Over the past five years many employers have been exploring letting their employees use their own tablets, phones, and laptops for work-related activities. This approach has many benefits, including reducing hardware cost and flexibility in the workplace, especially today when working from home is the new norm and in higher demand. Many employers may use BYOD to attract potential hires or boost morale in the workplace, but employers need to be aware of the security risks this creates.
The most common workplace activities employees perform on their PC is connecting to the corporate network, checking email, and accessing corporate applications. Since IT cannot fully manage a personal device, it makes it more difficult to protect these assets from hackers, malware, and other malicious actors. Often in the BYOD environment corporate apps and documents live alongside one another, causing data loss or leaks as well. Here’s three scenarios to consider before implementing a BYOD policy:
- In BYOD environments it makes it easier for data to leave the network and into an employee’s Dropbox or other cloud storage. For example, an employee could easily snap a picture of a whiteboard after a meeting or screenshot of an important document and save it in their personal cloud to review later. Their personal cloud isn’t being secured by IT and could more easily be compromised and lead to loss or leaked data.
- Data can easily be compromised through malware. Employees are more likely to download games and other apps on their personal devices. These apps can potentially have malware attached to them and the malware could then be passed onto the company network when the employee next logs in from the infected device.
- We would like to think that an employee would promptly notify their employer if their device was lost or stolen. However, employees have gone weeks before reporting it missing, in hopes it would be recovered and for fear losing their personal data due to a remote wipe. However, it crucial for users to report loss or theft as soon as possible, in order to shrink the time for a bad actor to access the data on the device.
These are all significant scenarios to consider before implementing any BYOD device policy to your organization. Other big considerations include compliance, and if the organization can even legally offer a BYOD policy to its employees. Every company and organizations have different workflows and BYOD definitely offers flexibility, but it’s always important to have a polices and response plans in place before allowing users to access company data, regardless if it's via BYOD or company-owned devices.