A hybrid work model and the abundance of smartphones, tablets, and laptops in the consumer market are prompting many businesses to allow “Bring Your Own Device” (BYOD) in the workplace. While there are clear productivity benefits, businesses must be well prepared to counter BYOD’s potential cybersecurity risks.
The risks became evident in a recent Impero survey of UK employees about their cybersecurity experiences and behaviours. It revealed that one in five respondents had been involved in a security breach or a loss of sensitive data while conducting work. Nearly all (91%) of the employees involved in a security incident use their personal devices to access business applications and data.
To reduce or eliminate the risk, many business owners would instinctively ban the use of personal devices at work in their entirety. Yet, such a knee-jerk reaction could be detrimental to the business since one-third (34%) of the survey respondents stated that they consider the practice of BYOD as a key requirement when job-hunting.
So, instead of undermining employee expectations, it would be more sensible for employers to put proper guidelines and safeguards in place. Implementing cybersecurity policies and encouraging risk-mitigating behaviours will enable them to benefit from the distinct advantages BYOD offers. These include increased productivity, greater employee satisfaction, and organisational flexibility.
The Covid-19 pandemic forced work from home to shift from a luxury to a necessity almost overnight. In many cases, employees needed to collaborate with colleagues and access company networks from their personal devices, creating an environment in which BYOD could thrive.
Hybrid work is a continuing trend, and organisations that do not have a formal BYOD security policy need to implement one without delay. Here are five helpful tips for success.
- Involve all stakeholders
Blindly creating a policy that only serves the company’s interests will likely face resistance. Therefore, obtaining buy-in from all stakeholders and employees is critical to ensure everyone agrees to and supports the proposed policy.
Decision-makers need guarantees that the policy adequately addresses security concerns and that the overall benefits outweigh the drawbacks. They must also see proof of a definitive plan and support for a BYOD policy, especially from IT leaders. Bring Your Own Device security will place additional responsibilities on their departments, and they need to agree on and approve the level of resources and support earmarked for the task.
Moreover, stakeholders from various departments with different interests can contribute to creating a more balanced policy. Build a BYOD project management team with representatives from the HR, Finance, IT, and Security functions to contribute to policy development.
Employee input is equally critical for creating an effective BYOD policy. Building a policy framework that doesn’t cater to their interests or needs may backfire. While it’s necessary to spell out which devices and operating systems are allowed, being too restrictive will lead to a low participation rate by employees. Failing to offer adequate support for the right devices will have the same result and waste resources.
- Increase employee cybersecurity awareness
Human error and ignorance both pose a severe threat to BYOD security. Our survey revealed that almost a quarter (24%) of employees lack confidence in recognising cybersecurity threats at work. Therefore, regular, mandatory cybersecurity awareness training should be a cornerstone of any security policy in a constantly evolving landscape. It will equip employees with the know-how to recognise and report common threats, such as phishing emails and suspicious links.
Make awareness part of the working culture by sharing best practices on the security elements employees encounter daily, such as password protection and usage. Cybersecurity training must also become part of the onboarding process for new employees, including instructions on how to use essential tools.
- Develop a clear BYOD policy
Perhaps the most critical aspect of managing BYOD security challenges is to have a well-thought-out policy that governs how to use personal devices at work. Yet, in our research survey, 42% of respondents revealed that their place of work does not apply any security policy to control the interaction of personal devices with sensitive information.
Security policies can be complex and detailed, so it’s necessary to formulate an employee-friendly version that employees can easily understand. This version should cover key aspects, such as whether or not they can use their devices for personal communications only, or actually use them for work. Understandably, the latter presents more significant security risks.
However, due diligence is necessary in all cases. Therefore, the policy should clearly stipulate the permitted device types and authorised cybersecurity tools to use alongside the devices. The same goes for business applications. Include a comprehensive list of approved packages and ban the use of unapproved packages. It’s also essential to specify the IT support level available to employees that use personal devices.
- Make cybersecurity tools readily accessible
Our research revealed a surprising lack of ready access to essential cybersecurity tools. For example, only about half (or fewer) of employees have access to critical tools such as remote access software (57%), virtual private networks (52%), laptop encryption software (50%), and multi-factor authentication (45%).
Yet these tools are no longer the exclusive domain of IT security specialists. All employees must be well-versed in the correct usage of cybersecurity tools if the organisation is serious about reducing risk. Once employees are familiar with and confident in using these tools, the business must introduce measures to ensure they adopt and use them.
- Constantly monitor, review, and refine
This seemingly obvious point is also one of the most important. As with any business strategy, one cannot base most cybersecurity processes on a “set it and forget it” approach. Organisations must frequently evaluate their effectiveness, investigate new capabilities, and make regular updates and improvements. Remember, cybercriminals never sleep and are constantly on the prowl.
Justin Reilly is a former teacher and education leader with 20 years of experience leading EdTech businesses to success. With an early career teaching mathematics and information and communications technologies in UK secondary schools, Reilly understands first-hand the challenges associated with digital learning. He currently serves as CEO of Impero Software, a leader in student safety software. He has also served as the CEO of Mau Group, one of Africa’s leading EdTech businesses, serving schools and ministries of education in some of the most remote and unstable regions, as vice president of technology delivery and strategic partnerships at Pearson Education and as CEO of Fronter AS, a provider of learning management systems. He works at Impero’s UK office in Nottingham.