BYOB may be a good policy at the restaurant, but should you be for BYOD at the office? According to business consultants, not so much, unless you are extra careful.
The premise is simple enough, allow your employees to use their personal smartphones, tablets and computers for work, logging the devices onto your business databases. It might seem like a smart way to save money, not having to pay for a work phone or computer for your employees. But along with the money in your pocket comes some extra risks.
Brian McGinley, senior vice president of Data Risk Management for Identity Theft 911, said the trend is growing for both small companies and large corporations due to the need for more productivity and connectivity before and after work.
“We have become entirely reliant on this in terms of immediate access,” McGinley said. “This is a mega-trend from that standpoint. But, it’s important to go in there with your eyes wide open, because without the appropriate tools and planning this can introduce significant vulnerabilities to your business.”
Scott Laliberte, managing director of Protiviti, said BYOD is becoming more popular because it also saves small companies money.
“If you allow people to bring their own device, you don’t have to pay for it and give it to them,” he said.
One of the biggest risks is that all of these different devices have their own operating systems, McGinley said. If hackers go after these specific systems and applications, your data—client contact information, personally identifiable information, email lists and directories—are all at risk. If these things leak, the ramifications for your reputation and bottom line can be major.
“When information is lost or stolen, even with a small data breach, it can cost your company literally hundreds of thousands of dollars to remediate,” he said.
Hackers may also find it easier to introduce malware onto your employees’ device, because it’s so hard to enforce anti-malware security software on their property, Laliberte said. Patching software should also be of concern, because it’s unclear whether or not your workers are downloading the latest upgrades for the programs they are using on these devices.
If you do decide to go the BYOD route, the experts said there are ways to proactively protect your business from potential disasters.
One way to have an across-the-board procedure for your business is to have a control server application layer, or a portal installed on your employees’ devices that they must log into before accessing company data. One example of this is Citrix, Laliberte said, which enforces at the very least, minimum standards for your employees and has security controls and patch levels that must be met.
“The cost to do this depends on the size of the [network] environment,” Laliberte said. “It can cost anywhere from tens of thousands to hundreds of thousands to do. It can be fairly expensive.”
McGinley said company-wide there should be a policy about password protecting and also enabling the ability to remotely wipe out the device if it is lost or stolen. Set up the devices with geolocation technology, so they can hopefully be found if misplaced.
Also have your workers set their device to wipe out after ten incorrect password attempts, he said. Even if you have to sit down and physically watch them activate these security settings, it will be worth it, Laliberte said, because just having a policy isn’t enough.
“If you have a policy but no way to enforce it, it is not in effect,” he said. ”You have no control.”
Click here for more articles on “Protecting Your Small Business.”