BYOD – Bring Your Own Device
The term BYOD refers to staff using personal devices such as smartphones and tablets for business use as well as personal use. However, the business owner does not have sufficient control over these devices. Connecting them to the corporate IT systems can introduce a range of security vulnerabilities and other data protection concerns if not correctly managed.
BYOD raises a number of data protection concerns because the device is owned by the employee rather than the business. An alternative is to issue key employees with devices that are owned by the business, but enabled for personal use. This is called COPE – Corporately Owned and Personally Enabled.
Protecting data in the event of loss or theft of the device will need to be considered. This is the main problem area, and can lead to a sticky situation for both the employer and the employee. For example, if an employee uses a personal smartphone for business email and the device is stolen or lost, corporate data could be at risk. The employee will be more concerned about obtaining a replacement phone, but the business owners now have a real security headache, as a major security breach could have occurred.
The Information Commissioner's Office website has some really well-written information regarding BYOD.
My recommendation is to write a short but comprehensive BYOD policy, backed up with a procedure on applying security settings, and what to do if the device is lost or stolen. Many devices have a ‘remote wipe’ facility, and business owners and their employees need to be competent at doing this, as one day it may be needed.