With many IT devices, there is no longer a clear separation between how they are used at home and in the office. Work e-mails are quickly checked on the private smartphone. The big presentation travels from the office to home on a USB stick to be edited there, and then back to the office. And since remote work during the pandemic, the private laptop has often replaced the company desktop computer altogether.
In short, many private devices are finding their way into the workplace. Acknowledging this is the first step toward minimizing the security risks they pose.
The key concept: BYOD – Bring Your Own Device
Bring Your Own Device refers to the use of private end devices at work. Usually, this means smartphones, tablets and laptops.
However, many other private devices are now Internet-enabled or get connected to the company's IT systems in the course of day-to-day work. For example, the smartwatch may join the internal wifi. Fitness trackers and e-readers are charged via USB on the company computer, and a USB port is a data connection as well as a power source. The more complex these devices are, the more important it is for companies to consider their use.
What BYOD means for IT security and data protection
Mixing private and professional usage can create additional cyber risks for the company. Just one example: privately used devices are often not updated as quickly as company IT. As a result, known security vulnerabilities remain open for longer on the private devices and can be exploited by malware. That malware can then spread into the company via e-mail or the next time the user connects to the company network. The consequences are unpredictable: it may be ransomware that encrypts all data, or spyware that specifically targets valuable company secrets.
The issue of data protection, more precisely the protection of personal data, must also be taken into account with BYOD. For example, a private smartphone on which work e-mails are also kept can be lost, stolen or briefly handed to another person. In all of these cases, unauthorized third parties potentially gain access to the work e-mails and the personal data they contain.
What should companies do regarding BYOD?
Basically, every company should establish clear guidelines for BYOD: how the company itself deals with the issue and how its employees should handle it. The more precise the guidelines are, the easier it is for everyone involved to adhere to them.
Some typical aspects of a BYOD policy:
- Access control to devices through screen locks, passwords, PINs and the like
- Controlled access to the company network, e.g. a separate wifi for private devices and VPN access for working remotely
- Handling of company data
- Handling of backups
- Use of virus scanners
- Update practice to keep devices up to date at all times
- Separation of work and private areas on the devices (e.g. a managed work profile)
- Ability to remotely wipe company data from a device, e.g. when it is lost or stolen
- Encryption of e-mails and of data stored on the devices
- Procedure when employees leave the company
- Procedure when new employees join the company
Establish these policies in consultation with your IT department, your third-party IT services company, or a specialized IT security firm like Perseus.
What should employees do regarding BYOD?
No question: if your company already has BYOD policies in place, you follow them. But in many companies, devices used for both work and private purposes are not yet covered by any policy.
Don't let that stop you from acting cautiously.
Follow the basic rules to increase cybersecurity:
- Always activate the screen lock when you are not working on the device
- Protect each device with a password, PIN, fingerprint, facial recognition or similar
- Install updates promptly
- Use a strong, unique password for every account
- Create backups
- Install new software and apps only from reputable sources
- Use virus scanners, e.g. to check USB sticks before use
- Be wary of phishing attacks in your professional and private life, and be critical of e-mails, attachments and links
Also feel free to contact Perseus on the topic of BYOD.