How to allow ‘Bring your own device’ at work – without compromising security.
The proliferation of smartphones and tablets in the consumer market has fueled the rising trend of businesses embracing ‘Bring Your Own Device’ (BYOD) in the workplace. At the same time, it can create a significant cybersecurity risk for businesses that aren’t adequately prepared.
In a survey we conducted among 2,000 UK employees about their cybersecurity behaviors and experiences, we found that one in five have been directly involved in a security breach or loss of sensitive data. The results also show that 91% of the employees who have been involved in a security incident use personal devices to access sensitive systems and data while at work.
An instinctive response from many business owners to reduce the risk would be to prohibit the use of personal devices entirely. However, a third (34%) of the employees surveyed said that the ability to BYOD is a principal consideration when choosing a job.
So, rather than swimming against the tide of employee expectations, it makes sense for employers to find a way to make BYOD work. They can capitalize on the benefits it offers, such as increased productivity and greater employee satisfaction while implementing cybersecurity policies and encouraging the right behaviors to mitigate the risks involved.
Not only did the Covid-19 pandemic accelerate the work-from-home culture, but in many cases it made it necessary for employees to access company networks from their personal devices. Therefore, for organizations who do not have a formal BYOD policy yet, there has never been a better time to implement one – and here are my five key tips.
1. Get stakeholder buy-in
Jumping straightaway to policy creation is often met with resistance. The first step, therefore, is to gain both stakeholder and employee buy-in.
Senior business leaders need assurances that the benefits of BYOD outweigh the possible security risks and require proof of a concrete plan and support for the implementation of a BYOD policy. IT leaders in particular need to be aware of and agree on the level of resource and support that will be committed to BYOD security. Stakeholders can provide diverse perspectives from various departments and interests within the organization. Functions like HR, Finance, IT operations, and the security team should form part of a BYOD project management team to contribute to policy development.
In addition to these stakeholders, employee input is critical for creating an effective BYOD policy. Creating a policy framework with only the business’ interests at heart may result in backlash. Equally, excessively restrictive policies or failing to offer support for the right devices will possibly lead to lower employee engagement and productivity.
2. Develop a clear policy for BYOD
In our research survey, 42% of respondents indicated that their organization does not enforce a security policy to control how personal devices can interact with sensitive information. Yet, this is perhaps the most critical aspect of managing BYOD security challenges. Security policies can be rather complex and detailed, so it’s essential to have a simplified version that’s easy to communicate to employees. The policy should cover key elements such as whether employees can use their personal devices at work or use them for work. The most substantial security risks are associated with the latter.
Although due diligence is necessary in all cases, the policy should also clarify the permitted device types and mandated cybersecurity tools to use in tandem with the devices. The same applies to business applications – include a clear list of approved programs and forbid the use of unapproved programs. Furthermore, it’s important to specify the extent to which employees can request IT support for personal devices.
3. Improve employee cybersecurity awareness
Our survey revealed that nearly a quarter (24%) of employees lack confidence in recognizing cybersecurity threats at work. And since human error is one of the biggest BYOD risks, regular mandatory cybersecurity awareness training must be at the heart of any security policy. This will help employees recognize common threats such as phishing emails and suspicious links. Knowledge of these threats is critical in a constantly evolving landscape.
Awareness must also become part of the working culture. Share best practices on the security elements employees are constantly exposed to, like password protection and usage. Make cybersecurity training part of the onboarding process for new employees, including how to use any necessary tools.
4. Ensure access to critical cybersecurity tools
Our research exposed a startling lack of ready access to critical cyber security tools. Only around half (or less) of employees have access to crucial tools such as multi-factor authentication (45%), web filtering (47%), laptop encryption software (50%), and virtual private networks (52%).
It’s no good simply making these tools available since not everyone is naturally tech-savvy. The business needs to implement a strategy to ensure employees actually adopt and use them. They’re no longer the exclusive domain of IT security specialists. All employees must be well-educated in how to correctly use cybersecurity tools if the organization wishes to steer clear of risk.
5. Monitor and review regularly
Although this point may seem obvious, it’s one of the most important. Remember that most cybersecurity processes are not based on a ‘set it and forget it’ approach. Businesses need to constantly track their effectiveness and make regular updates and improvements – especially as the cybercriminals never stand still.