The BYOD risks you need to know about

In an increasingly mobile work environment, BYOD (bring your own device) policies are becoming popular for many businesses. However, while allowing your staff to bring their own devices to work can have many benefits, there are BYOD security risks that your business needs to be aware of. These are the five risks to consider when implementing a BYOD policy and how to mitigate them from occurring.

1. The loss or theft of a device

Even the most careful and trustworthy staff are subject to losing or getting their device stolen. Stolen laptops and phones can easily be opened by taking them to unofficial shops; this can leave your company’s data at risk of falling into the wrong hands.

How to prevent: installing tracking systems in your staff’s devices can lead to a much faster recovery of the item in cases where they misplaced the device. In cases where the device has been stolen, having pre-installed mobile data management solutions that can wipe the contents of the device will prevent any loss of sensitive data.

Note: if you install a tracking system in your employees’ devices, they must be aware of this.

2. Using devices for both personal and business use

However strict you set out your BYOD guidelines, you can’t fully prevent your employees from using their devices for personal use. Shopping online on a compromised website or connecting to public WiFi in a common area presents risks to compromised data on that device.

How to prevent: require employees to access certain services via a VPN (secure network). This will mitigate the risks of data breaches even if your employees are accessing WiFi in a cafe or concert hall.

3. Malware infecting the device

Most people who are carrying a smartphone infected with malware are unaware that there is any problem at all. We are more than happy to tick the ‘I have read the terms and conditions’ box when we haven’t even so much as clicked the link to open the document. Many apps require certain permissions before continuing; we are often happy to oblige. Malicious software can encrypt, steal, or delete your data, so it is important that you prevent it from infecting your device.

How to prevent: keeping your mobile operating system up to date is one way to avoid malware infecting your device. Be wary of domain names that end in something other than .com, .co.uk, or .edu; these can be red flags or suspicious websites. You should encourage staff to download an anti-malware programme that will run a scan and remove any malware it finds.

4. Cloud-based storage

Cloud services are becoming an increasingly popular method of storage for many organisations. However, their reason for the popularity is that many users can access a range of documents anywhere, but this also presents a major security threat. BYOD programmes can leave a way for hackers to penetrate insecure cloud storage systems and access sensitive data.

How to prevent: implement authentication controls to put stricter regulations on user access. You can also deploy client-side encryption gateways to mitigate the risk of sensitive information reaching an insecure cloud.

5. Poor policies

Not implementing a BYOD approach is a risky game to play. If your business is required to comply with certain regulatory requirements such as PCI, you might be fined if you don’t have an effective BYOD policy in place.

Solution: Ensure your employees sign a written policy; you can find templates online to adapt to your company. You should make sure you have included the following within your policy:

• Use of a VPN
• Device location tracking
• Network connectivity
• Company-owned resources that they are and aren’t allowed to access from the device
• In what circumstances may the device be wiped of all information

Don’t let security risks scare you from implementing a BYOD programme. If prepared and with plans in place to mitigate any breach, a BYOD scheme is a great way to help your business grow.

You can align your BYOD security policies with controls outlined in the ISO 27001 standard. This will ensure your data is as secure as possible and leave you confident in your data security system.

I’m interested in ISO 27001

You can arrange a free consultation with one of our knowledgeable advisors if ISO 27001 interests you. We work to make the process as simple as possible by providing a set charge and flexible approach to achieving ISO certification.

Do you already have ISO 27001? You can become trained to conduct internal audits as an ISO 27001 internal auditor. We offer ISO 27001 internal auditor training courses for those interested.