Bring Your Own Device (BYOD)
Business and private use mix when you and your employees also use your own computer, tablet or smartphone for work purposes. A well-known term for this way of working is Bring Your Own Device (BYOD).
BYOD offers benefits such as increasing productivity, happier employees, and decreasing hardware costs. But only a quarter of employers have made agreements about BYOD. And that is not without risk for you as an employer, as well as for the employee.
What are the risks of BYOD?
As an employer, you have little or no control over the security of your employee's private device. You do not know the personal passwords and you do not know, for example, which apps an employee uses. If your employee loses their tablet on vacation or leaves their mobile device on the train, you run the risk of losing company information such as customer data, patent applications, or expansion plans. As an employer, you also do not want an employee to work via an insecure public wi-fi network, or business information to be sent to a private email address out of convenience or shared through services such as Google Drive and Dropbox.
Tips for using BYOD safely
Make an inventory of mobile devices in your company
Make sure you are aware of the devices used within your company. This prevents surprises. Make an inventory of which devices are brought in by employees, how they are secured, and what they are used for. Avoid shadow IT: any use of hardware or software without the organisation's knowledge.
Set up a BYOD policy
Make clear to your employees what is and is not allowed. A clear BYOD policy prevents problems, builds trust, and increases security. In a BYOD policy, you can include topics such as agreements about device usage, security, liability, and allowed models and support. Enforce this policy. A policy is useless if it is not enforced. So, check the use of devices and take measures if employees do not comply with the rules.
Store company data centrally
Make sure that you and your employees do not store company data only locally on your own laptop or smartphone, but also in the central storage options. Through carelessness or at busy times, there is a danger that an email address, telephone number, or document is stored on the private device and not in the company network, which is systematically backed up.
Educate your employees about the benefits and risks of BYOD
Using a private device for business purposes can have many benefits for your employees. They can work more efficiently with trusted software, increasing their productivity. Your employees are probably not aware of the security risks they face and how these risks can affect your company. Inform employees about the most important security risks, for example apps that transmit private and company data, interception of the device's traffic via public wi-fi networks, and the use of the camera, microphone, and GPS.
Have employees set a password on their BYOD device
If business data is accessed via a mobile device, you do not want this device to be accessible to just anyone. So, make sure that your employees protect their device with at least a password or PIN code.
Require security software and use of secure connections
Just like computers, mobile devices can also bring in viruses and malware. So require your employees to install security software, such as antivirus scanners, to keep your company data and network safe. In addition, it is recommended to use secure connections, such as a VPN (Virtual Private Network), for receiving and sending business data.
Set up a separate network for BYOD mobile devices
Think carefully about how you organise the security of your company network. For example, is it necessary for your employee to have access to all company networks with their own mobile device? Or can you set up a separate wireless network for the BYOD devices that has limited access to the corporate network? This prevents malware, viruses, or other dangers from using your employees' mobile devices to gain access to business-critical systems.
Alert employees to the risks of public wi-fi networks
Especially if employees access work email or company data files on their mobile device, it is better to avoid public wi-fi networks. You never know who is watching. Alternatively, you can offer employees a mobile internet subscription. If this is too expensive, or if it makes your employee less flexible, at least provide security software and let employees connect to the corporate network through a VPN connection.
Create a blacklist of disallowed apps, or a whitelist of allowed apps
Many apps have more powers than you might initially think. For example, apps can access the camera or microphone of a smartphone. Business numbers and addresses can also be copied. Draw up a blacklist of apps that pose a risk and explain to your employees why these apps are not allowed. An alternative to a blacklist is a whitelist. A whitelist contains allowed apps and excludes all other apps.
Make sure you have the option to remotely delete business data from the BYOD device
Theft or loss of a mobile device can happen. So, make sure that you can remotely delete company data such as contacts or business files. That will prevent them from falling into the wrong hands. Make clear agreements about this with your employees, because the private data on the device will then also be deleted. Many devices also have a function that allows you to see where the device is located, which your employee can enable themselves.
Provide an incident response plan
If things go wrong, make sure you have a clear plan to respond to the incident, a so-called incident response plan. This will limit the negative consequences. For example, establish clear procedures on how to respond to device loss, data breaches, or other security breaches.