Do your staff ever respond to work emails on their smartphones? If an employee suddenly comes down ill, do you encourage them to stay at home and work from their personal laptop? When a crisis strikes outside of regular working hours, do you expect your staff to try and resolve the problem, or simply ignore it until they’re back at their desk?
If you answered “yes” to any of the above, then you have a “Bring Your Own Device” (BYOD) policy, and it could be putting your business in serious danger.
In this article, we’ll be exploring why something as simple as an employee responding to a work email on their smartphone is such a huge security risk, and then cover the steps you can take to help keep your business safe.
Can’t I just ban BYOD?
Before we dive into the major dangers associated with BYOD, let’s look at why it’s not a good idea to simply ban your employees from using personal devices for work purposes.
As an employer, BYOD can slash your hardware costs, as you don’t necessarily have to equip every single new employee with a company-issued smartphone, tablet, laptop and desktop computer. BYOD also gives your employees a way to perform work tasks outside of regular working hours and outside of the work environment, including responding to any disasters that may strike your business during the evenings and weekends.
For employees, a BYOD policy lets them use the devices they’re already familiar with, and gives them some flexibility in when and where they work. In particular, your employees will appreciate having the option to work from home when other commitments or illness make it difficult for them to get into the office. When you keep your employees happy, they’re more likely to work harder and stick around for longer.
BYOD has also become deeply ingrained in the way we work, particularly for millennials. Chances are your new millennial hire has already added their work email to their smartphone before the end of their first shift! BYOD feels completely normal to many employees, so even if you do try to enforce a ban, you might experience limited success.
Despite the security risks, banning BYOD will put your business at a significant competitive disadvantage, while also reducing your staff’s productivity and their overall job satisfaction. Since it’s a bad idea to ban BYOD completely, we’ll be sharing some advice on how you can implement a safer, more secure BYOD policy, towards the end of this article.
BYOD: the biggest security threat facing your business
There are several major reasons why BYOD is such a huge threat to businesses of all shapes and sizes:
1. Mobile devices are easily stolen – and contain a tonne of data
Unlike traditional laptops and desktops, mobile devices can be easily lost, misplaced or stolen, which can result in an unauthorized third party gaining access to all the corporate data stored on that device.
But how much data is that, really?
If you use your personal smartphone or tablet for work purposes, then now’s the perfect time to grab your mobile device and take stock of just how much damage someone could do if they gained access to your device right now.
Most of us are guilty of checking our work email on our personal smartphones or tablets, and we may occasionally download documents and email attachments that contain sensitive corporate data. However, it’s also not uncommon to remain logged into a range of business accounts on our personal mobile devices, such as Microsoft Teams, Flow for mobile, and your company’s corporate social media accounts.
The simple act of leaving your smartphone at your local coffee shop could result in a third party gaining access to huge amounts of confidential data. In the worst case scenario, this third party may even decide to hijack your accounts and perform damaging actions such as sending emails to your clients, or flooding your company’s social media with offensive posts.
A single lost, misplaced or stolen device could inflict irreparable damage on your business, and with phone thefts rising by 25% on the London Underground alone, this represents a very real and growing threat.
2. Personal devices may have zero security
When it comes to company-owned devices, you’re in a strong position to impose strict security policies and restrictions, but personal devices are much more difficult to police.
A good employee should have no objection to following company-mandated policies for company-owned devices. However, that same employee probably isn’t going to appreciate being told how to use a smartphone or tablet that they own, even if that device contains lots of company-owned data.
It’s almost impossible to gauge how security conscious your workforce will be when it comes to securing their personal property. Even the most tech-savvy employee may be surprisingly lax when it comes to securing their own smartphone or tablet. In the worst case scenario, one of your employees might be walking around with a tonne of corporate data stored on a mobile device that isn’t even protected by a basic “1234” PIN or password!
Even if an employee does protect their personal device with a security mechanism such as a PIN or password, they might not be so proactive when it comes to keeping their device’s software up-to-date.
We can all be guilty of falling behind with our updates from time to time, but new releases often contain fixes, patches and other security-focused features that can help keep your device safe. By delaying these updates or even ignoring them completely, your employees are leaving their devices vulnerable to a whole host of digital attacks – and by extension, leaving your corporate data vulnerable to hackers.
Your IT department may be able to control when company-owned devices get updated, but they’ll have little sway over when (or even if) an employee chooses to update their personal smartphone or tablet.
This combination of outdated software, limited corporate control, and a lack of simple security mechanisms such as PINs and passwords can make personal smartphones and tablets an easy target for anyone who wants to get their hands on your company’s data.
3. There isn’t always a clear distinction between personal and corporate data
When you perform personal and work-related tasks on the same device, you run the risk of blurring the lines between personal and company-owned data.
