Next time you’re working in a coffee shop, take a moment to look around at your “co-workers” for the day, busy, like you are, with laptops, cellphones and tablets. How many of those devices belong to the organisations that employ them? Or are they – and you – using personal devices to conduct company business?
Many businesses are embracing the convenience of a practice known as “bring your own device”. This allows employees to use their personal or privately owned devices such as smartphones, laptops, USB drives and even personal cloud storage for work purposes. A broader term, “bring your own technology”, encompasses the use of privately owned software for business activities.
According to Cisco’s 2024 Cybersecurity Readiness Index, 85% of the more than 8 000 companies surveyed around the world reported that their employees accessed company platforms using unmanaged devices.
There are undeniable benefits to a “bring your own device” approach. These include lower purchase costs for companies and more flexibility for staff. But the practice is also risky.
Privately owned devices aren’t always well set up for security. They often lack endpoint security controls like antivirus software and encryption (converting plaintext data into an unreadable format). This leaves them vulnerable to data breaches and other forms of cyberattack. Such attacks are common and can be costly. Cybersecurity company Kaspersky documented almost 33.8 million mobile cyberattacks worldwide in 2023 – a 50% rise from 2022 figures.
So, what can organisations do to reduce the risks associated with “bring your own device”? As a cybersecurity professional who conducts research on and teaches cybersecurity topics, here is my advice for businesses that want to keep their data safe while letting employees use their own technology.
Who should be concerned?
Organisations of all sizes that use ICT for business operations should address the risks that come with “own devices”. This isn’t just a matter for IT departments. Without collaboration between technical teams and management, it’s impossible to balance operational efficiency and robust data security measures.
This should be an immediate priority if:
- Your organisation or business has no “bring your own device” policies, standards and guidelines in place;
- You haven’t introduced fundamental technical safeguards for personal devices. These may be virtual private networks, up-to-date antivirus software, multifactor authentication, encryption and mobile device management tools;
- Your business doesn’t have adequate processes for managing user accounts (often the case for entities without dedicated ICT resources);
- Your ICT operations are fragmented, with no uniform standards or practices across departments; or
- The organisation hasn’t assessed the risks of “bring your own device” practices.
It’s never too late to strengthen cybersecurity controls for these practices. As cyber risks evolve, organisations must adapt to protect their information. Assess the financial and reputational risks of a data breach and you’ll almost certainly find that it’s worth spending money upfront to prevent huge losses in future.
Managing the risks
Organisations with the necessary cybersecurity resources can take measures in-house. Others may need to consider outsourcing in critical areas where there are major gaps.
First, you need a comprehensive “bring your own device” strategy that’s tailored to your organisation’s needs. This should align with organisational objectives and set out who has to have which measures in place. It should outline how letting employees use their own devices for work will meet business needs.
Then, the company must create policies to help in the governance of privately owned devices.
But it’s no use merely putting a policy on paper: communicate it to all staff and always make it easily accessible through platforms such as the intranet. Communicate any policy updates to all users through various channels such as e-mails or workshops. Provide regular, customised training. Not everybody is tech-savvy; employees may need help to install the necessary safeguards.
And remember to update your team about any changes. It’s crucial to perform regular (monthly or quarterly) or continuous risk assessments and make necessary changes.
Critically, the organisation must monitor and enforce compliance. All members of staff, from top executives to junior staff, need to adhere to policies to uphold data security. Cybersecurity is a shared responsibility, and it’s important to be vigilant about certain threats, such as whale phishing – when scammers pretend to be senior officials at a company to specifically target other senior and key officials.
Avoid disaster
These strategies can help companies to prevent “bring your own device” from becoming “bring your own disaster”. A well-managed approach isn’t just a safeguard against threats – it’s an investment in your organisation’s growth, stability and credibility.
- The author, Thembekile Olivia Mayayise, is senior lecturer, University of the Witwatersrand
- This article is republished from The Conversation under a Creative Commons licence. Read the original article
Get breaking news from TechCentral on WhatsApp. Sign up here.