Using personal devices for business – is it a security risk?

We’re currently all living in a bit of a grey area, somewhere between the old ways, and what will inevitably become our new normal in time – whatever that’s going to look like. This transition period has seen businesses understandably scrabble to make it possible for their staff to work from home by any means possible, but as more and more people are looking to make working from home a permanent fixture in their business, there is a very real issue that needs to be addressed.

The use of personal devices on business networks

When lockdown first happened, there was a shortage of laptops. Businesses didn’t have enough to go around, suppliers struggled to keep up with the demand, and to keep operational, many staff members started to use their own devices to access their business network.

We’re not just talking about PCs and laptops here either, there’s also the issue of mobile phones and tablets.

How can you minimise risk?

Businesses typically have no say or control over what’s being installed on a personal device, which means if your team is using personal devices to access your network, you don’t have control over what’s going through the network – this creates the potential for a serious security breach.

Whilst some businesses have completely mitigated this risk by providing their staff with the devices they need to carry out their role which is under the control of their IT team, we recognise very few business owners included ‘buy everyone laptops so they can work from home’ in their annual budget this year.

There are other solutions like our managed hardware option which has no up-front cost, allows us to have full control over security updates and network access, and gives us the ability to wipe a device remotely at your request – you can learn more about that here. But is there anything you can do if staff using personal devices is necessary at this point?

Creating a policy

Not everyone will understand the security implications of using personal devices on the business network, so creating home working, bring your own device (BYOD) and IT security policies are worth considering to help create very clear expectations and set out best practices of device security.

Here are some things to consider:

At what point can you ask someone to remove company data from a personal device? 

This can be quite difficult. When it comes to specific documents, it’s easy to request their removal. But what about work conversations conducted using a personal messaging service such as WhatsApp?

Are the devices up-to-date and running security software? 

Although you can’t know for sure without seeing the device, you could set up a reminder at regular intervals to check-in with those using their own devices reminding them to search for updates – if you’ve read any of our posts before, you’ll know we’re fierce advocates of keeping things updated, because updates often include important security fixes!

Who else has access to the devices? 

Is the device solely being used by the owner, or is it used by other members of their family? If it’s shared, can they create a user profile only for their use, so they aren’t able, either on purpose or accidentally, to access any sensitive company data?

If you need advice on what to include, or would like us to take a look at your setup and help make sure you’re protected when it comes to security – please get in touch and we’ll be happy to chat with you about what you need.