When data ownership isn’t immediately clear, your employees could accidentally delete or even share your company’s data, as if it were their own. For example, if an employee automatically backs up their smartphone’s contents to a third party cloud provider, then your corporate information could wind up copied to a third party server, without your permission and potentially even without your knowledge.
It should be noted that this blurring can be equally dangerous for the employee. If your business is inadvertently exposed to the employee’s private information, then it could result in an accidental but serious breach of that employee’s privacy.
4. Personal devices are often connected to unsecured public networks
Many of us regularly connect to free public Wi-Fi networks when we’re out and about, to the point where there are even mobile apps dedicated to helping people find new, free public networks.
However, when you’re connected to a public network, you could be transmitting data from your device without any encryption. Unsecured data can be intercepted by hackers, which is why it’s considered such a bad idea to check your online banking when you’re connected to an unsecured public network.
There have even been instances where cyber-criminals have set up wireless access points, known as Wi-Fi “honeypots,” specifically to intercept unencrypted data. Connecting to personal area networks, such as Bluetooth, can pose similar security risks.
Unsecured networks aren’t typically a problem for company-owned devices that rarely leave the office, such as desktop computers. For company-owned smartphones and tablets, you’re still in a strong position to set some regulations about the kind of networks that employees can connect to, since these devices are clearly company property.
However, there’s no guarantee that an employee will be similarly vigilant about connecting to unsecured networks on their personal devices, potentially exposing all of the company data that’s stored on that device. Checking your Microsoft Teams messages or logging into your work email while you’re connected to a free public network may seem innocent, but it can result in a third party intercepting your data as it’s being transmitted, or even sniffing out your login credentials and gaining access to your business accounts.
5. They’re susceptible to malicious apps, malware and viruses
There are plenty of steps you can take to help prevent employees from installing malicious apps and software on company-owned devices. For example, you might:
- Install security software before handing company-owned devices over to your employees.
- Schedule regular security audits, where your IT department analyzes each device and installs any missing fixes, patches or software updates.
- Ensure your network is adequately protected, and automatically block any suspicious software that an employee attempts to download.
- Set strict regulations about the kind of programs your employees can download.
- Blacklist suspicious websites.
It’s difficult to impose any of the above restrictions on devices that are owned by your employees. Demanding that an employee hand over their personal smartphone for a security audit is unlikely to go down well!
In the worst case scenario, your employees may be guilty of frequenting insecure websites, such as file sharing sites, or even websites that allow them to download proprietary software or multimedia for free, which are notorious for spreading malware. While most employees would recognize this as unacceptable behaviour on a company-owned device, it’s nearly impossible to restrict what an employee does in their own time, on their own device – even if it puts your company’s data at significant risk.
BYOD: How do I keep my organization safe?
Despite the danger, there are steps you can take to ensure you’re getting all the benefits of BYOD, while minimizing the risk:
1. Train your staff
The major reason why BYOD poses such a threat is that many employees are completely unaware of the dangers – checking your work emails on your personal smartphone isn’t an activity that strikes many people as inherently dangerous!
The first step to protecting your business is to educate your staff – forwarding them this blog might be a good place to start! You could also create your own materials, such as a user manual or a presentation, or arrange company-wide training sessions.
Once your employees have the correct information, you need to ensure they’re putting it into practice. Creating an official BYOD policy that all employees must agree to, and potentially even sign, will encourage them to see this as a serious issue, rather than yet another company policy that doesn’t really apply to them.
2. Give employees the tools they need
Once your employees are aware of the dangers, you should provide them with the tools they need to keep all of their devices safe. You might provide them with complimentary licenses for security tools, such as virus scanners, antivirus software and password managers, or ensure they have access to software that focuses on preserving their privacy, such as VPN apps.
3. Make sure you can remotely wipe a lost, missing or stolen device
Imagine one of your employees’ personal devices has gone missing, and that device contains a tonne of corporate data. You could wait to see if this information is leaked or sold to your competitors – or, if you’re an Office 365 user, you could wipe the missing device remotely.
Office 365 admins can use the built-in Mobile Device Management feature to remotely remove organizational information from a missing device, or restore the device to its factory settings.
You could even take a proactive approach, and create a policy that automatically wipes the device after three failed sign-in attempts. With this policy in place, a stolen device could be wiped clean before the owner even realises it’s missing!
With proper precautions in place, a lost, missing or stolen device can become a frustrating inconvenience, rather than a complete disaster.
Check out our Top 7 Ways to Secure Microsoft 365 article, where we cover Multi-Factor Authentication, Mobile Device Management, and more.
Interested in learning more about Office 365’s suite of mobile-focused security features?
Why not schedule a complimentary call with one of our specialist engineers today.