The Risks and Rewards of Bring Your Own Device (BYOD) Policies

20/03/2013 12:16 GMT | Updated 14/05/2013 10:12 BST

Letting your employees use their own mobile device, like an iPad, for work may seem like an easy win for your business if you run a small firm. You don't pay for the devices, your employees may view using an iPad at work as a perk, and they will tend to spend more time on them away from the office, even if they're checking their work messages before updating their Facebook profile. It is thought employees tend to take better care of them too, as they view them as their own property. However, there are some dangers to allowing your employees to take their work home with them on a smartphone or tablet computer.

  • Although these devices increasingly resemble mini-PCs, their security is almost certainly behind that of an average computer. This doesn't matter much if your employees simply want to play games on them or keep in contact with their friends. But it is a problem if they use them for work, because these devices can be much more vulnerable to hackers than a laptop.

  • Cybercriminals are increasingly targeting mobile devices in the hope of stealing the owner's banking details. But if they hack into one of your staff's devices they might unwittingly find a wealth of confidential business data stored on it that could be far more valuable on the black market than the user's credit card number.

  • If your staff use these devices for both business and pleasure then that can create problems too. I know of a company where one of its employees downloaded a social media application and as a result agreed inadvertently to transfer sensitive client information from his smartphone onto a social media site. It wasn't a malicious act; he just didn't think about what else was on it, apart from his photos, and so information would get posted on the site for everyone to see.

Therefore, it's important to establish some policies on the use of mobile devices to help you manage the fallout for your business if something goes wrong.

View a mobile device as a company PC or laptop

Whereas every work computer would have a secure login, mobile devices are unlikely to have passwords to authenticate their users and control access to the data stored on them. The devices have the technical capability - it's just that their owners rarely bother to use it. So it can be a good idea to encourage your employees to use the same-strength login on their mobile device as on their work computer. That way, at least you can ensure the password on their device is just as strong as the one on their work PC, and it will be changed regularly.

Encourage all your staff to use the same device

It's much simpler for you to keep on top of security updates on iPhone or BlackBerry handsets, for example, than on several different makers' phones and tablets. If everyone has the same device, you know they will all need the latest security patch. Then you need to send out only one email to every staff member with a link to download it.

Act quickly if a device is lost

If one of your devices goes missing, the simplest and most effective method of limiting the security risk to your firm is to wipe the lost device. You can send it a message to delete all the data contained on it, even if it's been stolen. But doing so would also erase all the user's personal files, such as their music and photo collections stored in the cloud. Make sure you tell your staff members that, as a last resort, you will have to wipe their device if they lose it - they might not be happy about it but it might make them take more care of it if they know what would happen should they lose it.

Remember your responsibilities to your clients

It would be highly embarrassing for your firm to admit to your biggest client that an iPad containing some of its confidential data has been lost. But, if you try to keep it quiet you might land yourself in bigger trouble with the information watchdog, whose job it is to make sure people's personal data is kept safe.

One solution, which many US firms have adopted, is to write a protocol explaining when customers will be informed if a device containing their data has gone missing. Most companies will not tell clients if the device was left in a taxi or stolen in a bar. Provided you have a protocol, and follow it if a device is lost, information watchdogs are unlikely to take action against your firm.

I'm not saying you shouldn't let your employees use a mobile device for work. They're great gadgets, which, for a small amount of money, can make your employees feel more positive about working for you, and allow them to work on the go. But it's worth being aware of the potential pitfalls of encouraging your team to use them, so you can prepare for any problems you might encounter.