It is estimated that over 90% of hybrid and remote employees use a personal device for work every day. But as more people use their smartphones or laptops to access company resources, the security risks for organisations increase dramatically, making it unsurprising that more than half of UK businesses experienced some form of cybersecurity breach or attack last year alone.
Simple admin tasks such as sending a work email from a personal device can create vulnerabilities in an organisation’s network. Whether instituted as a formal policy or as an adaptation to the pandemic, bringing your own device (‘BYOD’) opens a company’s systems and platforms up to hacking, data loss, and insider threat. With 82% of employers having a BYOD policy in place, employers need to be aware of these concerns, as well as implement best practices to mitigate the risks.
Conor O’Neill, CEO and Co-Founder of leading online pen test vendor OnSecurity, shares more about BYOD security and how organisations and employees can make sure their devices are protected.
BYOD security: What are the risks of using personal devices at work?
Unsecured Wi-Fi networks
When employees connect their personal devices to public Wi-Fi networks, such as those in cafes and hotels, they are relying on networks that are usually not secure or well protected against attacks. Mobile devices are at risk of having information accessed by an attacker if they communicate with a public network, and the data transmitted between the personal device and corporate systems can be captured.
Organisations can use VPN (virtual private network) technology to protect themselves from risks related to unsecured Wi-Fi networks. The VPN creates an encrypted tunnel between the employee’s personal device and the corporate network, so data sent over public Wi-Fi is protected in transit.
Data security breaches
Employees’ devices often lack the robust and up-to-date antivirus protection that is normally present on company-issued laptops, leaving them vulnerable to malware and virus infections. These infections can spread to company networks, compromising critical systems and potentially leading to data loss or disruption of operations. Common threats include viruses that spread through email attachments and downloads, spyware that steals sensitive data, and ransomware that encrypts files and demands payment for their release.
Research from the Anti-Phishing Working Group (APWG) revealed that common threats and scams most often include a sense of urgency, so look out for phrases like ‘update password now’ and ‘action required’.
Lost or stolen devices
Lost or stolen devices are potentially the biggest threat to BYOD security, with 40% of data breaches caused by lost or stolen devices. When the wrong person finds a device, it can easily be infiltrated and mined for personal, internal and financial information.
The loss or theft of these devices poses a high risk of exposing confidential company data if adequate measures, such as encryption and remote wipe capabilities, aren’t implemented.
If an employee loses a device or has it stolen, it’s important to act immediately and report the loss. Companies should have measures in place to ensure they can wipe data from a laptop, tablet or phone remotely.
Mixing personal and business use
Bringing your own device to work means mixing business with personal use is inevitable. You can’t control whether your employees decide to shop online at compromised websites or whether they will misplace a device. While you can educate heavily on security best practices, you can’t guarantee that your employees won’t loan their devices to a friend or use public wireless connections to save data.
45% use the same password for work and personal accounts – reusing passwords exposes a user’s accounts to cybercriminals, which increases the risk of identity theft as well as sensitive data theft from their organisation. Employers must encourage employees to have strong and different passwords across their work accounts.
5 BYOD security strategies for the workplace:
- Implement a clear BYOD policy
A clear BYOD policy is essential for managing the risks associated with personal device use. This policy must outline the acceptable use of personal devices and guide security practices such as password protocols, approved apps and procedures in the event of device loss or theft.
- Multi-factor authentication (MFA) codes
Make sure you use strong passwords on smartphones, laptops, tablets, email accounts and any other devices or accounts where personal information is stored. Where possible, you should consider using multi-factor authentication. Multi-factor authentication is a security measure to make sure the right person is accessing the data. It requires at least two separate forms of identification before access is granted. For example, you use a password and a one-time code which is sent by text message.
- Enforce access control and monitoring
Implementing strict access control measures and conducting regular audits ensures that only authorised individuals can access sensitive data, reducing the risk of data breaches. Monitoring access logs also enables the timely detection of suspicious activities or unauthorised access attempts, allowing for prompt response and mitigation.
- Regular training
A significant element of overall BYOD security is ensuring that employees are properly educated on the most common security threats and risks and know the best practices for avoiding them. This includes up-to-date practices for browsing the web securely and regularly updating software. At the same time, employees must be trained on how to recognise and report potential security incidents affecting the organisation, such as phishing attempts.
- Mobile device management
In case of loss or theft, a mobile device management program can enable IT departments to remotely “wipe” a device to ensure sensitive information is not exposed.
As the lines between personal and professional device use continue to blur, companies must proactively address the security challenges that come with BYOD environments. While personal devices offer flexibility and convenience, they also introduce vulnerabilities that can put sensitive company data at risk. By implementing clear policies, enforcing robust security measures and investing in regular employee training, businesses can reduce these risks. Ultimately, creating a secure, digital space is a shared responsibility—one that requires both employers and employees to stay vigilant and informed.