Bring your own device, or BYOD, has become the norm in companies across the world and is almost becoming a necessity if you want to attract and retain younger workers. But there are real reasons why small business owners may want to reconsider the perk.
“Less security comes when employees bring their own devices,” says Tim Francis, Travelers Cyber Lead. “Small, medium and large business owners should seriously consider not doing it.”
High-profile data breaches at Target and Neiman Marcus have put consumer security issues in the spotlight. If the same level of data breach happened to a small business, it could kill the company. Because of that, security experts say it is risky business to let employees use their own smartphones, laptops or tablets.
“When someone is using their own device they are far more likely to be a little bit more cavalier with security,” says Francis. “There’s often a legitimate conflict between the security needs and requirements in the employment setting and the ability for the employee to use the device for their own personal stuff.”
Employees who are using their own devices may not want to put a lengthy password on their phone. They may also access company data via a public Wi-Fi hot spot, which puts the data at risk from a hacker trying to capture password and login credentials.
“The biggest risk is data leakage,” says Joe Schumacher, security consultant for Neohapsis, a security firm. “The most common use for BYOD is email.” According to Schumacher, employees may be sending sensitive communications via email on their device without protection such as encryption, which prevents other people from seeing that data.
Many employees who have children may let them use their device, which could also pose risks if the child downloads a bad app or inadvertently shares company information on social media.
While employee behavior is what allows data to be compromised, some of the blame does fall on the small business owner. That’s because a lot of companies will embrace BYOD, but won’t do anything to set up rules or policies governing how these devices can be used.
“A lot of companies say they support bring your own device but don’t do anything with that,” says Schumacher. “They don’t say, ‘here’s the strategy, here’s the framework.’”
According to security experts, if a company is going to let employees work off their own devices, it needs to set ground rules and educate workers on those rules. If employees aren’t allowed to download apps, that rule should be in writing. If the employee has to put a password on the device and change it every three months, they had better know that’s a requirement.
One area that can be tricky, and one that small business owners have to address, is who owns the data on the phone. If a phone gets lost or stolen, a lot of companies will do an automatic wipe so no one can see sensitive data. But if it’s an employee’s personal phone, chances are they will have family photos, videos and apps stored on that device as well.
“You have to have rules,” says Francis. “In a lot of ways the security issues are sometimes less about the IT department and more about the HR department.”
Small business owners should also limit the amount of data employees can access via their mobile device. For example, senior executives may be able to see sensitive customer data on their device, but that same level of access shouldn’t be given to the receptionist. Schumacher also says it’s a good idea to dedicate one employee to educating the rest of the workforce on how to securely use their phones or tablets.
“They can download apps and not understand how it works and the next thing you know you are getting spams at your business,” he says. “Education is one of the biggest things a small business can do.”