A growing number of forward-thinking small businesses are implementing Bring Your Own Device (BYOD) policies.
It’s an exciting development, which is why we’ve decided to take a closer look.
What are the pros and cons of BYOD? What are BYOD best practices? And do the advantages outweigh the disadvantages?
Allowing employees to access business data on a personally-owned device is a risky strategy, so the decision to adopt a BYOD policy shouldn’t be taken lightly if cyber security is a priority for your business. Before you implement a BYOD policy in your organisation, planning for the potential hurdles is crucial. But first…
Advantages of BYOD
Is your business ready to realise the advantages of BYOD in the workplace?
Reduced IT costs: With staff using their own devices to complete projects, IT costs for employers go down.
Remote working: With the flexibility to access work files from anywhere, anytime using their personally-owned devices, employees will have much greater freedom than a traditional office desktop setup can offer.
Familiarity: Getting to grips with new operating systems takes time. BYOD ensures staff members are comfortable and confident with their own devices and reduces the risk of user errors.
Disadvantages of BYOD
Device usability: Some Mobile Device Management tools used to remotely manage personally-owned devices can slow down devices, making employees reluctant to use their own devices.
Security: Steps must be taken to ensure the level of security of personally-owned devices matches the needs of your business. Companies must take steps to prevent staff from losing, stealing, or inadvertently compromising data.
Managing multiple operating systems: Managing multiple devices means monitoring and maintaining several operating systems. Keeping up to date with maintenance often requires additional IT support to be employed.
Don’t be discouraged. BYOD disadvantages can be avoided by following BYOD best practices.
BYOD Best Practices: Dos and Don’ts
In August of 2016 the National Cyber Security Centre (NCSC) released an updated executive summary of the key aspects for organisations to take into account when considering a BYOD approach. Below, we have included an overview of the key points outlined in the summary. You can download the entire document here.
Understand the legal issues
It’s important to be aware that the legal responsibility for protecting personal information doesn’t lie with the device owner, it lies with the data controller. As a result, you must be aware of the laws relating to the safeguarding of your business data, including:
The Data Protection Act (DPA): According to the DPA, “Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.”
The Information Commissioner’s Office (ICO) is the UK’s independent authority established to uphold information rights in the public interest, promote openness by public bodies and data privacy for individuals. Their website includes plenty of advice relating to information security and outlines the following basic steps your business will need to take to prevent data being compromised:
- Design and organise your security to fit the nature of the personal data you hold and the harm that may result from a security breach.
- Be clear about who in your organisation is responsible for ensuring information security.
- Make sure you have the right physical and technical security, backed up by robust policies and procedures and reliable, well-trained staff; and
- Be ready to respond to any breach of security swiftly and effectively.
The Employment Practices Code: This code relates to the impact of data protection laws on the employee relationship, and requires that employees are given a certain amount of privacy in the workplace.
The ICO have released a handy quick guide to the employment practices code to help you ensure that your small business stays on the right side of the law.
Commercial agreements and additional legal obligations
Before implementing BYOD, it’s important to consider your business’s legal obligations and consider how your existing commercial agreements or second party agreements will be affected. Always seek professional advice if you are unsure.
Limit the information shared by devices
With BYOD there is a risk of personally owned devices automatically backing up data to Cloud-based accounts. This could lead to sensitive company data being compromised or shared inadvertently. As a result, you should be aware of how devices (and their users) share information and take steps to limit the automated backup of your business data.
Create an effective BYOD policy
How much of your business data do you want to share with your staff? Authorised staff members should only have access to the data you are comfortable with them seeing and sharing. The NCSC recommends that businesses should:
- Prevent any unauthorised devices from accessing sensitive business or personal information.
- Ensure that authorised devices are only able to access the data and services you are willing to share with BYOD employees.
Your company’s BYOD policy should clarify which staff members and devices can access business data. It should also outline the responsibilities of both you and your employees in ensuring the BYOD policy is followed.
Encourage staff agreement
It’s important to get all your staff on board with your BYOD policy. As well as creating and distributing your organisation’s BYOD policy amongst staff, arrange staff training to ensure every member of the team understands their role and responsibilities when using their own devices to access company data.
Consider using technical controls
Mobile Device Management can be used to remotely manage personally owned devices. However, technical control services and applications can sometimes negatively affect functionality.
Anticipate increased device support
Does your business have sufficient IT support to cope with the need to support a greater number of device types? You will need to:
- Consider the additional costs associated with supporting a variety of devices and operating systems.
- Schedule regular updates and maintenance for multiple operating systems.
- Be capable of responding to security issues across a range of devices and operating systems.
Plan for security incidents
It’s important to have a plan in place for what to do in the event of the theft or loss of a personally-owned device containing company data. The NCSC gives the following advice:
- Act immediately to limit losses.
- Prevent the spread of any compromise.
- Learn lessons from the incident.
- Identify who in your organisation is responsible for replacing lost or stolen personally-owned devices.
- Consider the effect any delay in the replacement of devices will have on your organisation’s productivity.
- Ensure that staff know who to contact and what to do if a device is stolen; staff must feel confident that they can quickly report incidents without fear of recriminations, especially if it’s their own device.
- Ensure that staff are aware of your policy in cases where you may need to remotely wipe (or seize) their own devices.
Consider alternative ownership models
The less control you have of a device, the less control you have over keeping your business data safe and secure. The NCSC recommends considering an alternative ownership model to give staff a choice of pre-approved devices that can be controlled by your company. This will give you greater confidence in the safety and security of your sensitive business data.
BYOD with Virtual Desktops
The advantages of BYOD are clear. If your business is ready to implement a BYOD strategy, Green Cloud Hosting can help. Our Hosted Desktop service is the perfect solution for businesses keen to ensure the safety and security of data accessed on personal devices.
Green Cloud Hosting: Rapid. Reliable. Secure
At Green Cloud Hosting, we’re committed to helping keep your data safe, secure and easily accessible to your entire team. The safety of your data is our top priority, which is why all data is 256 bit encrypted and safely stored in our three UK datacentres.
To find out more, don’t hesitate to get in touch. Call 0161 979 0691 or email in**@gr***************.uk.