A “bring your own device” (BYOD) policy is about more than just convenience—it can improve your company’s performance: Letting employees use their own devices at work boosts productivity and morale, research shows.


It may also increase your bottom line. Businesses can save more than $3,000 per person annually when employees use their personal smartphones and laptops for work.


It’s worth considering that most employees already use their personal devices at work—even if not technically for work—and check their work email on them.


That said, allowing employees to use personal devices for work can also open the floodgates to cybersecurity risks. Hackers often see personal mobile devices as an easy portal for stealing a company’s information—and small businesses are prime targets. In fact, a 2017 report from the Ponemon Institute found that nearly two-thirds (61 percent) of all cyberattacks target small and midsize businesses.


So how do you protect your data in a BYOD world? Follow these three rules:


1. Draft a Cybersecurity Policy

“Without a well-structured cybersecurity policy, BYOD can quickly turn into BYODB—bring your own data breach,” says James Goepel, CEO and general counsel of Fathom Cyber, a cybersecurity consulting firm. Start by defining the scope of your business, the types of data you collect and store, who needs access to that data, and the risks to the company and to your customers if your data is breached.


Using that analysis, create a cybersecurity plan that addresses:

  • The installation and use of antivirus software
  • The types of devices allowed to access company data
  • Security protocols for users
  • Your company’s password policy
  • The ability to purge data remotely in the event the device is lost or stolen
  • Regular scanning of all devices for malware or vulnerabilities
  • The ability to compartmentalize company data on an employee’s device


“These can be touchy subjects for employees, because some perceive it as the business trying to gain access into their personal information and private lives,” Goepel says. “But if these fundamental aspects of cybersecurity aren’t addressed on the employees’ devices, they will leave gaping holes that will be exploited by attackers.”


2. Secure Your Data and Their Devices

Your first line of defense is state-of-the-art encryption software that protects your data in transit—as it moves from your client into your network and from your network to a remote device—and at rest inside your database, says Grant Bourzikas, CISO at cybersecurity provider McAfee. He recommends setting up a virtual private network, or VPN, to create a secure conduit into and out of your business. “If employees work from a coffee shop or any place with free Wi-Fi, connecting through a VPN is critical,” he says.


For the devices themselves, first make sure that all personal devices are up to date with the most current security software, then scan each device for malware before allowing it into your network. Of course, access into your network should always be password protected, but for even tighter security, consider using MDM (mobile device management) software, says Craig Riegelhaupt, director of product marketing for mobile solutions at Tangoe, a global enterprise software company.


MDMs let you configure your network so that only “known” devices are allowed in, and they give you access to those remote devices. You can track locations, compartmentalize corporate data from personal information, push through updates, scan devices for malware or suspicious apps, and purge company data from a device.


3. Plan for the Worst

Every network is only as secure as its most recent update, so ideally your system will scan for security updates automatically and push patches out into every device connected to the system. But patches aren’t enough, says Tracy Hernandez, vice president of product marketing at Kaseya, an IT management software provider. You should also have a recovery plan in case your data is breached. That includes regular backups that are stored outside of the network, and a recovery time objective (RTO) plan in place so you know how long you can afford to be offline before a data breach becomes a fatal attack on your business.


Before you institute a BYOD policy at your business, make sure to consider the cybersecurity issues it could present. It’s far better to prevent security problems than to fix them after they happen.