Our phones are with most of us most of the time these days. And their capabilities surpass the humble moniker of “phone”. We use them for mail, social media, searching the internet, playing games and much, much, more. However, it occurred to me the other day that I was using my personal phone for work as well as my private life. And I wondered whether that was a problem or not.
Large companies have had Bring Your Own Device (BYOD) policies for a while now. As part of that policy they have control of the data on the BYOD device, whether it’s a phone or a laptop, and the policies especially cover emails and database access. They will also have password/access control policies such that if an employee changes companies their access terminates immediately and the data removed from those devices. You get the idea. Large companies can afford experts to worry about these things and afford to deploy the necessary infrastructure.
A lot of smaller companies however can expect employees to bring their own devices because it is a huge cost saving to the business. This is especially so if your staff are not full-time e.g. volunteers, part-timers, interns etc. The problem here is that they have access to your systems. Now this doesn’t mean that you should treat your employees as though they are criminals; but what it does mean is that you should think about what data you hold, who has access and where that data is. Simple data privacy problems? Maybe.
Just suppose you have a data breach. How would you know who did it, how they did it and where they did it? Were they a “hacker” or was it an inside job? In the UK, the ICO (in specific circumstances) have fined a person who downloaded sensitive work files to their home machine (so that they could work from home) and on another occasion fined a person that continued to use IT systems of a previous employer (the person was also imprisoned). By not having policies in place and expecting your employees to use their own equipment you can lay your company wide-open to potential breaches. Risk minimisation.
Going back to my phone predicament…I ended up having to buy a second phone, even though my phone was dual-SIM. That’s because there was no way of keeping my personal and my work data apart on my dual-SIM phone. Similar problems for laptops too.
Our company has no BYOD policy and that’s because we don’t “do” BYOD. We really do believe that under the new data privacy laws that BYOD has the potential to mean Breach Your Own Data.