Accessing company information on a personal device is the new normal, but do your people know how to mitigate the risks?
Thanks to portable tools like smartphones and tablets, the working world has never been better connected. And that closeness has opened up opportunities for business across the globe. A recent survey found 62 percent of people have traveled to another state for work in the past 12 months. Out of those, 25 percent say they used their own device when traveling, rather than one supplied by their employer.
Technology has allowed workers more freedom, but with that freedom comes risk and a need to better understand how to safeguard sensitive information before it’s compromised.
Bring Your Own Device (BYOD) policies are the best solution companies have to answer this need, and in most cases, employees are happy to comply in exchange for certain perks, like having their bills paid by the company. Nevertheless, many companies are overwhelmed by the prospect of putting such a policy in place. Letting that discomfort get in the way of teaching best practices, though, could lead to catastrophic results. That’s why Steve Durbin, managing director of Information Security Forum, argues it’s best to stay ahead of the curve by taking a proactive approach.
The complexities of BYOD
Durbin has spent years helping companies navigate the changing world of information technology and cybersecurity. “When I talk to organizations all around the world about this,” he says, “it is something they’re currently struggling with because we live in an environment where the user is king — you don’t know what I’m doing with my device. And if it’s my device, I feel like I have a right to do whatever I choose with it, whether that’s hopping onto eBay, posting something on Instagram, accessing a corporate system, or taking a photograph of somebody’s business card, who I met at a conference.”
BYOD gets complicated fast because it’s a blend of personal and corporate information. Gone are the days when work stayed at the office. For many employees, opening work emails on their personal device is simply part of the job, and from there, it’s a natural response to download attachments, write back, and take action as usual, all without a thought for security or lack thereof.
“This introduces a form of liability on the employer for the potential loss or leakage of that personal information,” says Durbin. “That needs to be included in a corporate policy, and end users really do need to understand some of the implications of that.”
BYOD liabilities and company best practices
Who’s liable when company information is compromised on a personal device? The short answer? The company.
“Some companies have tried to push liability in the past,” says Durbin, “certainly when BYOD was in its infancy. The bottom line is that if the corporation is allowing an individual employee to use his or her own device to transact business, the company is still responsible for the integrity of the data being used.”
With so much riding on the employee’s ability to safeguard their own devices, it’s no wonder organizations are concerned. Companies need to have a strong strategy in place for keeping data secure, whether it’s being accessed on a personal phone, computer, or another device. Here are a few steps companies can take when building a BYOD policy.
Step 1: Fully outline your company’s BYOD policies
Don’t wait for employees to establish their own habits when it comes to accessing company information on a personal device. Be proactive. “Employers have to have an eyes-open approach to this,” says Durbin. “We all know if we’re working at home and we’ve got multiple machines, we’re going to take whatever one’s most convenient and appropriate, so I think we need to cater to that from an employer standpoint and let our employees know what they can or cannot do.”
Companies should start by creating a corporate policy that outlines where the company stands with regard to BYOD. Within that, the company needs to look at how devices will be used and what services employees will be allowed to access on their devices. These include company services like email or the intranet, as well as personal services like Facebook and Spotify.
Step 2: Draft an acceptable use agreement
Companies should also have employees sign acceptable use agreements. In order to build these agreements, the employer needs to understand the stakes at play in regard to regulation and legislation. “Unfortunately,” says Durbin, “that could potentially be a minefield because it depends on which jurisdictions your people are going to be visiting and operating.”
Here in the US, for instance, BYOD policies are typically set down by employers or organizations and affect the people within those organizations. In the EU and other parts of the world, however, laws regarding data protection go a lot further — something US companies should be aware of if their employees are working overseas.
Step 3: Emphasize best security practices at home and at work
Once companies have a better idea of how they expect employees to manage their personal devices, they can start looking at security on a larger, more holistic scale. Helping workers secure their information while at home or on the go is one strategy companies often don’t consider.
According to Durbin, many members of the Information Security Forum have found that emphasizing good practice in the home environment has had a significant impact in raising the levels of awareness and security within the corporate environment.
“We all have a vested interest in what we do at home,” says Durbin. “You’re going to be doing things on your device anyway that are really important to you, like accessing mobile banking. You’re personally motivated to keep those things secure. If the employer can help you do that, you’re more inclined to take some of that good practice into the work environment.”
Durbin presents this example: “Maybe I’ve been working in the office, and I’ve decided to go home. When I get there, I throw some spreadsheets up on the TV because the screen is bigger. Have I protected my home network environment? Have I changed the router password? Do I know how to change the router password?”
Knowing how to change the router password is just one piece of the puzzle. Companies have the opportunity to pass on a variety of lessons to help people stay safe when accessing sensitive or confidential information — personal or otherwise. Tips might include shutting the blinds to block outsiders from seeing information on a large screen or being aware of your surroundings in a public space.
“We feel a higher degree of ownership around our own device,” says Durbin. “Employers need to play that to their advantage and emphasize how you can maintain a clean environment on your device and keep malware off.”
Here are a few simple actions companies can take to help employees keep personal and company information safe:
- Teach people how to enable security functionality.
- Make sure they can download and maintain malware protection software that’s up to date.
- Help people set up encryption for data storage on the device.
- Encourage employees to store company information in the cloud, where the employer has more control over what can be downloaded or accessed without authentication.
BYOD policies are worth the work
You don’t need an insecure smartphone to put confidential information at risk — just ask the DHS official who left sensitive national security documents on a plane this past December. But with our ever-growing reliance on technology has come a growing risk of getting hacked. Like it or not, your workers are going to use their own devices to access company information, and even if it’s just emails, we all know how big of a debacle that can be.
But protecting your company’s good name isn’t the only reason it’s important to be proactive in establishing a BYOD policy. Those data leaks are expensive! According to IBM Security and the Ponemon Institute, the average cost of a data breach in 2017 was $3.62 million. And that number is likely to grow.
That’s why it’s important to put a BYOD policy in place. Help your workers keep their devices secure — for their sake and for yours — and enjoy peace of mind, knowing you’ve done everything possible to avoid a preventable security breach.
About the Author
Danielle Higley is a copywriter for TSheets by QuickBooks, a time tracking and scheduling solution. She has a BA in English literature and has spent her career writing and editing marketing materials for small businesses. Last year, she started an editorial consulting company.