February 22, 2018
Two-thirds of respondents in recent Gartner research reported using one or more personally-owned devices on the job – which could increase the chances of a data breach occurring.
Smartphones and ‘phablets’ are the most popular personally-owned devices being used in the workplace, with 39% of employees using them, compared to 10% who use corporate-issued devices.
While using a personally-owned device has been shown to increase productivity and employee satisfaction and reduce device costs for the company, the mobile security challenges are significant.
Being able to store and access company data and systems on mobile devices increases the risk of a data breach. An official BYOD Policy (2016 research showed that only 39% of companies have one) and Mobile Device Management (MDM) software are critical. Device safeguards should include anti-virus software, data encryption, password management, application controls, and keeping devices patched. Some experts recommend employee agreements for the removal of company data from personally-owned devices upon resignation or dismissal.
Not all devices are recommended for BYOD. For example, ‘jail-broken’ phones are risky – jail-breaking refers to removing restrictions from a device so that the device owner can run unauthorized software and make tweaks to the operating system. Companies should provide a list of devices that are approved. In the case of theft or loss, encryption will help protect data, and a device-wiping function would allow confidential data to be wiped using a remote computer (however, wiping doesn’t guarantee data is 100% deleted).
There are countless apps to choose from today – but apps, in general, are known for lax security. Without a policy that specifies which apps can and can't be installed, BYOD devices are open to potential attacks from malware. The company should provide a list of ‘risky’ apps. If corporate credit card information is on a device, there should also be software that prevents the card from being used to purchase apps that are not related to work.
Mobile devices are so functional because they allow users to work and connect with the office 24/7. For security purposes, it’s important to avoid using free Wi-Fi to connect. Also, register devices before connecting to the company network, and set up strong authentication procedures for users.
Theft and loss of devices are always a concern. Also, sharing devices with family, friends, or work colleagues can be risky because, with just a few taps, a non-employee could be accessing the company’s confidential information. Other risky user habits include sharing too much personal or company information on social media and downloading unsafe data (falling for phishing and other scams). While device safeguards will help, all employees should receive ongoing security awareness training. Embedding information security processes in the workplace helps teach best practices too. For example, partner with a document destruction company that provides secure destruction services for paper and hard drives.