Employees and management alike enjoy the benefits of “bring your own device” (BYOD) and “work from home” (WFH) policies. In theory, these policies improve productivity, efficiency, and employee satisfaction.
Then again, BYOD and WFH policies substantially increase an organization’s cybersecurity risks. Consider some of the adverse consequences of allowing employees to use their own tablets and smartphones on an organization’s networks:
- Personal devices travel everywhere with an employee. This increases the risk of physical loss or theft of a device. This is problematic as these devices hold valuable corporate information.
- Employees might use free Wi-Fi hotspots to connect to the web. Those hotspots are easily tapped by hackers who can steal information sent through free Wi-Fi routers.
- Employees might download sensitive information. Downloading information onto personal devices could inadvertently violate regulatory data privacy restrictions.
Upon hearing these dangers, some companies ban all use of personal devices for business purposes. They might even restrict network access to only those devices that are in the employer’s physical location. This approach will have an adverse effect on productivity, however, and in some cases, it may be wholly impractical.
Instead, companies should adopt a robust BYOD and WFH policy that reflects the best practices distilled across different industries. Those practices include:
- Extending the BYOD policy to all employees equally and without exception. Management or high-ranking individuals should not be exempt from following the rules.
- Restricting mobile resources and applications with data encryption and password restrictions. Many mobile applications collect data from a smartphone’s camera or microphone and monitor a user’s geographic location and activities. An organization may need to restrict what applications an employee uses on his or her personal device.
- Requiring segregation of personal files and corporate matters. Employees can accomplish this by using different applications for personal and corporate communications. This will also simplify matters if corporate communications are subpoenaed in any litigation.
- Investing in cyber risk insurance to mitigate financial damages linked to a data breach. Data breach recovery is an expensive process, especially for small businesses. Insurance providers significantly reduce the harmful effects of a data breach by offering financial assistance and advice.
- Enabling remote data wiping if the personal device is lost or stolen. This also requires an employee to report a lost or stolen personal device as soon as possible. Note that physical theft may also affect the employee’s personal data stored on the device.
- Requiring employees to use enhanced security settings on personal devices. This includes biometric login procedures (e.g., thumbprint or facial recognition logins) and strong passwords. When employees log in to corporate networks through free public Wi-Fi, employ a virtual private network (VPN) to encrypt all communications.
- Procuring the employee’s permission to monitor activity on a personal device. Activity monitoring raises the greatest privacy concerns. All monitoring must be done in strict compliance with legal rules and restrictions. Employers must be careful not to overreach into an employee’s personal data and communications.
Follow these procedures to enjoy BYOD policies once again without the fear of a data breach.