Since Apple launched the first iPhone in 2007, the popularity of smartphones and tablets has skyrocketed. These devices, with their sleek design, touch screens and easy access to a myriad of entertainment options, have fast become the preferred method of communication for executives.
In recent years, a growing number of companies have allowed employees to forgo the less glamorous and often outdated technology assigned by their IT department and instead access corporate emails and data on their personal devices – a practice known as “bring your own device” to work, or “BYOD”.
There are numerous benefits for companies wishing to adopt BYOD – including significant cost savings on IT equipment and a more efficient, flexible and engaged workforce.
However, mixing business with pleasure in this way can increase the risk of security breaches, data loss and inappropriate use of company information. This is obviously a particular concern for companies whose businesses depend on the protection of valuable intellectual property.
Implementing a clear and enforceable BYOD policy is key to reducing security risks for businesses. A recent survey carried out by the market research firm YouGov shows that, while 47% of adults in the UK use personal electronic devices for work purposes, fewer than 30% are given guidance on secure use and the risks relating to personal data loss or theft. Where staff and contractors are allowed to use their personal devices at work, it is essential to take pre-emptive measures and educate employees on the appropriate use of BYOD.
A strong BYOD policy should:
- clearly set out the rules for using personal devices at work, including security requirements
- remind employees of their obligations to protect company and personal data
- prohibit downloading data onto the device wherever possible
- explain how to report the loss or theft of the device
- clarify who owns the device (where the company contributes to the cost)
- if the company intends to monitor use of the device, explain how, when and why
- require the device and passwords to be given to the company at its request
- obtain consent to remotely delete all data on the device in the event of loss or theft or termination of employment
- explain the consequences if an employee breaches the policy