Every Employer Faces BYOD Risks, Even Those Who Don't Allow It

Bring your own device (BYOD) policies have become an established business practice, with over half of the respondents in a recent survey reporting they are permitted to access corporate information and services with their personal smartphone, tablet or laptop. At the same time, 95% of respondents reportedly experienced information security issues stemming from BYOD in the past year. Despite such reports, many businesses continue to ignore the inherent security risks of BYOD by either not implementing adequate BYOD policies or failing to address the issue at all.
BYOD security issues arise from:
Work-related documents leaving the security of a company network and being transferred to private devices;
Lost or stolen devices;
Monitoring and controlling which devices are accessing a company’s network;
Managing devices containing both company and personal information; and
Securing data on a large variety of devices with different system requirements.
In addition to logistical and technical issues, the biggest risks related to BYOD often come from employees, particularly those who ignore basic security guidelines when using personal devices. According to an August 2014 study by research and marketing company Millward Brown, almost 40% of 1,045 internet users had nothing in place (such as a PIN or encrypted password) to prevent unauthorized access to their mobile device. Employees who fail to apply software security updates to their devices or who use mobile cloud storage apps/services to store work-related data also expose corporate data to unnecessary risks.
Yet, banning BYOD altogether won't prevent these issues; half the employees in the Millward Brown study reported storing work-related data on their personal mobile device even though their employer did not permit it. With mobile devices so embedded in people's daily lives, the boundaries between personal and work-related use are often blurred. Prohibiting BYOD often risks encouraging employees to work around restrictions to use their own devices or turn to unsafe alternatives for the flexibility and access they desire and expect from mobile devices.
The reality is that it is very difficult for employers to physically prevent employees from using their personal mobile devices for work-related tasks. They can, however, seek to control such use with a strictly enforced formal BYOD policy. The lack of such policies often leads to the security issues outlined above. For example, in a study by information technology research and advisory company Gartner, only 27% of those who experienced a security issue with their private device in 2013 felt obligated to report it to their employer. Yet the study also found that 59% of respondents were not required to sign a formal agreement with their employer regarding BYOD use. Had such formal agreements been in place, those employees who failed to speak up about security incidents might have been more likely to do so.
To implement BYOD policies effectively, it is vital that managers and employees understand the importance of protecting business information and the very real security risks that exist in today's world.
Thomson Reuters' online training courses on U.S. Data Privacy and Security, Business Identity Theft and Information Security educate employees on the importance of safeguarding electronic information, with useful tips for keeping it secure.