Using a personal phone, computer, or tablet for work is called Bring Your Own Device (BYOD). Most of us are no strangers to the concept. In fact, 64% of all employees report using a personal smartphone for work.
Companies allow personal devices because it’s convenient for the employee and, on the surface, seems to save money. But BYOD can be BYODangerous, so it’s important to closely consider the potential hazards.
Without taking proper steps, you can’t easily control how employees use their personal devices. They could visit malicious websites, connect to public Wi-Fi, or install risky applications.
Since the device is owned by the employee, many organizations don’t install the same security controls on it, even though it is being used for company activity. So while company-owned devices have security tools and policy controls installed on them, employee-owned devices are left to be protected at the employees’ discretion—something that doesn’t always happen, and even when it does, often isn’t at the level the company requires.
Not to mention, if a personal device is lost or stolen, it can be harder to track or lock down remotely. This is bad news if sensitive company and/or customer data is stored or accessible on the device. In the end, it’s a lot to think about and can be a tricky conversation as the lines of company versus personal property start to blur. But it makes for a dangerous situation as organizations just don’t have enough controls on employee-owned devices to protect the sensitive data that continues to be transmitted.
When deciding whether to allow BYOD, ask yourself:
Why not provide employees with company-owned devices to conduct company-related activity? Having control of your devices and data is vitally important to your security posture.
What data is being stored or accessed by employee-owned devices? And if you needed to restrict access or delete the data stored on the device, do you have the ability to do so?
Are you really saving money when you consider the training and software costs required to safely deploy a BYOD policy?
If it’s an option, the best bet is to ditch BYOD altogether. While it will take getting used to, you’ll likely find that cutting out the personal device isn’t as tough as you might think, and might even give your important employees some work-life balance benefits.
There are times your employees may want to be provided internet for their personal phones, but they still shouldn’t connect to the company network – keep them on the guest Wi-Fi, segmented from the company network.
If you do decide to allow BYOD at your organization, include a written BYOD Policy in your Technology & Data Use Policy. Any employee who uses a personal device should read and sign the policy, which should detail:
Restrictions on public Wi-Fi, risky websites, and downloads.
Which apps, programs and data are allowed.
Steps to take if a device has been compromised.
The data destruction process after termination or loss of device.
And be sure to consider company-deployed mobile device protection, which helps to protect against malware, allows for added security features (e.g. passcode requirements), and provides the ability to wipe, lock, or locate a device if it’s lost or stolen. It can also allow you to containerize the company data on the device, separate from the employees’ personal data.
As with most elections, BYOD isn’t an easy choice. But it’s important, needs to be considered, and every vote matters.
Your Friends @ Defendify