More businesses than ever have a Bring Your Own Device (BYOD) culture. BYOD is where employees use their own phones, laptops or tablets within their workplace, instead of company hardware.
The latest research from the Information Commissioner’s Office (ICO) has found that 47% of UK employees now use their own personal devices for work purposes, and it’s getting ever more popular.
Another recent variation of this theme is Bring Your Own Application (BYOA), where employees use their own software at work instead of licensed, approved versions.
Such is the popularity of BYOD that the Government has released its own risk management guidance for the use of personally owned devices for remote working, produced by the Communications-Electronics Security Group, the information security branch of GCHQ.
The fact that the Government has released its own guidance shows the potential threats that BYOD can bring; we’ve provided some of the key things to remember here.
Firstly, it can’t be denied that some businesses can benefit from a Bring Your Own Device (BYOD) culture. Employees who use their own devices can sometimes work more efficiently, as they are more familiar and comfortable with them. What’s more, the devices themselves can often be much more powerful than any hardware that you could provide.
Is it worth the risk?
However, for many, the risks that BYOD can bring outweigh those benefits. It might seem attractive, but it’s important that your corporate information remains safe. When you don’t own all the hardware used in your business, the responsibilities can become a little blurred. You can potentially lose some control of your own data management.
Keeping data safe is critical
As you’re aware, the Data Protection Act 1998 (DPA) requires that you, as the data controller, must “take appropriate technical and organisational measures against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.”
Remember that breaches of Data Protection law could cause serious financial and reputational issues, resulting in fines of up to £500,000 being imposed by the ICO.
More devices mean more management
You and your IT department could be put under significant pressure in having to ensure that each of your employees’ varied devices is up to the task of keeping your data safe from loss, theft and corruption.
Malware and viruses are hard enough to keep control of within the relative safety of your own company firewalls. If those devices are being connected to networks and other devices at employees’ homes that you can’t control, then the risks are even greater. Any music, games, apps or files downloaded at home could have viruses hidden in them, which could attack your servers when devices are connected to them.
What’s more, mobile devices are often using outdated firmware, leaving critical operating systems and applications vulnerable.
Even if your networks do stay safe and virus free, additional devices running numerous applications could crash your networks by putting too much stress on the available bandwidth.
Policies can provide some help
If you need to have a BYOD culture in your business, it’s essential that you put a tight policy in place to fully explain everyone’s role in keeping data safe.
In the policy, you’ll need to clarify exactly:
- what type of data (especially personal data) can be held;
- what behaviours are allowed (especially if social media is being accessed);
- where data may be stored;
- how data may be transferred;
- the boundaries of personal and business use;
- what security capacities must be used;
- what to do if the device owner leaves your employment; and
- how to deal with the loss, theft, failure and support of a device.
Your policy needs to work within your existing network architecture, which should prevent unauthorised devices accessing sensitive business or personal information and ensure that authorised devices are only able to access data and services that you are willing to share.
Make sure that all software that your employees use for work purposes is fully licensed and official. It’s also a good idea to set up software that can remotely wipe data from a device if it becomes lost or stolen. Training for all this software is extremely important too.