
What are the risks of using personal devices for work?

The growing trend of remote work and mobile technology is blurring the lines between personal and professional lives for many of us. Using personal devices for work is undoubtedly more convenient, but it also presents a number of security risks.



In this blog, originally posted by our colleagues at the West Midlands Cyber Resilience Centre, we'll look at the risks of using personal devices for work and offer some advice on how you can help to mitigate them.


The growing trend of BYOD (Bring Your Own Device)


BYOD, or Bring Your Own Device, has grown in popularity. Employees value the flexibility and familiarity of using their own devices, and employers find it more cost-effective than providing all of their employees with brand new devices. However, this trend poses several risks, particularly in industries that handle sensitive information, such as healthcare and home care services.


Security challenges of using personal devices


Data breaches and unauthorised access


Personal devices are more vulnerable to data breaches than company-issued devices, owing to inconsistent security measures. If an employee's device is lost or stolen, sensitive information can easily end up in the wrong hands.


Lack of security updates


Not everyone updates their devices with the most recent security patches on a regular basis; we've all hit the "postpone update" button. Manufacturers must provide regular security updates and bug reporting mechanisms, but it is the user's responsibility to keep their device updated. Failure to do so puts your device and data at risk.


Inadequate encryption


Personal devices may not have proper encryption, making it easier for cybercriminals to intercept and access sensitive information. Encryption ensures that data, even if intercepted, is unreadable without the correct decryption key.


Malware and phishing attacks


Personal devices are used for both personal and professional purposes, which increases the likelihood of malware infection. Employees may unknowingly download malicious software or fall victim to phishing attacks, compromising the security of sensitive work data.


File Sharing and Data Leakage


Sharing files between personal and professional domains may result in data leakage. Employees may accidentally share sensitive files via insecure channels or with unauthorised parties.


Lack of centralised management


Employees may handle sensitive information using unauthorised or insecure apps in the absence of centralised app management. Centralised management ensures that only approved and secure applications are used, which reduces the risk of data breaches.


The significance of rules and regulations


A lack of clear rules and regulations governing the use of personal devices for work can exacerbate security concerns. Companies should establish BYOD policies that address:


Device Security Standards


Make sure to set minimum security standards for personal devices, such as mandatory encryption, multi-factor authentication, regular security updates, and strong password policies.


Acceptable Use Policies


Clearly define acceptable use of personal devices for work purposes, including what activities are and are not permitted.


Access control and monitoring


Implement access controls to ensure that only authorised personnel have access to sensitive information. It's a good idea to set aside some time to ensure that these are regularly monitored so that security incidents can be detected and addressed as soon as possible.



Strategies for reducing risks


Centrally managed applications


Using centrally managed apps improves security by limiting access to sensitive data to specific locations and contexts. For example, home care apps can be configured to only allow data entry when carers are present with patients, preventing unauthorised access outside of working hours.


Two-factor authentication (2FA)


One of the most effective ways to improve the security of personal devices used for work is to use two-factor authentication (2FA) or multi-factor authentication. This increases security by requiring two or more forms of verification before granting access to sensitive data. It's also quick and easy to set up!


Remote Access Control


The ability to remotely revoke access to work apps and data is critical. If an employee's device is lost or stolen, or if they leave the company, their access to sensitive information can be terminated immediately, preventing unauthorised access.


Regular security training


Employees should be educated on best practices for security. Regular training sessions can raise awareness about the risks of using personal devices for work, provide practical tips for protecting sensitive information, and provide an opportunity for your employees to ask questions and receive clarification on issues they are unsure about. For details about the EMCRC's Security Awareness Training and how to book a session, see here.


Asking the Right Questions


To better understand and reduce risks, businesses and employees should ask themselves questions such as:


What are my vulnerabilities?


Identifying potential vulnerabilities in device security and usage patterns can help you focus your cybersecurity efforts where they are most needed.


Are my devices up-to-date?


Ensuring that personal devices have the most recent security updates and patches can significantly reduce the risk of exploitation.


Am I using a secure application?


Using vetted and secure applications for work-related tasks reduces the likelihood of data breaches.


Do I understand how to recognise phishing attempts?


Identifying and avoiding phishing attempts can help prevent unauthorised access to sensitive information.


If you need help with your organisation's cyber security, please contact us to see how we can assist you.


Source: The West Midlands Cyber Resilience Centre

 

 

Reporting

Report all Fraud and Cybercrime to Action Fraud by calling 0300 123 2040 or online. Forward suspicious emails to report@phishing.gov.uk. Report SMS scams by forwarding the original message to 7726 (spells SPAM on the keypad).

 



