Bring your own device: tips from the experts - brought to you by NatWest

Thursday, 12 December 2019

Allowing employees to use their own technology for work purposes can help you save a lot of time and money – but relax too much and your business could be vulnerable to cybercrime. Experts and SME owners give their insight on implementing a safe and feasible BYOD policy.

Around half of UK businesses and charities say their employees regularly use personal devices for work purposes. While there are many benefits of implementing a bring your own device (BYOD) policy, doing so securely is key.

Why consider BYOD in the first place?

“Having staff bring their own devices to work can be a real money saver,” says Annabelle Kaye, director of small business support firm KoffeeKlatch. “No more forking out for mobile phones and laptops. If your IT budget is tight, you may even find your team bringing in more up-to-date and capable devices than the ones you normally offer them.”

“BYOD can be a huge boost to employee engagement and productivity,” says business coach Sherry Bevan. “Given that so many of us now own mobile devices, doesn't it make good sense to allow employees to enjoy the familiarity of using their own equipment? Productivity increases because employees can leave the office ‘on time’ and catch up with important emails on their commute home.”

Reasons to tread carefully

Don’t allow the obvious positives to blind you into carelessness. Of more than 500 UK SMEs polled in a recent Paymentsense survey, 61% said they had experienced a cyber-security incident since introducing a BYOD policy.

“You have no control over who else [other than your employee] accesses the device, or where else it has logged in,” says Kaye. “It may be full of malware, viruses and other problems just waiting to jump onto your network. Say your sales director’s kids use their phone for gaming over the weekend, it could be chock full of undesirable files. And with the device being outside of your control, there’s no guarantee it’ll be kept routinely up to date with security patches.”

Making BYOD safe

Only 57% of businesses surveyed in a recent government poll said they’ve covered the business use of personal devices in their cyber-security policies, which goes some way to explaining Paymentsense’s slightly alarming figure.

“BYOD can offer substantial cost savings but don’t scrimp on the necessary policies and security to protect access to your network and to your employees’ devices,” says Bevan. “BYOD requires a strong framework to implement, with input from your IT, finance, data protection and HR teams. It’s well worth getting advice from a reputable IT security consultant,” she says.

What makes a solid BYOD policy?

“The fundamentals of cyber security in BYOD are the same as they are in corporate-owned environments, it’s just that the implementation is different,” says Chris Wallis, whose cyber-security platform Intruder is used by small businesses across the UK. “While you may have less ability to enforce and monitor technically, at a bare minimum you should have a policy that everyone must sign off on after they’ve completed the steps to secure their device.”

So what should you include in your policy?

Antivirus and strong passwords

Wallis suggests starting with the obvious: “It almost goes without saying, but everyone should be running anti-virus on their devices; this will stop the vast majority of known malware in its tracks.

“Then make sure passwords are enabled on all BYOD devices, that they’re not easy to guess, and they’re not reused across online accounts. There’s plenty of guidance out there for choosing secure passwords, in particular from the NCSC [National Cyber Security Centre].”

Regular security updates

Regular updates are another important inclusion, Wallis says: “While antivirus protects you from known malware, many breaches are caused by new malware exploiting unpatched software, so keeping software up to date is essential to avoid a breach. Automatic updates should be enabled wherever possible, and updates applied regularly for everything else.”

Remote control

Even if someone outside the business gets their hands on an employee’s device, not all has to be lost. “Businesses should make sure that if an employee-owned device is lost or stolen, all business calls, texts, instant messages and group chats can be immediately and remotely disabled,” says Steve Haworth, CEO of business communications firm TeleWare.

Full-disk encryption

Passwords and remote deletion will help but won’t always be enough. “A good password will protect you from the average thief but any company serious about their data should mandate that full-disk encryption is applied to every BYOD device where possible,” Wallis says. “Full-disk encryption will make the data on your devices unreadable to unauthorised users – and in situations where it’s not possible, I’d advise not allowing personal devices at all.”

A final word: keep your policies updated

A BYOD policy that works now might not be quite as effective next year or in five years’ time, so be sure to revisit the details regularly. “As new platforms, software and devices are developed you will find it pays to review what’s working well and what is not,” says Kaye. “Ultimately you want your team to be able to work efficiently and freely but you have to secure the data flow for GDPR [general data protection regulation] and commercial confidentiality.”

Don’t be afraid to rule out personal devices altogether if you have to. “Sometimes you’ll have no alternative but to say no to BYOD if the technology is not there to help you monitor and enforce,” Kaye says.

Five tips for BYOD safety

  1. Get the basics – such as antivirus and strong passwords – right.
  2. Keep employees’ devices updated with the latest security patches.
  3. Make sure you have the ability to delete sensitive data remotely.
  4. Encrypt your data to minimise the impact of devices being lost or stolen.
  5. Revisit your BYOD policy regularly for maximum protection.

 
