The availability of more flexible working patterns for more individuals, together with improved communication networks, has led to a boom in “Bring Your Own Device” (BYOD). This is where staff use their own laptops, smartphones and tablets to carry out their work duties. There are undoubtedly positive aspects to BYOD for both employers and employees in that it helps to create a better work/life balance, whilst simultaneously cutting costs when it comes to overheads.
However, employers should beware of the possible pitfalls, in particular the security threats. BYOD has created headaches for IT departments, which need to control access to organisational data and limit the danger of viruses and malware. Furthermore, the legal responsibility for protecting personal information lies with the data controller; this is likely to be the employer, not the device owner. The last thing you want is to be faced with a potential fine of up to £500K from the Information Commissioner for a breach of the Data Protection Act, and the adverse publicity that generates.
To assist organisations, the Government’s Communications-Electronics Security Group has produced guidance on data protection issues and security risks. In line with this guidance, our tips are that all employers should:
1. Consult staff and consider what devices they use. Get input from different levels of seniority to find out their needs. Understand the way in which members of staff use devices for business purposes. You may wish to give staff the chance to choose a device from an approved selection.
2. Draft a BYOD Policy and security procedures. Control network use, encrypt organisational data and reserve the right to shut down or wipe devices that become a security risk, or on termination of employment. This could include a remote wipe feature. Procedures should be put in place to ensure that security incidents are responded to quickly.
3. Consider using a cloud-based communications system. This will reduce concerns over security of content accessed on individual devices.
4. Be flexible on whether you introduce a universal BYOD program or have a mix of personal and corporate devices. It may depend on the nature of your data and how sensitive it is.
5. Increase IT Support and train staff. Increased device support should be anticipated so that a greater number of device types can be handled. Train staff on the policies and procedures introduced to create a safe way forward.
6. Get signed agreements from all staff and monitor compliance. This will be valuable to protect the organisation from any data loss, reputation loss and/or legal action resulting from lost or leaked information or to determine rights over the data upon termination of employment. Check with your IT provider to review staff compliance and any data issues.
If your staff use their own devices for work, let us know if you’d like us to draft an appropriate policy which provides you with the security and flexibility that you require.