It’s common for employees to use their personal phones at work, even more so since the rise of remote work. Many companies even have formal Bring Your Own Device (BYOD) policies that allow employees to access their company email, work documents, and internal networks on their own laptops, mobile phones, or tablets.

However, these personal devices represent a security issue for small businesses. One study reported that 50% of companies that allowed employees to use their personal devices experienced a data breach via one of those devices.

Sanctioned (and unsanctioned) use of personal phones at work can create a host of problems for IT security teams. Banning personal devices simply isn’t feasible for most small businesses, but there are steps you can take to ensure employees are using their devices as securely as possible.

Create a formal personal device policy

Many employees prefer using their personal tech for work; it’s easier and more convenient. Plus, many small businesses don’t provide guidance on BYOD limitations.

A simple way to mitigate the risk of a data leak from a personal device is to create a formal personal device security policy. This policy should clarify which devices are approved for professional use, how to use devices appropriately, and the steps to take to ensure devices are secure and compliant with any regulations governing your specific industry.

More specifically, use your policy to address the following concerns:

  • What devices are permitted for company use? Detail whether employees can use laptops, tablets, mobile phones, or all of the above. Specify whether Android, Apple, or both operating systems are permitted and whether your workspace will support devices released before a specific year.
  • What apps are permitted? For devices with access to company data, detail what social media channels, email applications, and other apps are allowed. Likewise, establish whether employees can install and use applications on devices that connect to your company network.
  • What actions are considered high risk? Help your team understand what qualifies as “acceptable use” for their company-connected personal devices. CIO suggests answering questions such as, “If you set up a VPN tunnel on an iPhone and then your employees post to Facebook, is this a violation?”

Work with an IT expert and get feedback from your team to develop this policy in a way that makes sense for your company and your employees.

Install some basic security measures

A few user-friendly security measures can help protect company data on personal mobile devices.

“[Require] strong passwords, time-out locking, certain company-provided antivirus and protective software, and setting up protocols for reporting a lost or stolen device right away,” wrote Inc.

Employees should update their operating systems regularly to install the latest security patches. Likewise, every device should be equipped with a virtual private network, or VPN, to create a secure connection no matter where the employee is working.

“You can also offer a data package that allows employees to tether, or hotspot, their laptop’s internet connection to a mobile device. These options offer a more secure way to get connected,” wrote Nightfall AI.

Other security measures to consider include encryption, anti-malware, and device tracking so you can locate an employee’s phone if it goes missing.

Provide regular employee training

“Your data security plan may look great on paper, but it’s only as strong as the employees who implement it,” wrote the Federal Trade Commission. “Take time to explain the rules to your staff, and train them to spot security vulnerabilities.”

Employee training is vital to device security. Forty-one percent of all data breaches are due to lost or stolen devices. Reminding your team regularly to be vigilant about their environment and phone security can help lower this risk.

You should also help employees proactively spot threats such as social engineering attempts or malware posing as legitimate apps. For instance, during the Pokémon Go craze, malware resembling the popular app infected the devices of thousands of users. These threats are becoming more and more sophisticated. Regularly remind your team to download apps only from reputable sources.
