A recent YouGov survey revealed that around 47% of British employees use their personal devices for work. At the same time, it found that less than a quarter of businesses have formal Bring Your Own Device (BYOD) policies in place.
Formal BYOD schemes appear to offer excellent opportunities for businesses to reduce costs on company laptops or mobile phones, but they also expose those businesses to a number of risks.
Whether your business has a formal BYOD scheme in place or not, the proliferation of cloud computing, virtual private networks and smart technology means employees are increasingly likely to access corporate systems on personal devices. Managers should understand the risks.
Company Compliance with the Data Protection Act
Under the Data Protection Act (DPA) a company is responsible for the personal data it holds even when accessed by employees via a personal device. Therefore, it must still offer similar levels of security as it does for its own equipment, for example, by encrypting the organisation's personal data. The DPA also imposes other duties on the data which may be onerous to comply with on personal devices, such as keeping information up to date.
Although there are no cases of individuals or organisations being fined after losing corporate personal data held on personal devices, a recent £150,000 fine handed to the Nursing and Midwifery Council should serve as a warning. It lost three DVDs holding unencrypted personal data; DVDs can hold far less information than personal devices.
Wider BYOD Issues
If a company is unaware of its employees’ use of personal devices for work, it is likely to be failing various compliance obligations under the DPA.
For formal BYOD schemes, educating employees on the legislative requirements, enforcing compliance with company policy and introducing specialised BYOD software will restrict their use of their own devices and may not be popular. It may also diminish many of the cost gains and staff might be less keen to use their own devices once they are taught and shown the controls that are necessary to keep data safe. The morale and flexibility benefits BYOD schemes offer may well be lost.
Another downside is the threat of cyber-attacks. As BYOD has boomed, cyber criminals have targeted mobile devices. Indeed, the EU’s European Network and Information Security Agency described the rise of BYOD as one of the reasons for the “exponential increase in threats” in mobile computing.
Ignoring the BYOD phenomenon is no longer an option. All businesses need to be aware of BYOD and have a strategy to manage the risks. Any organisation considering a formal BYOD scheme should think carefully about whether the benefits are worth the potential downsides. It should also create and implement strict guidelines which the employees are made aware of and understand, and deploy the necessary software to ensure security. For more information please contact us on 0207 611 4848.