Managing how employees use their own devices for work

The switch to remote working due to the COVID pandemic, and subsequently, means even more employees now use their own devices to access work emails, systems and files. This can make practical sense for many organisations, but the use of personal devices can pose a serious security risk if appropriate measures are not in place. A risk to personal information, as well as other confidential or commercially sensitive information.

Some organisations (particularly those handling sensitive data) might take the step of banning the use of any personal devices for work purposes. But for others there are good reasons for allowing personal devices to be used. The key is making sure security risks have been considered and appropriate measures are in place to protect the organisation and those whose personal data is held.

It’s essential for any organisation which allows employees to use their own devices for work purposes, to have robust security measures in place to address security risks, along with appropriate measures to protect personal data. Furthermore, employees need to know what’s expected of them and this is where having a Bring Your Own Device (BYOD) Policy is crucial.

What are the risks, what key security measures should be in place, and what should a BYOD Policy cover?

Key BYOD risks

1. Loss or theft of devices – we’re all human, and I suspect many of us have lost a mobile before, or perhaps even left a laptop somewhere. There’s a clear risk if it’s possible for someone else to access valuable or sensitive information on the device.

2. Use of public wi-fi services – connecting to open public wi-fi when employees are out and about can leave personal devices vulnerable to hackers. There’s also a risk if home networks aren’t secure.

3. Malware and viruses – employees can view any website and download any app on their own device, raising the risk these could contain damaging malware or viruses.

4. Former employees – failing to remove access and data from devices when people leave the organisation could come back to haunt the organisation. I know of cases where this has caused a data breach.

Key steps to mitigate BYOD risks

Here are some methods to reduce or eliminate the risks. This is by no means an exhaustive list, but will hopefully give you some useful pointers.

• Require employees to use appropriate authentications settings when accessing their devices. For example, access via a passcode or fingerprint.
• Restrict which business applications and data employees can access via their own device.
• Implement enhanced user authentication for business apps – multi-factor authentication (MFA). That includes access to their business email account (e.g. via Outlook) which may include personal information in the content or in attachments.
• Consider measures to make sure personal data from business apps can’t be downloaded, stored or shared via personal devices. Don’t allow staff to share data or screenshots from any business app they use with any other app they may have on their device (e.g. social media or file sharing apps).
• Put clear procedures in place for lost or stolen devices. For example, reporting the loss and the capability to remotely delete data from a lost or stolen device.
• Make sure clear procedures are in place to update access controls when people leave the business. or change roles.
• Prohibit the use of public wi-fi services, which may be insecure.
• Provide advice on making sure your home wi-fi is secure.
• Ask employees to update apps regularly to make sure any security vulnerabilities are ‘patched’.
• Ask them to run antivirus / malware checks regularly.

Creating a Bring Your Own Device Policy

A BYOD Policy sets out the rules for employees when using their personal devices – be it laptops, smartphones or tablets in for work purposes. It should set out the organisations expectations and the security measures required. When employees are accessing the organisation’s information, it’s okay to insist employees comply with a BYOD Policy.

Such a policy would cover all the measures in place to mitigate the risks above, making sure employees’ responsibilities are clearly laid out. You’d also want it to include, or point to, clear onboarding, leavers and procedures for lost or stolen devices.

In addition, a BYOD Policy is also likely to cover;

• Types of device permitted.
• Establishment of company rights on devices (this can be a tricky area and may be worth seeking legal advice.
• List of company systems / apps allowed to be accessed via personal devices.
• An explanation of acceptable use and behaviours. For example, what employees are not permitted to do may include;
  – Allowing others (e.g. family members) to access work systems and apps
  – Storing or transferring copies of organisation’s information onto their own devices
  – Using private email accounts for work purposes
  – Uses which may be illegal or bring the organisation into disrepute
• Details of the IT support available to employees.
• Any necessary sanctions should employees fail to follow the policy.

By the way, whilst we refer to employees above, you should bear in mind you may also have contractors who access the organisation’s systems / apps via their own devices. If so, the Policy should apply to contractors too.

Recently the Information Commissioner’s Office took action against a company following a data breach. It’s worth noting one of the key failings found was the lack of a BYOD policy. We’ve written more about this here: Information Security Tips