Bring Your Own Device (BYOD) culture continues to permeate the office environment, as more and more companies allow staff to use their own smartphones, laptops and tablets for work purposes—85% of employers, according to recent research. And although BYOD policies have a number of benefits, from boosting employee productivity to cutting company costs, there are also some clear drawbacks, particularly around data and privacy concerns. To help companies decide whether this approach to technology is something they should consider, we’ve put together an in-depth look at the pros and cons of a BYOD policy.
Statistics show that a BYOD policy can markedly improve employee productivity, which is partially due to the fact their personal devices are often superior models to the ones handed out by businesses. Indeed, 61% of millennial employees and 50% of workers over 30 feel that their own tech tools are more effective and productive than those of their employers. The second major reason is that employees can use their devices wherever they are, with remote workers doing 1.4 more days’ worth of work per month than their office-based colleagues.
With 40% of workers stating that workplace flexibility is among their top three considerations when making career decisions, a BYOD policy can help fulfil this desire and bolster job satisfaction. This is because it gives them greater opportunity to decide how they work, and makes it easier for them to work remotely. Considering that two-thirds of employees would consider changing jobs if the tech they’re using isn’t good enough, letting them use their own is a surefire way to keep them satisfied.
Reduced company costs
Research has shown that businesses can save around $3,150 per employee each year by implementing a BYOD policy. These savings manifest themselves in several ways, from the simple fact that companies no longer have to buy or upgrade employee devices, to the money gained from increased productivity.
Risks to corporate data
Research shows that BYOD practices are a cybersecurity risk, with six out of ten SMEs experiencing a security incident since introducing the policy. This is because personal devices may not be up to company security policy requirements, with issues like outdated operating systems, risky apps and jailbroken devices all rendering these devices vulnerable to cybercrime. If the individual’s username and password is saved on a device, this could provide cybercriminals with access to company systems. It’s also possible that employees could lose their devices between the office and their homes, which also puts sensitive information at risk.
The Do’s and Don’ts of a BYOD Policy
Do: Introduce a Zero Trust model
A Zero Trust security model takes a holistic approach to network security in an effort to reduce the risks to corporate data posed by BYOD policies. With Zero Trust, those attempting to access company resources aren’t implicitly trusted under the tenet ‘never trust, always verify’, as there’s always a chance they may not necessarily be who they claim to be. If a cybercriminal does manage to breach the first barrier to entering a company’s IT systems, an additional series of security measures will ensure they will be stopped from accessing resources and attacking the network.
Don’t: Forget about MFA and RBAC
Both multi-factor authentication (MFA) and role-based access control (RBAC) are essential to protecting company data. MFA requires multiple means of identity verification before an individual can access corporate resources, making it harder for hackers to gain control. Meanwhile, RBAC ensures that users can only access the tools and information required by their specific roles, something which reduces the potential attack surface—in other words, limit the number of entry points available to untrusted individuals.
Do: Run regular security awareness training sessions
Informed users are more likely to be responsible and not take risks with valuable company data, making them less susceptible to cybercrime. This makes security awareness training essential, which not only educates employees but places responsibility for corporate security on their shoulders. A security policy requiring full participation and attention is a lot more valuable to the business and the users. These security awareness training sessions should include everything from teaching employees how to reduce risks to corporate data to what to do in the event of a breach.
Don’t: Fail to have an exit plan
When an employee leaves your company, or simply loses their device, you need to have protocols in place to ensure no company data is lost, including the ability to remote-wipe corporate data from staff devices. However, this must be outlined in the BYOD policy, including specifying what data and apps will be remote wiped. Only workers who consent to this should be able to bring their own devices to work.