The practice of employees, contractors and other people working in your organisation using their own laptop computers, mobile devices and portable storage in their work is known as ‘Bring Your Own Device’ or BYoD. It is a practice which can have both positive and negative implications for both the organisation and the employee – whether the device is brought into the workplace or used remotely.

However much you trust the people who work for or with you, personal devices pose one of the highest risks to any organisation’s information security.

In terms of data ownership, allowing employees to put company data on a personal device, means a degree of loss of control over that data, compared with retaining it safely within the company … be it a network, in the cloud or on a company-owned portable device.

An employee’s device can be difficult to monitor effectively; it can be difficult to know what data is stored on the device if lost or stolen; and when the employee leaves it could be impossible to retrieve the data. It can be difficult to encrypt personal data on an employee device … potentially contravening data protection regulations. In addition, if a personal device which is used for work purposes, there is a grey area around who provides and pays for technical support.

The risks

  • Theft of company data by an employee.
  • Loss or theft of company data if the device is lost or stolen.
  • Malicious or inadvertent introduction of malware on to company systems.
  • Loss of compliance with your industry regulations or standards.
  • Spiralling costs for technical support for ‘unknown’ devices.
  • Data limits being exceeded through employees downloading large files (such as movies) via the company network.
  • Employee timewasting through visiting websites / using applications on personal devices.
  • Incompatibility of software products or versions.

Advice on personal devices at work

  • Decide whether it is necessary to allow the use of personal devices in the workplace: does the business benefit outweigh the costs and risks?
  • If so, decide to what extent should the use of personal devices should be permitted (types of device, for what purpose and by whom).
  • Carry out a risk assessment and ensure that adequate controls are in place to reduce risks to the business.
  • Consider the implications of data protection regulations.
  • Ensure that personal devices usage is included in your acceptable use policy – for example in employee contracts and staff handbooks.
  • Consider implementing one of the many available mobile device management solutions on the market today.