Using your own laptop or phone for work? Why it’s a security hazard for businesses
All members of staff, from top executives to junior staff, need to adhere to policies to uphold data security
by Thembekile Olivia Mayayise · TimesLIVE
Next time you’re working in a coffee shop or similar public space, take a moment to look around at your “co-workers” for the day, busy, like you are, with laptops, cellphones and tablets. How many of those devices belong to the organisations that employ them? Or are they — and you — using personal devices to conduct company business?
Many businesses are embracing the convenience of a practice known as “bring your own device”. This allows employees to use their personal or privately owned devices such as smartphones, laptops, USB drives and even personal cloud storage for work purposes. A broader term, “bring your own technology”, encompasses the use of privately owned software for business activities.
According to technology company Cisco’s 2024 Cybersecurity Readiness Index, 85% of the more than 8,000 companies surveyed around the world reported that their employees accessed company platforms using unmanaged devices.
There are undeniable benefits to a “bring your own device” approach. These include lower purchase costs for companies and more flexibility for staff. But the practice is also risky.
Privately owned devices aren’t always well set up for security. They often lack endpoint security controls like anti-virus software and encryption (converting plaintext data into an unreadable format). This leaves them vulnerable to data breaches and other forms of cyberattack.
Such attacks are common and can be costly. Cybersecurity company Kaspersky documented almost 33.8-million mobile cyberattacks worldwide in 2023 — a 50% rise from 2022 figures.
So what can organisations do to reduce the risks associated with “bring your own device”? As a cybersecurity professional who conducts research on and teaches cybersecurity topics, here is my advice for businesses that want to keep their data safe while letting employees use their own technology:
Who should be concerned?
Organisations of all sizes that use internet and communication technology (ICT) for business operations should address the risks that come with “own devices”. This isn’t just a matter for IT departments.
Without collaboration between technical teams and management, it’s impossible to balance operational efficiency and robust data security measures. This should be an immediate priority if:
- your organisation or business has no “bring your own device” policies, standards and guidelines in place;
- you haven’t introduced fundamental technical safeguards for personal devices — these may be virtual private networks, up-to-date anti-virus software, multi-factor authentication, encryption and mobile device management tools;
- your business doesn’t have adequate processes for managing user accounts (often the case for entities without dedicated ICT resources);
- your ICT operations are fragmented, with no uniform standards or practices across departments; or
- the organisation hasn’t assessed the risks of “bring your own device” practices.
It’s never too late to strengthen cybersecurity controls for these practices. As cyber-risks evolve, organisations must adapt to protect their information. Assess the financial and reputational risks of a data breach and you’ll almost certainly find that it’s worth spending money upfront to prevent huge losses in future.
Managing the risks
Organisations with the necessary cybersecurity resources can take measures in-house. Others may need to consider outsourcing in critical areas where there are major gaps.
First, you need a comprehensive “bring your own device” strategy that’s tailored to your organisation’s needs. This should align with organisational objectives and set out who has to have which measures in place. It should outline how letting employees use their own devices for work will meet business needs.
Then, the company must create policies to help in the governance of privately owned devices.
But it’s no use merely putting a policy on paper: communicate it to all staff — and make it easily accessible at all times through platforms such as the intranet. Communicate any policy updates to all users through various channels such as emails or workshops. Provide regular, customised training. Not everybody is tech-savvy; employees may need help to install the necessary safeguards.
And remember to update your team about any changes. It’s crucial to perform regular (monthly or quarterly) or continuous risk assessments and make necessary changes.
Critically, the organisation must monitor and enforce compliance. All members of staff, from top executives to junior staff, need to adhere to policies to uphold data security. Cybersecurity is a shared responsibility and it’s important to be vigilant about certain threats, such as whale phishing — when scammers pretend to be senior officials at a company to specifically target other senior and key officials.
These strategies can help companies to prevent “bring your own device” becoming “bring your own disaster”. A well-managed approach isn’t just a safeguard against threats — it’s an investment in your organisation’s growth, stability and credibility.
• Thembekile Olivia Mayayise is a senior lecturer at the University of the Witwatersrand's School of Business Sciences
This article was first published by The Conversation