Bring Your Own Device (BYOD) is now used by over 80% of all businesses. Despite how common it is, however, few small business owners are aware of its risks and rewards.
BYOD refers to members of staff using their own devices for work purposes. This includes accessing business email accounts from smartphones, editing documents on a laptop or connecting to the company network while working from home or on the road.
With almost everyone now using their own device for work purposes, creating an effective BYOD policy that protects your company’s data is more important than ever. That’s why we’ve created two resources to help you plan your policy and keep your information secure:
Benefits of BYOD
It’s easy to see why BYOD is so popular for small businesses. It’s cheaper as there’s no need to buy nor upgrade employee devices and allows your staff to work on devices they know well, so they can get on with their work without having to learn how a new device works.
Most importantly, BYOD gives you and your employees the flexibility to work whenever and wherever you want. So even if you’re abroad, you can stay connected and keep your business running.
Limitations of BYOD
When employees use a personal device to access business-related information, they become responsible for that data. From lost devices to emails sent across public WiFi connections, there’s a whole host of risks that you need to be aware of.
Even if your business is small, that doesn’t protect you from cyber crime. In fact, 61% of all data breach victims in 2017 were businesses with under 1,000 employees. Plus, more devices means more ways for hackers to try and steal your data.
Whether you have a BYOD policy in place or not, preventing your employees from using their own devices is almost impossible. According to a Microsoft report, 67% of people use personal devices for business purposes regardless of company policy. Having an effective policy allows you to control usage and ensure your employees are keeping your data safe.
An effective BYOD policy is one that’s tailored to your company, so there’s no one-size-fits all approach. However, there are four main steps that you need to take when drafting your BYOD policy.
Before you begin to draft your BYOD policy, consider the risks that may arise with the use of personal devices. Outlining the risks is an important step that will help guide the rest of your policy.
The main risks of BYOD are:
- Data Leakage: unsecured devices may put your company data at risk from phishing scams, malware and man in the middle (MITM) attacks.
- Lost/Stolen Devices: losing a device could result in your company’s data ending up in the wrong hands.
- Malicious Apps: unsecured apps downloaded onto the device may result in the loss of company data.
- Insecure Use: if personal devices are shared by spouses, friends or family, there’s a chance your company’s sensitive information may also be shared.
- Disruption to Network: several different types of devices means your network may become less secure.
One of the major risks associated with BYOD is lost and stolen devices. In fact, 40% of all data breaches are caused by lost or stolen devices.
If a personal device is lost, sensitive business information may end up in the wrong hands, so make sure that you can remotely wipe the data stored on it. Most manufacturers now have this capability built in, but ensure your employees have it enabled before letting them use their device for work.
You might also want to configure Mobile Device Management (MDM) software. Then, if a phone or laptop is stolen, you can be confident that no one will gain access to business related data.
Remember to delete company data from the device of any employees leaving your company. It’s easy to forget, but you don’t want a sales representative leaving your company to work for a competitor with all of your business-related contacts and information with them.
Lots of devices may leave aspects of your network at risk because different manufacturers provide updates and security patches at different times. Also, some devices are more secure than others, so consider permitting a select number of types of device to limit disruption.
Once you’ve made the decision on which manufacturers are preferred, you can be confident that all of your staff are using similar devices with similar security capabilities.
Once you have considered the risks, draw up a list of what your staff will and won’t be able to do on their devices.
If you’re concerned that productivity will drop with staff getting distracted by social media, consider limiting the time permitted for personal use during work hours. You may also want to think about banning social media sites altogether or blocking certain apps on BYOD devices.
Decide which of your company’s information will be available to your employees. This will depend on the position held by the member of staff, so make it clear who can access what. An accountant and sales staff member will, for example, require access to different files so plan accordingly.
Identify the applications and programmes users are allowed to download on to their personal devices. If there are files or programmes that hold particularly sensitive information, such as revenue and sales figures, consider reserving them for company owned devices.
Apps downloaded from untrusted marketplaces should also be avoided as they may have malware and spyware capabilities, as this study of Fortnite apps showed.
An effective BYOD policy requires everyone in your business to pitch in and work together, so make a clear security protocol document and inform all members of staff of their responsibilities.
Establish a company-wide policy on the creation of strong passwords and two-step authentication for all business-related applications, programmes and devices.
According to Verizon, 80% of hacking-related breaches in 2017 used stolen passwords and/or weak passwords, so use a random password generator and manager application to protect and store passwords.
Ensure users maintain up-to-date software and antivirus protection on all devices. If one member of staff’s phone or laptop has not been updated, your digital security will be at risk so check that all members of staff have automatic updating enabled on their devices.
It’s easy for members of staff to forget to update their device, so enabling automatic updating will help protect even the most forgetful of employees.
Be wary of devices automatically uploading information to the cloud. It might be great for personal files and pictures, but it may also put sensitive company information into an unsecured network which can easily be targeted.
Prevent your employees from using unsecured networks and public WiFi while working. If an unsecured network – like an open WiFi network in a cafe – has to be used, configure an assured data-in-transit encryption method such as a Virtual Private Network (VPN). This will help mitigate the risks of malware, man in the middle (MITM) attacks and spyware intrusions.
That’s not to say public WiFi should never be used, but you need be aware of the risks and steps needed to overcome them first.
There’s lots to consider while drafting your security protocol and, as it outlines your employees responsibilities, it’s the most important part of your BYOD policy. As part of this, ensure that your members of staff know basic cybersecurity best practices.
To make it easier for you, we’ve created this document that you can share with your employees so they know how best to protect their device. We recommend printing it out and passing it around the office so everyone is on the same page:
Safeguarding your company from the risks of BYOD may involve storing or accessing data from employee’s smartphones, tablets or laptops. This may be to determine what company data they have access to, or to monitor what applications and programmes have been downloaded.
Tools to protect BYOD devices may also track its location, use and internet traffic. If this is the case, inform your employees and make every effort to minimise intrusion. To make sure that personal data is not affected, ring-fence personal data and add extra security measures on personal information.
Using a personal device at work is likely to involve storing customers’ information. For example, a sales representative might need to access contact details of customers from their smartphone while on the road. To be compliant with data protection legislation make sure that the data is only stored for as long as necessary and is protected effectively by your BYOD policy.
Determine the costs that may be associated with BYOD early on. Decide who will be responsible for paying for data, repairs and any other cost incurred while using a personal device. This way, there won’t be any surprises or disagreements further down the line.
Ultimately, the effectiveness of your BYOD policy relies on your employees following and respecting the rules. For this reason, communication is essential.
The ability to send and receive emails on-the-go, access files from a device that you’re comfortable with and work remotely are clear advantages of BYOD. However, it also makes your employees responsible for your company’s data which, if they aren’t cybersecure, can put your business’ digital security at risk.
To protect your business, establish an effective BYOD policy that identifies the risks, determines uses and outlines a clear security protocol for your employees. Most importantly, ensure that your employees know BYOD and cybersecurity best practice.