Is “Bring Your Own Device” Presenting New Threats to Cyber Security?

Featured article by Helen Wallis, Independent Technology Writer

In recent years there has been an increase in the number of companies allowing employees to use their own devices at work including mobiles, tablets and laptops. In fact more than just allowing it, some businesses actually encourage ‘bring your own device’ in their quest to reduce their IT overheads.

Companies are also offering this option because they feel their employees enjoy working on their own devices, which they know well, and which may be of a higher spec than company provided ones. There is also the additional perk for the business that if employees use their own laptops and phones they may be more likely to answer calls and e-mails after working hours. While it does offer benefits, including the main one of company cost cutting, ‘bring your own device’ still holds inherent risks.

Security Risks

One of the key risks with allowing everyone to use their own device is that staff will have differing levels of anti-virus protection installed and thus every time they connect to your business network there is the very real risk of malware infection. Combined with a robust firewall, anti-virus software should be an integral part of your security campaign. It’s not enough just to install anti-virus software. You also need to ensure it is updated regularly, as malware is continually evolving, and require staff to run regular scans on their devices. This is more complex to do if you are trying to protect hardware not owned and controlled by the company.

Data Protection

Another key issue with ‘bring your own device’ is data protection as your business remains responsible for corporate personal data even when the information is on hardware owned by your employees. You will probably find yourself in the uncomfortable position where confidential company documents are being stored on devices which you hold little control over. For example, do you know whether your employees’ own equipment is adequately password protected; do they have apps on their mobiles which can wipe them of all data should they be lost or stolen; and who can access the devices when they are at your employees’ homes or while your staff member is on business travel or holiday? While any device, whether business or personal, can be lost or stolen, the key question mark here over personal devices is that you enjoy much less say about what can be done with that hardware or how it is secured.

In fact there are such severe concerns over the potential risk of ‘Bring Your Own Device’ in terms of the Data Protection Act, that the Information Commissioner has published guidelines about the risks and what you can do to mitigate your potential exposure.

Cloud Storage Security

When companies implement a policy of allowing staff to bring their own devices to work, they usually do so with the intention of backing up the data to the cloud. This in itself brings a further level of risk and there are two key components to that risk. First, is the question of the security of the cloud storage itself and second, is the issue of accessing the cloud through non secure connections. The first has a solution if you ensure that your cloud host encrypts all your data. That way, even if there is a breach, your confidential information, and that of your employees, vendors and clients, should remain secure. Second, if you want your staff to access the cloud and your network from non-secure connections your best option is to set up a Virtual Private Network, or VPN, so your data remains secure.

While there are advantages to allowing your staff to use their own devices at work, chief among them the company’s reduced outlay on IT hardware, it should still be something which is weighed up carefully. The risk of falling foul of the Data Protection Act; potential hacking exposure; and the increased costs of your IT department having to support such a diverse range of devices, may not outweigh the savings you make. In addition, you need to ask yourself this question. If you were one of your own clients would you want your data, which could include personal and financial details, on someone’s personal laptop or mobile? The answer to this may well influence your decision as to whether ‘bring your own device’ is a good choice for your business.

Helen has a passion for technology and business and enjoys sharing her knowledge and expertise with others. She has worked in the IT industry for over fifteen years and likes to spend her spare time writing and blogging about new developments in the industry.