...
What is Bring Your Own Device?
Bring Your Own Device (BYOD) is a widespread term for when an organisation allows staff to use their own laptops, tablets or phones for work purposes.
...
Although there may be significant financial savings to be had by allowing staff to use personal computers and phones for work, there are also some serious risks to an organisation’s security and privacy.
If your employees, contractors or volunteers use their own devices for work, what are the risks to your organisation?
By allowing remote access to your organisation from devices that you do not control (non-organisation-owned computers and phones), you increase the risk of material being used by someone for purposes you have not authorised or would not agree to. Company information could be copied, modified, transferred to your competitors or simply made public.
...
The employee who owns the device may leave it lying around unsecured (after all, they are probably working from home), and may allow friends and family to use it. Other issues include controlling the content on, and access to, a private device if your employee leaves your company or sells the device, and erasing your organisation's information if the device is lost or stolen.
Take back control and protect your information
The easiest thing you can do is write and enforce a Bring Your Own Device (BYOD) policy. This might be in addition to, or incorporated into, other key policies such as an IT Acceptable Use Policy, IT Security Policy and Mobile Working Policy.
...
It's important to note that a written policy is not a substitute for applying controls to a BYOD device; technical measures also need to be in place, and the policy should describe how compliance with them is checked.
Here are some suggestions that could be included in the policy:
The operating system and apps must be fully supported by the manufacturer and still receive security updates
Software-based firewalls are activated and configured correctly
Security updates must be installed within 14 days of release
Cyber Essentials password controls are applied to users' own devices (BYODs)
Users logging in on computers and tablets have a day-to-day account that is separate from the administrator account
The device automatically locks when not in use and requires a PIN or passcode of six digits or more to unlock (use a biometric if available)
Anti-malware software is installed on devices and kept updated or, for a mobile device, only apps from the manufacturer's official app store are allowed to be installed
Unused apps should be uninstalled
If the device is lost or stolen, this must be reported to the business promptly
Rooting or jailbreaking is not permitted
A remote erase and tracking app must be installed and activated so you can track a lost device, lock access and erase data. Obtain written consent in advance from the device owner to remotely wipe the device in the event of loss, theft or termination of employment
Clarify how, when and why monitoring will take place, and require the device and its passwords to be handed over on reasonable request
For further risk reduction
Container apps or managed apps are types of software that keep the organisation's data separate from personal data on the device. This allows the organisation to limit monitoring and remote wiping to company data only, which both reduces the privacy impact on the device owner and makes it more likely they will consent to those controls.
...