How to mitigate the risks of using personal devices in the workplace

Brian Thomas, partner, IT advisory services, Weaver
Brian Thomas, partner, IT advisory services, Weaver

Over the past few years, employees have been trading in company-issued phones and bringing their own personal devices — phones and tablets — to connect to work servers. They want to carry a single device to access both work and personal material.
“Many companies have said there are enough people doing this that they no longer need to issue phones. They can just allow everyone to bring their own phones and connect them into the environment,” says Brian Thomas, partner in IT advisory services at Weaver.
However, the bring your own device (BYOD) trend comes with risks that companies need to recognize.
Smart Business spoke with Thomas about BYOD and practical steps to lessen risks.
How is the BYOD trend developing?
This is a strong trend among midsize businesses. As for the Fortune 500 organizations, it depends on the nature of the business. If a company has a lot of sensitive information, it will not necessarily adopt a pure BYOD strategy or will do so with an abundance of caution. Large corporations have information security departments that have been quick to identify the risks. In midsize organizations, there are simply not as many people to force a discussion about risk. Regardless, this is a broad trend that affects many businesses.
What are some of the risks?
The two primary areas of concern are physical access and the users themselves.
The No. 1 risk with mobile devices is that it’s not a matter of if they get lost, but when. If companies enable these devices to connect and receive company data, some of which will stay on the phone, then how do they protect that data when the device is lost and presumed to be in the hands of someone else? The primary methods for mitigating this risk are encrypting the phone’s contents, setting passwords to prevent unauthorized access and remote-wipe features that enable the company to delete the phone’s contents once lost. However, this is complicated in a BYOD scenario because users can connect a multitude of devices to the network, some of which will not support all of these features.
The reason users are a concern with BYOD is because they are often unaware of the risks associated with their mobile device activities. Because they own the phone, they may feel entitled to do with it as they please, including removing security features.
Do certain devices make companies more vulnerable to these risks?
In some ways, yes. The iPhone, for example, is a phone manufactured by one company with one operating system. There are multiple versions, but the uniformity of the product makes it simpler to manage and secure. In the Android world, vulnerabilities are more case-by-case. Similar to Windows PCs, anybody can manufacture the Android phones, and the operating system has to be reconfigured to work with different devices. As a result, updates to address vulnerabilities cannot always quickly be distributed by manufacturers and carriers.
What can be done to manage the risks?
A combination of training and technology can be used to reduce the risks associated with BYOD.
Companies must educate employees about the responsibility they bear when accessing company data on their personal devices. Employees must also be educated about the risks associated with disabling security features, jailbreaking their phone, downloading apps from unknown sources, using open wireless connections and other activities that can compromise security. Employees need to understand that using their personal devices for work purposes requires them to give up a certain amount of freedom. Companies can have employees sign a contract that outlines the rules and consequences for violations, along with the company’s right to remove company data from the phone at any time.
Companies should use technology to enforce a central policy that applies minimum security standards on devices. Many companies implement mobile device management solutions, which assist with enforcing security polices to address the risks associated with lost or stolen phones.
Finally, this is a fast-changing technology area, so companies should always keep an eye on what’s new and assess how it affects their organizations.
Brian Thomas is a partner in IT advisory services at Weaver. Reach him at (713) 800-1050 or [email protected].
Blog: To stay current on audit, tax and advisory issues that may impact your business, visit Weaver’s blog.
Insights Accounting is brought to you by Weaver