8 BYOD rules that every SME should follow

The initialism BYO might more commonly be seen with another B – and associated with casual social gatherings – but with a D at the end, it’s increasingly becoming a workplace term that relates to mobile devices.

More and more SMEs are inviting staff to use their own laptops, phones and tablets to conduct business, with the rapid growth of remote and flexible working accelerating this. A BYOD approach can work well for everyone involved – but there are potential problems too, so you need to know what they are in order to guard against them.

Based on clear guidance from the National Cyber Security Centre – part of GCHQ – here are eight rules and considerations to help you maximise the benefits and minimise the risks of BYOD working:

1. Put it in a policy 

   Any SME operating a BYOD system needs a policy so that staff are clear on what they can and cannot do with their personally-owned devices, as well as what business data can be accessed. You’ll need to think carefully about the information and services you want to make available to employees and make sure your network is designed accordingly. 

   For example, it’s likely you’ll want to prevent unauthorised devices from accessing sensitive business data or personal information. Beware, though, of being so restrictive that staff cannot operate effectively on their devices – otherwise they may be tempted to start looking for workarounds that might increase security risks.

2. Spread the word 

   A policy is no good to anyone if it’s written up, filed away and forgotten. Organise training sessions or briefings so that everyone understands their responsibilities in this area. 

   Employees’ approach to security will differ when using their own devices. They might let family members use the device or give passwords out – to someone doing repair or maintenance work, for example – so they will need to know your guidelines around this.

3. Plan for incidents 

   If something happens that could compromise security, have you thought about what you’ll do? What if a device is lost or stolen? Could you wipe sensitive data remotely and if so, how quickly? 

   Staff need to know the procedure for reporting loss, theft or other problems. It’s a good idea for businesses to rehearse these scenarios, so that everyone can be confident in how to act if they need to.

4. Think about technical controls 

   Applications and technical services can help you to remotely manage personally-owned devices – though they can affect the usability of that device. A good option is to provide staff with a ‘presentation’ of information rather than storing it locally. Security solutions, such as encryption, can be circumvented if malware is present on the device. 

   Usernames and passwords should not be shared between personally-owned devices and the business desktop environment, as duplication increases the likelihood of a breach. Similarly, when someone leaves your SME, it’s important to make sure company information is removed from their device and all system access is revoked.

5. Consider other ownership options 

   In some circumstances, use of personal devices might need to be restricted for security reasons and some staff may not want to use their own tablets, phones or laptops for work at all. However, this lack of flexibility and access can make it harder for employees to do their job. 

   So, it’s worth thinking about other options such as devices – or better still, a choice of devices – that are bought and controlled by your business, which can also be used by staff for personal purposes.

6. Get ready to offer more IT support 

   If your workforce are using their own devices, it’s unlikely that they will all be the same type, make and model. Can your IT support manage this? Do they have the capability and expertise? This is an important consideration.

7. Limit the information shared by devices 

   Automatic backup of device data to cloud-based accounts can lead to business information being divulged, especially when staff are accustomed to sharing it with other users. You can reduce this risk by limiting the amount of data being passed between employees. 

   Think about how security problems with social media could affect you too – for example, users could mistakenly send social networking posts from their corporate identity instead of their personal profile if both are configured on a device, or inadvertently reveal the location of where they are working from.

8. Understand the legal issues 

   It’s your legal responsibility as a business to protect other people’s personal information – not the owner of the device. And this will only become more critical once the General Data Protection Regulation (GDPR) is implemented in May.Failure to adequately protect personal data could result in significant fines for your company under the new legislation, so getting clued up on the requirements – and ensuring your device procedures are compliant – is essential.

Want to talk to our experts about your BYOD approach? Get in touch!