employers. For example, these devices can connect to an organisation’s network, access work systems, and compromise sensitive data. While most employees would never dream of compromising or stealing corporate data, they may not be careful with the information they are privy to. Savvy hackers are highly aware that employee-owned devices are easy targets for a security breach. Personal apps that employees use often have less stringent security, giving cybercriminals a backstage pass to corporate data.
The risk of theft is another concern. Over 10% of users have their smartphones stolen, and of those, 68% are never recovered. Without a strong BYOD policy on board, anyone who has the device in hand may have access to the employee’s company data.
Other risks of BYOD policies are the potential legal issues business leaders face if they search an employee’s device for suspected corporate data theft or loss. Erosion of trust between employer and employee would ensue, and legal issues could also arise, possibly opening a company up to a lawsuit.
In addition, many companies, such as those in the healthcare field, hold extremely sensitive customer data. A breach in one of these companies would erode customer trust and could also result in significant penalties for the company responsible for the breach. But, not to fear - these risks can be substantially minimised by developing an effective and individualised BYOD policy.
Minimisation of risk is not the only factor to consider in revisiting BYOD policies. A company can benefit greatly from allowing and even encouraging employees to bring their own devices. Giving the green light for employees to use their favourite personal devices for work purposes eliminates the need for companies to invest in expensive devices for every employee, leading to massive cost savings. It also promotes employee satisfaction, work-life balance, and flexibility, all of which lead to higher job retention rates and improved employee morale.
Creating Your BYOD Policy
This all sounds well and good, but just how does a company go about allowing BYODs and minimising its associated risks?
The first step in creating a BYOD policy is defining the scope of control the organisation expects to maintain over employee-owned devices. Companies can take different approaches in establishing or updating their policy. From the more extreme stance of treating personal devices like corporate assets in return for allowing their employees to access IT resources from their own devices to assuming little to no control over the devices and focusing instead on intensive risk training, business leaders can be flexible in the creation and upkeep of their personal device policy. However, the optimal BYOD policy for most businesses lies somewhere between the two extremes.
Another component of an effective BYOD policy is a confidentiality clause. This clause helps mitigate the risk of sensitive data winding up in the wrong hands.
Although not all theft and loss can be prevented, a strong, enforceable confidentiality agreement can be highly effective in preventing the sticky situation of employees uploading company information onto their personal devices or sharing information if they leave the company.
A strong BYOD policy should also clearly outline the ownership of apps and data, applications that are permitted or prohibited, reimbursement, and security requirements for the use of personal devices for work purposes.
Maintaining a BYOD Policy
To maintain the integrity of its BYOD policy, a company must continually revisit it, especially the security measures that are currently in place. These security measures should include a risk assessment of each personal device, a mobile device security policy, an appropriate endpoint security solution, and security awareness training.
Additionally, clear employee communications will significantly improve compliance and understanding of updated BYOD company policies. As StrongDM explains, “Because the lines of employee privacy can get blurry when enforcing controls and expectations on personal devices, good communication is key.”
Ultimately, instituting and maintaining a solid BYOD policy, one that encompasses security, accountability, and flexibility, will enable businesses to keep company data safe.