With a remote workforce, there is always an increased risk of staff using personal devices instead of company ones, especially as carrying two phones, two laptops or two desktops may seem cumbersome. Therefore, some organisations introduce a Bring Your Own Device (BYOD) policy, which has a number of benefits for the business including:
· Familiarity – People are familiar with their own devices.
· Productivity – Less time is spent trying to learn new hardware or software and staff are more likely to work at irregular times.
· Financial savings – Organisations can save money on buying equipment.
But if adopting a BYOD policy, there are some security risks to consider.
· Data Loss – Transferring data from personal to work devices can result in deliberate or accidental data loss. Additionally, some personal devices (e.g. laptops or tablets) could be used by other family members which could also result in accidental data loss.
· GDPR Risks – With personal devices potentially being used by other members of the family there could be issues with GDPR compliance if sensitive data is stored on the device.
· Outdated Software – Individuals are unlikely to follow the same software update process on their personal devices as a company IT department would. Therefore, they could be running out-of-date software and operating systems, leaving the device open to cyber-attacks.
· Weak Security – Security on personal devices may not be as robust as a company security policy, which will include firewalls, anti-malware software, multi-factor authentication and regular updates.
· Employee separation – If an employee leaves the business, it is more difficult to ensure company data has been removed from the device.
Creating a BYOD policy
In order to address these security issues, it is important to create a BYOD policy which all members of staff using their own devices must follow.
The first thing that users need to be aware of is that if they are using their own devices for business purposes, they have to be comfortable with the organisation carrying out device management on their machines as if they were company owned. This will include:
· Acceptable use – Identifying what tasks are permitted from personal devices, such as annual leave requests, expenses submissions, emails or client calls; what company resources staff are able to access from their devices; and how much personal use they are permitted throughout the working day.
· Prohibitions – Identifying what staff are not permitted to do through personal devices, such as transferring client data or bank details, what data they are not permitted to store, and which apps are not allowed. Blocks could also be put onto the device to prevent copying from business apps to personal apps.
· Minimum standards – Identifying minimum accepted standards in regard to OS versions and particular software used.
· Multi-factor authentication – Ensuring personal devices used for business purposes have multi-factor authentication for accessing business data.
· Access – Identifying what access the organisation needs to have over the personal devices. The less access the IT department has, the less secure the device potentially is. Additionally, it is important to make it clear which personal devices can connect to the company network and which ones can’t.
· Reimbursement – Agreeing whether the company will reimburse any of the costs of purchasing the device, as well as how much (if any) of the data costs will be covered.
· Enforcement – Enforcing the BYOD policy, which relies on the cooperation of the staff member, can be tricky. If they don’t adhere to the policy, the devices are open to security risks and they could potentially be held liable should there be a data breach.
Introducing a robust BYOD policy can be complex, but it is an essential part of keeping business data secure as well as being GDPR compliant. If you would like some help with the implementation of a policy, as well as procedures to keep personal devices safe, give SupportWise a call today.