Is a ‘Bring Your Own Device’ policy threatening the security of your SME?

Small and medium businesses are at increased risk of cyber attack through the use of personal devices for work-related activities. Below, Anthony Green, cyber security expert and CTO of the cybersecurity consultancy FoxTech, discusses how to stay cyber secure when you have a BYOD policy.

With remote and hybrid working rapidly becoming the norm for many businesses across the UK, ‘Bring your own device’ (BYOD) policies have surged in popularity. It’s easy to see why: BYOD enables employees to transition easily between home and office working by using personal smartphones, tablets and laptops. For start-ups and small to medium firms, this arrangement also has the benefit of reducing business expenses. However, what many firms don’t realise is that there is also a significant disadvantage: BYOD policies make businesses more vulnerable to cyber attacks. According to the 2022 UK Cyber Security Breaches Survey, small and medium businesses are more likely than large firms to have a BYOD policy. In fact, over 40% of micro, small and medium firms said that their staff regularly used personal devices to carry out work-related tasks, so SMEs need to be particularly aware of the risks of using personal devices in their business.

If your business has a BYOD policy, then you are more vulnerable to attack. The reason is essentially that your endpoints (that’s any device that connects to the company network) are not centrally managed or checked. When your company data is being accessed and stored on a myriad of potentially insecure devices – which are also used for other purposes out of work hours – there is a greater chance that one of these endpoints will be compromised by hackers.

A compromised device becomes an open door for hackers to access your company’s network, databases and sensitive files. It doesn’t take much for a device to be compromised – especially if it doesn’t have adequate security controls in the first place. It could happen by an employee clicking on a scam link, visiting an insecure website, using outdated software with security flaws, connecting to an untrusted public WiFi network, or even device loss or theft.

Should businesses ban the use of personal devices?

Businesses don’t need to stop using personal devices altogether. As cyber security experts, our aim is not to tell businesses that they can’t have a BYOD policy. For firms that don’t have their own office space, or the budget to install thousands of pounds worth of IT equipment, having staff use their personal devices not only makes practical sense, but is essential to their day-to-day running and long-term growth.

What can businesses do to make their BYOD policy more secure?

It’s not realistic to expect businesses, and especially SMEs, to revert to using only office-based devices. With that in mind, there are actions you can take to boost your endpoint security and minimise the risks inherent in using personal devices for work.

Here, FoxTech provides their guide to making your BYOD policy cyber security friendly:

Step 1: Be aware of what can go wrong

SME owners need to educate themselves, and their employees, on the specific risks of using personal devices at work. This is the first step towards using your devices in a more secure way. The National Cyber Security Centre (NCSC) has a useful online resource on the risks of BYOD policies, but the main issues include:

• The potential for data to be accidentally shared or lost, such as work data being shared in device backups, or personal devices being shared with family
• Users unknowingly allowing malicious applications to access data
• The higher likelihood of devices being unsupported, or running out-of-date software that no longer receives security updates
• Users being less willing to report security incidents because they are worried that their personal data will be intruded upon
• Increased risk of device theft and loss, especially when users travel with their devices

Step 2: Create a written BYOD policy

The UK Cyber Security Breaches Survey 2022 found that small firms are 20% less likely than large firms to have any written cyber security strategy. Just as you should develop written policies around the use of company devices, you need to create rules and obligations around your BYOD scheme. The NCSC has an excellent guide to creating a bring your own device policy.

Step 3: Communicate with your employees

One of the biggest challenges of securing your employees’ personal devices is the conflicting interests between the company and the device owners. As personal devices are not company property, employees have the right to refuse device monitoring and the installation of security features.

Your staff might worry that the installation of security packages could slow down their device and affect its usability. They may also be concerned that too much company monitoring will infringe on the privacy of their personal data.

SMEs that have the budget can offer staff the alternative option of a company device. This means that if employees still choose to use their personal device, they may be more inclined to agree to security measures, as they won’t feel as if they are being forced upon them.

If staff refuse monitoring and the installation of security packages, there are still a number of things that all employees can do to protect the security of their device:

• Promptly install software updates on their device, and on all applications, or set their device to update automatically.
• Be wary of scam emails, texts and phone calls – take advantage of the NCSC’s free cyber security training which has a module on spotting and reporting phishing scams.
• Never connect to free, open WiFi networks. For the business, this may mean discouraging certain practices such as working while travelling.
• Turn off WiFi and Bluetooth when they’re not being used, as these are common entry points for hackers looking to access a device.

Step 4: Only give staff access to the data they need

Don’t give anyone more data access than is required for their job role. When you are planning your BYOD policy, you should conduct an audit of each employee and department to establish who can access what data on their personal devices.

There are some aspects of your data, such as an employee’s financial information, that it would be wise to keep within a fully managed environment. Don’t be afraid to extend access to some departments and not others – the key is to communicate why you have made each decision.
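The audit described in this step can be expressed as a simple check: compare what each person can actually reach from their device against what their role needs, and separately flag any data class that you have decided must stay in a fully managed environment but that is currently reachable from a personal device. The following is an added example, not FoxTech's own tooling or the NCSC's guidance; the roles, dataset names, the `MANAGED_ONLY` set and the sample grants are all constructed for illustration.

```python
"""Least-privilege audit of a BYOD access register.
Added example, not FoxTech's own tooling; roles, datasets and grants are constructed."""

from dataclasses import dataclass

# Data classes the article suggests keeping inside a fully managed
# environment, never reachable from a personal device (constructed set).
MANAGED_ONLY = {"payroll", "hr_records"}

# Minimum datasets each role needs to do its job (constructed matrix).
ROLE_NEEDS = {
    "sales": {"crm", "price_list"},
    "support": {"crm", "ticketing"},
    "finance": {"invoices", "payroll"},
    "engineering": {"source_code", "ticketing"},
}


@dataclass(frozen=True)
class Grant:
    user: str
    role: str
    device: str          # "byod" or "managed"
    datasets: frozenset  # what the user can currently reach from that device


@dataclass(frozen=True)
class Finding:
    user: str
    kind: str            # "excess" or "managed_only_on_byod"
    datasets: frozenset


def audit(grants):
    """Return one Finding per problem: access beyond the role's needs, or
    managed-only data reachable from a personal device."""
    findings = []
    for g in grants:
        needed = ROLE_NEEDS.get(g.role, frozenset())
        excess = g.datasets - needed
        if excess:
            findings.append(Finding(g.user, "excess", frozenset(excess)))
        if g.device == "byod":
            exposed = g.datasets & MANAGED_ONLY
            if exposed:
                findings.append(Finding(g.user, "managed_only_on_byod", frozenset(exposed)))
    return findings


def recommended_grant(g):
    """The grant reduced to least privilege: role needs only, and nothing
    managed-only when the device is personal."""
    allowed = g.datasets & ROLE_NEEDS.get(g.role, frozenset())
    if g.device == "byod":
        allowed = allowed - MANAGED_ONLY
    return frozenset(allowed)


# Constructed sample register: who can reach what, and from which device type.
SAMPLE_GRANTS = [
    Grant("alice", "sales", "byod", frozenset({"crm", "price_list"})),
    Grant("bob", "sales", "byod", frozenset({"crm", "price_list", "invoices"})),
    Grant("carol", "finance", "byod", frozenset({"invoices", "payroll"})),
    Grant("dave", "finance", "managed", frozenset({"invoices", "payroll"})),
]

if __name__ == "__main__":
    for f in audit(SAMPLE_GRANTS):
        print(f"{f.user}: {f.kind} -> {sorted(f.datasets)}")
        
```

Note that carol's payroll access is not "excess" (her role needs it) but is still flagged, because the device is personal; the two checks are deliberately separate so that the explanation you give to each department matches the reason for the decision.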

Step 5: Invest in cyber security monitoring and checks

According to the IBM Cost of a Data Breach Report, it took companies an average of 212 days to identify a breach, and a further 75 days to contain it. The faster a breach is identified and contained, the lower the overall cost of the damage will be. Investing in network monitoring means that if a malicious source has managed to infiltrate your system through a personal device, you will spot it early, and have time to prevent a full-scale attack. This doesn’t need to infringe on employees’ privacy as it is your network that is being monitored, rather than your employees’ devices.
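Monitoring the network rather than the device means working from logs your own infrastructure produces, such as the VPN or remote-access gateway that personal devices connect through. The following added example (not FoxTech's or any vendor's product) runs two basic checks over constructed gateway log lines: a connection from a device that is not on the BYOD register, and a burst of failed logins for one user inside a short window. The log format, the device register and the thresholds are all assumptions made for the example.

```python
"""Toy network-side monitoring over remote-access gateway logs.
Added example, not a real product; log format, register and thresholds are constructed."""

import re
from collections import defaultdict
from datetime import datetime, timedelta

# Devices enrolled under the BYOD policy (constructed register).
REGISTERED_DEVICES = {"DEV-1001", "DEV-1002", "DEV-1003"}

FAIL_THRESHOLD = 3                    # failed logins per user ...
FAIL_WINDOW = timedelta(minutes=5)    # ... within this window raise an alert

# Constructed log format: ISO timestamp, then key=value fields.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) vpn user=(?P<user>\S+) device=(?P<device>\S+) "
    r"src=(?P<src>\S+) result=(?P<result>ok|fail)$"
)

# Constructed sample log: one unregistered device, one burst of failures.
SAMPLE_LOG = """\
2024-03-04T09:12:01Z vpn user=alice device=DEV-1001 src=203.0.113.5 result=ok
2024-03-04T09:13:40Z vpn user=bob device=DEV-1002 src=198.51.100.7 result=ok
2024-03-04T09:20:02Z vpn user=bob device=DEV-9999 src=192.0.2.44 result=ok
2024-03-04T09:30:00Z vpn user=carol device=DEV-1003 src=198.51.100.9 result=fail
2024-03-04T09:31:10Z vpn user=carol device=DEV-1003 src=198.51.100.9 result=fail
2024-03-04T09:32:05Z vpn user=carol device=DEV-1003 src=198.51.100.9 result=fail
2024-03-04T09:33:00Z vpn user=carol device=DEV-1003 src=198.51.100.9 result=ok
"""


def parse(text):
    """Turn log text into a list of event dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(e)
    return events


def detect(events):
    """Return (alert_kind, user, device) tuples in time order."""
    alerts = []
    recent_failures = defaultdict(list)   # user -> timestamps inside the window
    for e in sorted(events, key=lambda x: x["ts"]):
        if e["device"] not in REGISTERED_DEVICES:
            alerts.append(("unregistered_device", e["user"], e["device"]))
        if e["result"] == "fail":
            window = recent_failures[e["user"]]
            window.append(e["ts"])
            # Slide the window: discard failures older than FAIL_WINDOW.
            while window and e["ts"] - window[0] > FAIL_WINDOW:
                window.pop(0)
            if len(window) >= FAIL_THRESHOLD:
                alerts.append(("repeated_failures", e["user"], e["device"]))
                window.clear()   # one alert per burst, not one per extra failure
    return alerts


def run(text=SAMPLE_LOG):
    return detect(parse(text))


if __name__ == "__main__":
    for kind, user, device in run():
        print(f"{kind}: user={user} device={device}")
```

Both alerts come from the gateway's own records, so nothing on the employee's phone or laptop is inspected; that is the distinction the article draws between monitoring your network and monitoring your staff.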