Personal device use - a red flag for cybersecurity

01 May 2024, Dr Damian Viviers, Mark le Riche
With Covid-19 having fast-tracked the remote and hybrid working model in many businesses, these flexible methods of work have also increased the scope for employees to use their personal devices to work and remain engaged with their clients and employer. As beneficial as this is for employees and employers, it is not without risk. In this article, we look at personal device use and the potential impact this may have on the cybersecurity environment of a business.

Bring Your Own Device (BYOD) is a widely recognised practice in terms of which employers permit their staff to utilise their personal devices such as smartphones, laptops, or tablets for work-related activities, including accessing the business’ data, network, services and systems. The upside for employees and employers exists in the fact that employees are comfortable and proficient with their own devices, and this makes it easier to remain in touch with work communications and responsibilities. 

But therein also lies the rub. These are personal devices of employees and therefore potentially outside the domain of regulation by an employer, with such devices having access to client information and business networks and systems. But how safe and up-to-date are these devices and their software? Who has access to or shares these devices? What happens to data on a device that is stolen? These are all risks that accompany the use of personal devices, even if only used for accessing work email.

For many employers, the benefits drive the decision to let employees use personal devices, often with little thought given to the risks that accompany such access, or to a clear policy framework that sets the conditions for access, the device requirements and the acceptable-use terms for a BYOD environment within the organisation. This poses a significant cybersecurity and data leakage risk and should be a red flag for any business assessing its vulnerability to attack or data leakage.

Imagine an employee's phone, containing potentially sensitive client information, being sold by the employee to someone else without old emails being removed or access to business email or networks being revoked. Think of an employee's tablet that has access to the business network and even its financial systems. The employee does not run regular operating system and security updates, and malware or spyware is installed through a website, a vulnerable app on the tablet, or a phishing attack, giving attackers access not only to the tablet but potentially also to the business network and systems the employee could reach. If these scenarios leave you cold, you are right to be concerned: they are very real scenarios that accompany BYOD.

And what happens if an employee planning to leave the business downloads client information and confidential data onto a personal laptop with the intent to share it for commercial gain or other malicious purposes? The laptop may have no endpoint security in place to prevent the employee from copying or sharing the data anywhere in the world. This is a very real data leakage nightmare for any business, and reputational suicide if client trust is breached as a result.

So how does an employer curb and manage these risks? The most obvious one is to not allow BYOD! But, if this is not an option, the use of personal devices must both be regulated by a clearly defined policy and enforced through the business’s IT security policies.

From a cybersecurity perspective, it is vital that your business work with your IT service provider or engage a cybersecurity specialist to ensure that your security environment is secure and that personal device access is controlled and managed. This may mean that certain conditions must be met before a personal device is allowed to connect to the business network: for example, the device must be encrypted, password protected and running the latest operating system software. Additionally, it may be policy that up-to-date anti-virus software, and even endpoint security software that limits the user's ability to copy or transmit data from the device, be installed. The business may also wish to monitor certain traffic from the device, provide for conditional access, or require two-factor authentication to be in place before the personal device is granted access.

Given the impact this has on the freedom to use a personal device, the user must be made aware of these conditions and requirements and must consent to the business enforcing its security requirements on the device. The alternative, however, is no connection to the business network.

Accordingly, a BYOD policy is vitally important to regulate the requirements for, and the use by employees of, personal devices connected to the business network environment. It will need to set out conditions and restrictions, as well as requirements such as authorising new personal devices and removing old devices that are no longer used, the types of devices that may or may not be granted access, the software that may be installed on personal devices, the type of access permitted, password and access control procedures, incident notification, regular awareness training, and so on.

Such a BYOD policy is vital not only to regulate the framework for personal device use but also to evidence the business's compliance with the Protection of Personal Information Act 4 of 2013 (POPIA), which requires a business to safeguard all personal data it processes or stores, whether onsite, offsite, or on business or personal devices of employees. A failure to regulate a BYOD environment could therefore also constitute a failure by the business to comply with POPIA where personal devices are used to process and store client personal information.

The above should make a sufficiently strong case for immediately evaluating your current cybersecurity environment if your employees use personal devices to connect to your business network and systems.

For assistance with developing a tailored BYOD policy for your business, feel free to contact our Compliance Team. 


Disclaimer: This article is the personal opinion/view of the author(s) and is not necessarily that of the firm. The content is provided for information only and should not be seen as an exact or complete exposition of the law. Accordingly, no reliance should be placed on the content for any reason whatsoever and no action should be taken on the basis thereof unless its application and accuracy have been confirmed by a legal advisor. The firm and author(s) cannot be held liable for any prejudice or damage resulting from action taken on the basis of this content without further written confirmation by the author(s).