Viewpoint: Bring your own device to work – is it always a good idea?

A “bring your own device” policy in the workplace can cause chaos when things get out of hand. Since the start of the pandemic, cyberattackers have taken advantage of our changing “work from home” models, resulting in a huge wave of cyberattacks in 2020, a trend we have yet to see reverse. . Since organizations have reopened their offices and implemented new hybrid working policies, “bring your own device” has become a popular arrangement that makes it easier for employees to transition from working from home to the office using their smartphones, tablets and personal laptops.

However, most organizations are beginning to scrutinize their IT ecosystem for vulnerabilities, and BYOD policies are one of the key areas where many companies are compromising their cybersecurity. Anthony Green, CTO of cybersecurity consultancy firm FoxTech, explains:

“External and personal devices are a major chink in the armor of many companies when it comes to protecting against cyberattacks. BYOD means that employees access and store company-owned data on devices that do not are not owned by the company. In the IT professions, any device that connects to your network is known as an endpoint. A study by the Ponemon Institute found that 68% of organizations experienced one or more endpoint attacks in 2020 , coinciding with the rise of working from home.This means that unsecured and unprotected personal devices could pose a real threat to the security of your data.

“It would be better not to have a BYOD arrangement at all, but that’s not always realistic as personal devices become more integrated into office life. With that in mind, you can take steps to minimize the inherent risks of using personal devices for work.”

Here, FoxTech provides its tips for making your BYOD policy cybersecurity-friendly:

Know the risks

Educating yourself about the specific risks of BYOD is extremely important and will save you from sleepwalking into a cybersecurity crisis. The main risks include:

  • Easier malicious takedown of data, e.g. users allowing malicious apps to access data
  • Higher risk of accidental data loss, e.g. work data is shared in device backups, personal devices are shared with family
  • Higher likelihood of unsupported or outdated devices
  • Users are less willing to report security incidents because they fear their personal data will be hacked
  • Increased risk of theft and loss of devices

think about it

Don’t make it up as you go along. Just as you should develop written policies regarding the use of company devices, you should create rules and obligations around your BYOD program. The National Cyber ​​Security Center (NCSC) has a great guide to creating a Bring Your Own Device policy. here.

Work with your employees

One of the biggest challenges in securing your employees’ personal devices is the conflict of interest between the company and the owners of the devices. Because personal devices are not company property, the employee has the right to opt out of device monitoring and installation of security features.

Users will generally worry that installing security packages may slow down their device and affect its usability. They may also fear that too much corporate surveillance will compromise the privacy of their personal data.

For these reasons, it’s important to involve your employees when it comes to securing their devices. One way to do this is to offer the alternative option of an enterprise device. This means that if employees always choose to use their personal device, they may be more willing to agree to security measures because they won’t feel pressured.

Communication of BYOD risks and mutual responsibilities between the organization and the employee will also be crucial in encouraging the safe use of personal devices.

Be careful with your data

Don’t give anyone more access to your data on personal devices than is required for their job. There are certain aspects of your data, such as an employee’s financial information, that would be wise to keep in a fully managed environment. When planning your BYOD policy, you should audit each employee and department to determine where it may not be appropriate. Don’t be afraid to extend the policy to some departments and not others – the key is to communicate why you made each decision.

Invest in cybersecurity monitoring

The Ponemon Institute’s annual report on the cost of data breaches found that in 2021, it took companies an average of 212 days to identify a breach, and an additional 75 days to contain it. The faster a breach is identified and contained, the lower the overall damage cost will be. This means that if a malicious actor has managed to infiltrate your system through a personal device, there is still time to prevent a full-scale attack if you are able to identify a breach quickly.

The best way to monitor your system for possible breaches is to invest in cybersecurity monitoring by an expert cybersecurity consulting firm.


Anthony Green is a CREST practitioner and recognized thought leader in cybersecurity.

He has designed and implemented some of the UK’s most secure systems, including global corporations, the UK government and various SMEs.

His career spanned software development, infrastructure, technical leadership and security. He is the founder and CTO of Fox Tech.