Bring-your-own-device (BYOD) policies are designed to promote flexibility and collaboration for employees and to help companies cut hardware and service costs, and they are quickly becoming standard in today’s workforce. In fact, over half of U.S. companies recently reported that they allow the use of personal devices for work purposes. While there are many benefits to BYOD, it’s important to note that such policies invite potential security risks for businesses. Though the popularity of BYOD is increasing, 78 percent of executives cite security as their number one hesitation towards adopting a BYOD policy.
Despite a high level of concern for security, many businesses are not taking the necessary steps to thwart the risks introduced by such policies. Below are five mistakes many companies make when implementing BYOD:
Failure to Prioritize Employee Education
BYOD policies can introduce several new avenues of risk, so proper education for employees at all levels is paramount. It’s a mistake to assume every employee will understand the guidelines laid out in your policy. Conduct regular trainings to go over the different parts of the plan in detail. This will ensure everyone is on the same page and better positioned to detect threats, such as phishing emails or social media messages. These trainings should also make sure employees are keeping devices updated, using long and unique passwords, and installing standard anti-virus protection.
Offering One-Size-Fits-All Training for Employees
According to a 2016 Experian and Ponemon Institute study of more than 16,000 individuals in companies that have a data protection and privacy training program, only half of respondents agreed that their current employee training actually reduces non-compliant behavior. With a BYOD policy, employees of all levels will have access to company information. Training is important for all employees, but a C-level executive will need to know different information than an entry-level employee. Offering unique trainings catered to the needs of each role not only improves employees’ security knowledge of their own devices; it also enables them to quickly communicate potential threats to other departments.
In addition to putting consistent anti-virus and anti-malware protection on devices, provide employees with access to a Virtual Private Network (VPN) or hotspot they can use while on the go. These alternatives are more secure than a public Wi-Fi network. For companies that reuse devices from former employees, completely scrub the device before giving it to its next user. It could hold sensitive information or a virus of which the previous user wasn’t aware. Educate your employees on the dangers of visiting websites or downloading apps that aren’t secure. Finally, require multi-layered password protection on all company devices as an additional safeguard for company data.
Not Holding Employees Accountable
One of the biggest threats to any company is a malicious insider. Employees know this, too – 62 percent of employees say they have access to company data that they probably shouldn’t see. Furthermore, in the 2016 Experian and Ponemon Institute study mentioned above, only 40 percent of executives believed employees were held accountable for putting sensitive and confidential data at risk.
Employees must be held accountable for properly accessing and handling company files, no matter the device. Consider creating different levels of access on files so that only those that absolutely must see them can do so. Require employees to report a lost or stolen device immediately. While they may be fearful of the consequences, emphasize that sensitive company information falling into the wrong hands is a much bigger concern. To that point, when an employee leaves the company, deactivate their ability to access devices or servers as soon as possible. By acting quickly, you can reduce the extent of possible damage.
Not Utilizing Monitoring Services
Consider enlisting the help of a proactive monitoring service. These services watch the dark web for exposed employee credentials and alert the business when a match is found so that it can act quickly. Without a monitoring service, that type of threat might go undetected, which can lead to a security incident for the company.