David Webb: Bring Your Own Device - worth the risk?

In BYOD investigations we've worked on, if BYOD is not regulated properly, it can threaten IT security and compromise valuable company data. Photo / Getty Images

As we move into a more flexible technological working age, it's now common practice for workplaces to allow employees to Bring Your Own Device (dubbed BYOD) to work.

BYOD allows employees to work on the device they choose, providing key benefits including cost savings, increased employee satisfaction (due to mobility and flexibility) and increased productivity levels.

However, despite the clear advantages of a BYOD workplace, there are potential costs and risks to an organisation in allowing corporate data to be accessed on personal devices.

In BYOD investigations we've worked on, if BYOD is not regulated properly, it can threaten IT security and compromise valuable company data.

Employers should ask themselves what security measures are in place if the device gets lost or stolen. Do other people (i.e. children or family members) have access to the device?

And whilst an employee can 'wipe' a device clean (if they are disposing the device), have all the files been deleted? In some cases, sensitive data can be recovered.

For employers who are intent on taking this seriously, they should implement a BYOD policy and adopt a system that works best for an organisations own circumstances. An effective BYOD solution will enable you to secure the data, not just the device.

Implementing a BYOD policy

David Webb is the NZ Managing Partner of PPB Advisory. Photo / Dean Purcell.

• Allow employees to choose their own device - Provide the employee with their choice of device for enhanced efficiency and morale, but allow IT departments to maintain control over the device and rights to access work-related information, if necessary.

• Increase IT controls - Network security is paramount. Implementing mobile application management (MAM) to personal devices allows management of critical work-related applications and the ability to remotely lock or wipe that content. Particularly in the case of sophisticated malware and mobile Trojan attacks. Other policies could include encrypting sensitive data and/or limiting corporate access to sensitive areas.

• Mandatory training for staff using BYOD - Provide training about the associated risks with inadvertently sharing corporate information to reduce the likelihood of corporate information being leaked (e.g. correct backups, wiping devices prior to disposal)

• Strictly enforce breaches of policy - This will act as a warning to otherwise complacent employees and to help create a compliant environment.

BYOD is about being innovative and helping employees to work better, it's part of a growing trend that helps empower workforces.

But it's important that employers do their due diligence to evaluate the opportunities versus the risks of employees using personal devices at work - because one of the most potentially catastrophic risks is not having any sort of BYOD policy in place at all.

David Webb is the NZ Managing Partner of PPB Advisory