The Risks of BYOD
Employees at companies of all sizes, either of their own volition or because of corporate requirements, are engaging in bring your own device (BYOD) programs in ever greater numbers. Many of these employees continue to work at home, beyond the traditional workday, on personal laptops, tablets and smartphones as the divide between work and personal life continues to blur. Companies, once resistant to BYOD programs and their inherent risks, now embrace the increased collaboration, productivity and cost savings that BYOD allows.
According to a recent survey of global CIOs, half will require employees to supply their own devices by 2017.¹ Companies that do not take a proactive approach to managing the use of personal devices face growing risks, as costs associated with data losses, privacy breaches and other cyber threats continue to rise.
Yet, only 39% of companies have a BYOD policy in place, according to another recent study.² One in five employees surveyed reported that they were not aware whether or not their company had a formal policy in place, suggesting a need for increased training and communication.
Establish a Formal BYOD Policy
- Determine which devices are used and how. Your policy can specify the type of devices that are allowed to be used, how employees may use the devices to connect to corporate networks (e.g., through a secured Wi-Fi connection), and what applications are approved for use, including downloadable apps and cloud-based tools.
- Set expectations. Your policy can specify that the company has no responsibility for lost or damaged personal devices or employee injury from misuse of a personal device. The policy can also restrict the type of data that can be transferred to personal devices, and establish protocols for data synchronization and backup.
- Establish requirements. The policy can require employees to install the latest operating system updates, corporate-designated anti-virus software, encryption software and remote data-wiping capability.
Conduct Regular Employee Training
- Share best practices for data security. Employees should understand all of the elements of the corporate BYOD policy and also realize the exposure to risk and consequences of failing to follow the required precautions.
- Set training goals. After training, employees should know how to access appropriate corporate data from their personal devices, understand which applications are risky and which are safe to use, know how to separate work and private data on their devices, and know which type of work activities are appropriate for BYOD.
Manage BYOD Risks
- Vet personal devices and applications. Companies should review devices and apps for potential risks, with an eye toward striking a balance between restrictions to protect the corporate network and flexibility that will allow employee productivity.
- Update corporate network protection for personal devices. Steps include requiring a two-step authentication process for access to the corporate system, one that recognizes both the device and the person using it. Also put software tools in place to allow remote wiping of data, scanning for malware and data leakage, and archiving of corporate data.
Another important tool to protect your business is cyber security insurance: specialized policies that offer coverages such as errors and omissions, network and information security, and media liability to address cyber exposures.