Many companies permit the use of personal devices for business purposes – from business calls made on personal phones to corporate network connections on home laptops. Such a state of affairs is generally beneficial, however, especially in small companies: The employee is already familiar with the device, and the company saves money. The downside, however, is that the practice creates additional cyberrisks for the business.
Personal devices at work — the new normal
The number of organizations with a Bring Your Own Device (BYOD) policy has been steadily rising over the past few years. A study last year by Oxford Economics for Samsung found that mobile devices form an integral part of the business processes of 75% of companies. Moreover, only 17% of employers prefer to supply their entire staff with corporate phones. The others all allow the use of personal devices at work to some extent.
Should the protection of personal devices be entrusted to their owners?
Whereas corporate servers and workstations are, on the whole, reliably protected, the personal laptops, smartphones, and tablets of managers and employees do not always fall within the remit of the IT security department. Instead, it is assumed that owners are responsible for the security of their personal devices.
But such an approach plays right into the hands of cybercriminals. This is not mere hearsay or speculation: Incidents involving the theft or hacking of personal gadgets are happening all the time. Here are just a couple of glaring examples.
In June of last year, Michigan Medicine reported a possible leak of about 870 patients’ data after an employee’s personal laptop was stolen. The data stored on the laptop was for research purposes and varied depending on the project, but the records potentially included names, birth dates, gender, diagnoses, and other confidential, treatment-related information.
Hacking a home computer
Whether that thief used the data from the stolen laptop is not known, but clients of the cryptocurrency exchange Bithumb were left in little doubt following a separate incident. Cybercriminals broke into the home computer of an employee and siphoned off information about the wallets of 32,000 users of the service. As a result, the miscreants were able to withdraw hundreds of thousands of dollars from Bithumb client accounts.
The exchange promised to compensate the victims out of its own pocket, but clients still filed a class action lawsuit against Bithumb for disclosure of personal information and related financial losses.
BYOD and security policy
It is not enough simply to allow employees to use their own devices and think your company now has a BYOD policy. By allowing the use of personal phones or laptops to store and use work-related information, you accept certain risks. To reduce the chances of suffering financial or reputational damage, or both, we recommend following a few tips:
- Hold regular security awareness courses on the latest cyberthreats. Employees need to understand the risks involved when using personal devices at and for work.
- Ensure all gadgets with access to corporate networks and data have a security solution installed — ideally, one managed by a corporate administrator. If that is not possible, advise employees to install a home security solution at the very least. Do not grant access to unprotected devices.
- Ensure all confidential information on such smartphones, tablets, and laptops is stored in encrypted form. Modern mobile operating systems let users encrypt the entire phone or tablet. For reliable data encryption, use Kaspersky Small Office Security. That way, even if the device gets lost or stolen, the solution will prevent outsiders from gaining access to important data.
Kaspersky Small Office Security is tailored to meet the needs of small companies. For one thing, the solution requires no special skills or training on the part of administrators. Anyone can manage the Web-based control panel. At the same time, the security suite provides robust protection for both computers and mobile devices.