Bring Your Own Device: benefits and risks
Bring Your Own Device (BYOD) is a practice of allowing employees to use their own personal laptops, smartphones, tablets or other devices for work. It has become increasingly popular in recent years, and especially during the COVID-19 pandemic, as a way of enabling employees to work remotely, accessing their business' network and data from home or on the go.
The practice of BYOD offers many benefits but it is not without risk, especially when it comes to security and data protection.
Advantages of BYOD
For some businesses, a successful, well-controlled BYOD environment can:
- offer greater flexibility
- increase workforce mobility
- increase efficiency and productivity
- raise employee satisfaction
- allow greater choice in device type
- cut hardware spend and software licencing costs
- cut down on device management for business-owned devices
With proper use and safety precautions, allowing employees to use their own devices for work can be an ideal workplace policy for some businesses.
However, where BYOD is not completely understood and adequately regulated, it can seriously threaten the security of business data and systems.
BYOD issues around security and privacy
BYOD raises a number of data protection concerns and can lead to vulnerabilities in information security. For example:
- Intentionally or accidentally, private information could leak from unprotected and unmanaged devices.
- Personal devices may lack data encryption capabilities or can be lost or stolen, increasing the risks of data loss or exposure.
- Personal devices may contain malicious apps or malware or be more vulnerable to attack from online threats.
- Responsibility to manage passwords, anti-virus and anti-malware protection, security patches and other safety measures, falls onto the device owner, meaning you have little to no control over safeguarding the device.
- Storage of business and personal data on the same device may be challenging. You must also consider the security of data once it is stored on the device.
- You may need to modify your current IT infrastructure and tech support to make it BYOD compliant, across the whole range of devices and applications your employees will be using.
From a legal perspective, the responsibility for protecting personal information rests with the data controller (ie the organisation), not the device owner. Read the Information Commissioner's Office guidelines on BYOD and data protection and be aware of your duties under the data protection laws, including the UK General Data Protection Regulation (UK GDPR).
BYOD and home working best practices
If your staff are working from home and using their own devices to access company software, you should:
- consider using multi-factor authentication for remote access
- ensure that the device owner's data and the organisation's data are kept separate
- ensure that staff cannot inadvertently or deliberately move the organisation's data into their personal storage on the device or onto separate personally-owned devices
- be aware that the device's security may be compromised and plan accordingly, eg update out-of-date and unpatched operating systems or software
If your staff are using their own devices and their own software to access your business applications and data, bear in mind the increased potential for your systems and data to be compromised. For example:
- out-of-date software or operating systems, weak passwords or insecure methods of communications, such as personal email accounts, may be vulnerable to exploitation
- devices are likely to be shared between family members, so unauthorised people may be able to access personal data
- personal devices are unlikely to encrypt data, making it vulnerable in the event of loss or theft of the device
- data can easily be moved to other insecure storage, including personally-owned USB sticks and external hard drives, which can increase the potential for loss
Consider these security risks and put in place measures to mitigate them to avoid potential data breaches.
Create a Bring Your Own Device (BYOD) policy
Rolling out a BYOD programme in your organisation requires three critical components:
- a software application for managing the devices that are connecting to the network
- a written policy outlining both the employer's and the user's responsibilities
- a user agreement, acknowledging that they have read and understood the policy
A BYOD policy should aim to protect the security and integrity of your company data and technology infrastructure. It should cover things like:
- acceptable use - which activities are allowed/not allowed for business or personal use
- devices - which devices are permitted/not permitted
- apps - which apps are permitted/not permitted, including download of new apps
- ownership of apps and data and their management
- support and service - how to deal with connectivity issues, configuration of apps, etc
- security - what measures will be put in place to prevent unauthorised access to company's data and system, enable remote management of device, etc
- liabilities - eg for costs associated with the device or for the loss of data or device
- termination of access - eg for non-compliance with policy, or an employee exit
As well as a policy, you should at the very least provide your employees with clear guidance on:
- how to secure their device by keeping software up to date
- how to use strong passwords
- how to minimise the storage of personal data on their devices
It is important that staff understand when and how they should report potential data breaches if these occur on their personal devices.
The National Cyber Security Centre (NCSC) has detailed guidance for organisations considering integrating BYOD into their practices.