Every Cellphone Is a Security Risk, So What’s Your BYOD Policy?

In the space of just a few years, Bring Your Own Device (BYOD) has transformed from an irregular practice to an integral part of the modern workplace. By 2016, 59% of surveyed businesses allowed the use of personal devices for work purposes. Almost certainly, the numbers have grown.

BYOD provides several tangible benefits for a company. These include creating a more mobile workforce, boosting productivity and decreasing company expenditure.

The benefits have helped transform BYOD into a ubiquitous practice. However, it also presents several serious threats. From lost and stolen devices, to employees using unsecured WiFi networks, BYOD can put your company’s data at significant risk.

To counter the risks and create a more comprehensive cybersecurity culture in your workplace, it’s vital that HR is involved in all stages of BYOD policy creation and implementation.

HR should be involved in BYOD

As BYOD is such a widespread practice, and one with dramatic implications for the general data integrity and security of the company, it’s crucial that your company has an effective BYOD policy and that HR is involved from the beginning. The CHRO should, at the very least, be at the table when the BYOD policy is being formulated or amended. That’s because, like all IT policies, it’s a whole-of-business issue that requires education, compliance and enforcement.

In light of the recent GDPR, it’s now a legal duty for most companies to ensure that any data held about employees is handled in a specific fashion. For that reason, your company’s Data Protection Officer should be involved in the formulation of BYOD policies to ensure that they are GDPR compliant.

To keep in line with GDPR, you should also update current employees to inform them on how their data will be used, stored and protected so that they can formally consent. As part of this, outline how your mobile device management (MDM) software or any other endpoint security devices will affect the data of those involved.

Without the inclusion of HR, the emergence of a holistic cybersecurity and data protection culture is unlikely to occur. Plus, with HR representatives on board, the policy is more likely to maintain employee satisfaction.

However, the issue of BYOD is not simply one that affects existing employees. For effective compliance, new employees also require educating.

Onboarding

During the onboarding process, it’s critical that new employees are educated about your company’s BYOD policy. Using a personal device is now an expected part of the modern workplace, so it’s vital that new employees don’t put your cybersecurity at risk with bad habits. It only takes one uneducated or careless employee to leave the whole company’s network at risk. For that reason, comprehensive cybersecurity training is an essential part of the onboarding process.

The company BYOD policy should outline what uses are deemed acceptable on personal devices. If, for example, the BYOD policy categorically bans the use of social media while at work, employees need to be informed.

It’s also important to clearly outline the security protocol for the use of personal devices. This includes, but is not limited to, outlining strong password policies, the use of two-step authentication processes and mobile management software.

Remote workers

A major risk associated with BYOD is that remote workers often use unsecured networks while working. Unsecured networks, such as public WiFi networks, leave users vulnerable to man-in-the-middle attacks and phishing scams, which can result in data leakage and your company’s cybersecurity being compromised.

In fact, a recent report by Spiceworks has suggested that as many as 61% of employees access corporate data over public WiFi. The only way of ensuring that your company’s data remains secure while doing so is by using a trusted VPN which encrypts data.

Lost and stolen devices are another extremely important danger to a company’s cybersecurity. In order to maintain security, many companies retain the ability to remotely wipe the data on the device to help protect company data should the device end up in the wrong hands. However, the ability to remotely wipe the data stored on the device may also result in the loss of personal data, so it’s important that employees are aware of the risks and plan accordingly.

One way of mitigating this is by ring-fencing personal data on the device so even if it needs to be remotely wiped, the personal data will remain unaffected.

During the onboarding process, these risks must be outlined and the relevant enforcement regulations and procedures communicated with new employees. Without doing so, compliance is unlikely to emerge organically. It’s important to note that enforcement and compliance mean very little without adequate education. For this reason, the onboarding period is a critical stage for BYOD and cybersecurity more generally.

Offboarding

Creating a cyber secure workplace requires the effort of all members of staff, all of the time. However, even ex-employees can present a risk, particularly if they have been using their own devices. For that reason, adequate offboarding measures must be put in place to mitigate the risks.

It’s imperative that any company data stored on a personal device is removed once an employee terminates their contract. If company data is not wiped from the personal device, then it may be used by competitors or deliberately leaked in a move that could destabilise your whole network. Login details and access to sensitive information must also be promptly disabled. Otherwise, ex-employees will still have access to, and may benefit from, your company’s data.

As the case of Edward Snowden showed, ensuring that relevant login details remain secure is vital for company security – whatever your opinion of his actions.

A comprehensive, fair and respectful offboarding procedure will also help ensure that employees leave satisfied and are therefore less likely to

Undoubtedly, Bring Your Own Device is here to stay. To ensure that the cybersecurity and data integrity of your company remains stable, it is vital that HR — and not just IT — is involved at all stages of its development. From creating an effective BYOD policy to educating new employees and removing data from departing employees, HR has a key role if BYOD is to work effectively and safely.