Adopting a BYOD policy can reduce costs, increase productivity and offer greater agility – but it can also introduce significant security challenges.
Last updated: 21 Jul 2020
A bring-your-own-device (BYOD) policy makes business sense for SMEs. The increase in the use of smartphones, tablets and laptops presents an opportunity for smaller organisations to build a workforce that is mobile, flexible and more productive.
“BYOD and mobile working tend to go hand in hand,” says Susan Hall, partner/head of technology at law firm Clarke Willmott. “It saves money and can improve morale because people like to work with the IT they’re used to.”
James Hampshire, a senior cyber-security manager at PwC, agrees: “People often want to carry the latest technology but it can be hard for organisations to keep up with the newest devices. In a BYOD scenario, the cost of the device is borne by the employee.”
A BYOD approach can also help enhance your company’s image. Chris Hovenden, employment lawyer at legal firm Cripps, says: “It promotes a forward-thinking and tech-savvy image, which may be attractive to creative talent and helps to accommodate family-friendly working.”
IT support company Octagon Technology has embraced BYOD. Clive Catton, Octagon’s technical director, says: “We’ve found that team members are happier when they only have a single smartphone to carry, rather than a personal and a company phone. Happier people make for a better company. It also helps with work/life balance, particularly in a small organisation.”
While the benefits are manifold, it’s vital to approach BYOD with a sensible amount of caution and planning.
In 2016 cyber-security provider Trustlook Mobile Security surveyed 320 users to discover BYOD trends and practices. It found that while 70% of employees use a personal device for work, only 39% of employers had a formal BYOD policy in place.
The lack of such a policy can expose a company to a whole raft of risks. “The rapid spread of the use of smartphones and tablets has brought with it an increase in cyber attacks targeted at these devices,” says Oreste Maspes, SME growth consultant at national network Business Doctors.
“In recent years, the phenomenon of mobile malware has been in constant growth, both through distributed denial of service (DDoS) attacks, ransomware and hacking, and in the form of mobile applications that can be downloaded from app stores where criminals deliberately insert malicious codes.”
He adds that SMEs are potentially more vulnerable than their larger counterparts, because professional and personal life tend to blur more on the mobile devices their staff use, and because these companies’ cyber-security investments are generally less sophisticated.
Besides issues of cyber security, there are legal data protection issues around allowing employees to use their own devices for work.
Hall warns that if sensitive data is stored outside the work environment, your organisation could risk breaching its confidentiality or data protection obligations; under the EU General Data Protection Regulation (GDPR), organisations must put in place appropriate security measures for the data they handle.
“If the information is on a private device, there are also issues around how far it is legitimate to track it,” says Hall. “It can be quite an expensive issue if a former employee who is now in dispute with the company refuses to let you wipe their computer.”
Hovenden notes that the lack of control over devices makes it difficult to determine what data is stored where, in order to comply with data protection obligations. A poorly defined approach to BYOD can lead to costly repercussions. The Information Commissioner’s Office (ICO) takes action against organisations or individuals that fail to comply with data protection law – for example, by failing to put appropriate security measures in place to protect that data.
If you allow your employees to use their own devices for work, you need to educate them about the importance of reporting the loss of a device, and the dangers of cyber attack.
“Lost devices are one of the biggest causes of IP data protection breach, and the risk is increased if it’s a personal device because the employer isn’t double-checking it often and it’s easier for the employee to conceal if they’ve lost it,” says Hall.
The expert recommendation is to have a clear policy for staff to report all lost devices promptly.
Elliot Fry, associate at law firm Cripps, says: “Very often, cyber criminals don’t use particularly sophisticated technological systems: they exploit aspects of human behaviour. Just think about the phishing or the increasingly widespread ransomware attacks that lead the user to click on a malicious link, enter personal data or download an infected attachment.”
To strengthen cyber security, Fry advises reviewing the risks in advance to identify appropriate security measures, both technical controls and training and awareness. Staff need to know how to spot malicious emails, for example ones that ask for money or sensitive information, or that contain suspicious links. Meanwhile, Catton recommends that anti-virus software be installed on all BYOD devices.
“Your BYOD policy should also set out what staff can and can’t do with their devices, including potentially what software they can use,” Fry adds.
Catton agrees, saying that a BYOD policy should include a statement that the data belongs to the company and must not be shared with anyone who is not authorised, and a requirement that every device is protected by a security code and face and fingerprint recognition, and locks immediately.
Maspes says it’s also important that staff know they will be required to delete all company data on the device, including back-ups or copies.
To iron out any potential grey areas, Fry recommends imposing a practice of mobile device management (MDM) and/or sandboxing.
“MDM technology can allow an employer to remotely manage and monitor an employee’s personal device – such as remote wiping and location tracking. Meanwhile, sandboxing creates a secure section on the device to be used exclusively for company matters – which can limit remote wiping just to company data,” he says.
This requires a certain amount of give and take from employees because they will be giving their employer an element of control over their devices.
“Users have to accept a certain amount of organisation intrusion on their personal device if they want the benefit of using that,” Hampshire says.
Another option is to use the cloud, whereby minimal data is stored on the device and computing is most often done remotely. Employees simply log in to carry out company work and store it in the cloud rather than on the device.
Secure business communications can be made via a GDPR-compliant employee communications platform such as Beekeeper, an app that’s installed on employees’ personal devices and can be wiped remotely the instant an employee leaves the company. Other providers offering mobile BYOD solutions include MobileIron and VMware.
Hampshire agrees that whatever BYOD approach you choose, involving every level of the company in the process is vital to its success.
“Make sure employees engage with your BYOD policy, carry out staff consultations and awareness briefings and involve staff in that journey,” he says.
“Plan for what happens when devices are lost or infected with malware so the risk can be mitigated. Go into it with your eyes open, be cognisant of the risks as well as the business benefits, and make sure you balance that equation.”