This post was originally published on February 18, 2016 and has been updated for accuracy and comprehensiveness.
With more employees working from home than ever before, the likelihood that personal devices are being used for work-related tasks is at an all-time high.
This means employees may be hosting critical company information on their personal devices, which could be detrimental to your business if those devices are hacked.
This post overviews security risks associated with BYOD (bring your own device) in the digital workplace and how to avoid potential threats.
Understand the Critical Risk Factors
Technology provides your company with the infrastructure to conduct business conveniently, efficiently and with enhanced communication. Connected devices such as smartphones, tablets and laptops make accessing company resources via the cloud even easier.
However, when you allow employees to utilize their own devices for company-related projects, you run a greater risk of critical data being compromised for several reasons:
- Device incompatibility with company equipment or security devices due to manufacturer, model, make or year.
- Unclear responsibilities and regulations in relation to "data breach and recovery."
- Frequent use of devices outside of the workplace.
- Lack of technology, infrastructure or application customization.
- Use of public or unsecured Wi-Fi when employees work remotely or outside of your business network.
- Lack of password or passcode usage.
- Applications, such as email or company software, left unprotected.
- Failure to install or regularly update anti-malware and antivirus software.
- Potential access to company data if devices are lost, stolen or unattended.
Educate Your Employees on BYOD Security
For some companies, your policy might be to completely prohibit BYOD, as it introduces a new layer of complexity when managing IT, security and privacy.
For other companies, the employee convenience and cost-savings might outweigh the risks. If you do allow BYOD, then you should have guidelines in place around use. Consider the following:
- Create a list of approved devices or criteria a device must meet to house company information. For example, you may specify that equipment be less than three years old or meet specific baseline technical requirements.
- Define what information and applications employees are allowed to access on personal devices. For example, perhaps you allow a company calendar and email account, but prohibit employees from accessing your server or VPN.
- Plan for employees eventually leaving your company. Create policies that help ensure proprietary or confidential company data is removed from employee personal devices upon their departure.
- Require password protection. If company information is stored on devices, require the use of unique passwords or passcodes. Depending on the device, you may also require additional protections, such as automatic locking after a period of inactivity, or multi-factor authentication, which requires at least two credentials to unlock the device.
- Require anti-virus and anti-malware software. Have employees install anti-virus and anti-malware software on their devices for an extra layer of protection.
- Create guidelines related to lost devices. Outline who to contact and steps to follow if devices are lost or stolen.
- Educate employees. Help employees understand the importance of security by bringing to light the damages they could cause if precautions are not taken. For example, if employee devices are connected to security equipment, such as surveillance cameras or access control, unprotected devices could provide intruders with easy business access and valuable insight.
- Be aware of fraudulent or phishing emails that can cause damage to your company’s security through the use of harmful attachments, links or direct requests. Phishing emails often contain “obfuscated” links that appear known or safe to the user, but once clicked, may give attackers access to devices and data. Educate employees on red flags to look for:
- Popular companies with misspelled names or deceptive URLs (e.g., www.disneywor1d.com).
- Suspicious or unrequested downloads or attachments.
- “Too good to be true” offers and promotions.
- Unwarranted tech support.
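As an added illustration (not part of the original post), the following Python check flags the two red flags described above: a link whose visible text names one domain while its target is another, and a host that imitates a known domain through character swaps such as the `1` in www.disneywor1d.com. The known-domain allow-list and the sample anchor tags are constructed for this example.

```python
import re
from urllib.parse import urlparse

# Constructed allow-list of domains the organization treats as legitimate (assumption).
KNOWN_DOMAINS = {"disneyworld.com", "example-corp.com"}

# Characters commonly substituted for look-alike letters in deceptive domain names.
CONFUSABLES = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s", "7": "t", "|": "l"})

# Anchor tag with an href, and display text that looks like a bare domain or URL.
ANCHOR = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
HOSTLIKE = re.compile(r"^(?:https?://)?(?:www\.)?([\w-]+(?:\.[\w-]+)+)(?:/\S*)?$", re.I)

def registrable(host: str) -> str:
    """Lower-case the host and drop a leading 'www.' so variants compare equal."""
    host = host.lower().rstrip(".")
    return host[4:] if host.startswith("www.") else host

def lookalike_of(host: str):
    """Return the known domain this host imitates, or None if it is legitimate or unrelated."""
    h = registrable(host)
    if h in KNOWN_DOMAINS:
        return None
    # Undo single-character swaps (1->l, 0->o) and two-letter tricks (rn->m, vv->w).
    normalized = h.translate(CONFUSABLES).replace("rn", "m").replace("vv", "w")
    return normalized if normalized in KNOWN_DOMAINS else None

def check_link(anchor_html: str) -> list:
    """Return red flags for one HTML anchor; an empty list means nothing suspicious was found."""
    m = ANCHOR.search(anchor_html)
    if not m:
        return ["not an anchor tag"]
    href = m.group(1)
    text = re.sub(r"<[^>]+>", "", m.group(2)).strip()
    target = urlparse(href).hostname or ""
    shown_m = HOSTLIKE.match(text)
    shown = shown_m.group(1) if shown_m else ""
    flags = []
    # Red flag 1: the visible text names one domain but the link leads somewhere else.
    if shown and registrable(shown) != registrable(target):
        flags.append(f"display text shows {shown} but link goes to {target}")
    # Red flag 2: either domain imitates a known one through confusable characters.
    for host in sorted({target, shown} - {""}):
        imitated = lookalike_of(host)
        if imitated:
            flags.append(f"{host} looks like {imitated}")
    return flags
```

Running `check_link('<a href="http://www.disneywor1d.com/offer">www.disneyworld.com</a>')` reports both the display/target mismatch and the look-alike host, while a plain-text link to an allow-listed domain returns no flags.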
To effectively train your employees on BYOD safety, work with your IT team and security vendor to uncover all risks that need to be addressed.