Why Every Business Needs a BYOD Policy

Over the past decade, the number of employees who use their own laptops, smartphones, tablets and other devices for work has steadily increased. This ability to bring your own device (BYOD) to work is now possible at nearly 80% of companies in the United States, according to some studies.

Smartphones are nearly ubiquitous. A majority of employees are now using their personal smartphones and other mobile devices for work, at least part of the time.

And with the COVID-19 pandemic triggering a sudden, rapid growth in remote work, the number of employees using smartphones, laptops and other mobile devices has surged even higher.

Benefits — but also substantial risks

There are clear benefits to allowing employees to use their own devices for work. But there are substantial risks as well.

Mobile devices are vulnerable to cyber criminals and cyber risks that can lead to data breaches with far-reaching impact, from significant financial losses to reputational damage. Because employees are now connecting to corporate networks and accessing and downloading company data to their smartphones and other personal devices, BYOD has brought a systemic risk to the networks and information systems of organizations and businesses of all sizes.

The use of a remote workforce may be permanent for many companies, so establishing protocols for device use and security is an immediate concern.

Allowing employees to use their own devices may cut down on your company’s need to provide hardware to workers, as well as your need to insure equipment. But make sure that your written policies on these matters are clear so that employees don’t assume you have any liability for their personal technology. Additionally, having a personal device double for work may lead to employees migrating their work hours outside of established paid time. If your company hasn’t been clear about its expectations and mandates for work hours, you could find yourself facing a wage and hour dispute. You also may have other exposures from family members of employees using the device and accidental transmissions of personal communications, data or photos. Depending on the recipient of such information and that recipient’s response, your business could be named on a complaint. Having a clear, comprehensive BYOD policy can help keep your company out of trouble.

Along with all these considerations, there are also employee privacy issues involved when employers want access to their employees' personal devices, even if those devices are used for business purposes. Some companies have employees sign a document that stipulates the employer will have access to any device used to connect to its networks or containing its proprietary data. Discuss your rights as an employer with your legal counsel.

Cyber threats and devices

When making policy for personal, internet-connected devices, we often think of smartphones, laptops and tablets. But even coffee pots can connect to an organization’s networks. Whether they’re being used for work activities or not, other smart devices such as smart watches, medical devices, vehicles and appliances are vulnerable to attacks from hackers. When connected to enterprise networks, they can put the entire network at risk, so it’s important to control use of your system’s wireless entryways.

Many of the holes in mobile device security are tied to specific weaknesses and threats, including:

  • Connections to nonsecure or rogue Wi-Fi: This includes risks from using open public Wi-Fi found in coffee shops and restaurants or inadvertently connecting a device to a rogue hotspot that is meant to mimic a legitimate access point.
  • Data leakage: An employee may make an intentional or unauthorized transfer of information to an external or unauthorized source.
  • Out-of-date operating systems: Like desktop computers, mobile devices require system and software updates due to bugs and errors. Failing to update an operating system, or using a device that can no longer be updated, can leave mobile devices open to cyber attacks.
  • Password-related issues: This can include anything from disabling passwords, using weak or easy-to-guess passwords, or using the same password for every account.
  • Risky mobile applications: Mobile apps for everything from messaging and social media to banking and shopping have been connected with data breaches and malware attacks.
  • Malware, spyware and ransomware: These can be transferred to a device via emails, bogus websites, spreadsheets and documents with embedded macros, and apps. Once infected, a device can spread trouble wherever it connects.
  • Lost devices: Lost phones, tablets and laptops, and their data, can fall into the hands of bad actors. Also, companies may be unable to wipe data from devices they don’t own, creating another risk of data breach.

Verizon's 2020 Mobile Security Index reports that 39% of the companies studied experienced a security breach involving mobile devices over the past year. Of those incidents, 66% were considered to be major. Despite these grave security threats, more than 50% of companies in the survey did not have a device use policy in place.

BYOD policies and considerations

Information technology (IT) and human resources (HR) can collaborate on creating acceptable-use and BYOD policies.

A company’s IT and HR leadership and outside IT security consultants can work together to create BYOD policies that protect systems, devices and data. Here are some best practices:

  • Create a written policy that clearly details what devices employees may use, how and where they may use them, what apps are authorized to be downloaded and what company information is authorized for download.
  • Communicate the written device policy to all employees and verify that they have received it.
  • Educate employees on device security to make sure they understand how any device can be compromised.
  • Ensure that employees follow basic security protocols, such as updating operating systems and using strong, secure passwords and two-factor authentication.
  • Prohibit use of devices that are not password-secured.

Companies in many industries that handle sensitive information, from health care and financial data to trade secrets, often restrict employees from using personal devices for work and instead provide their employees with devices. If data security is a top priority for your company, it might be best to prohibit the use of personal devices for work.

Cyber liability insurance protection

Purchasing cyber liability insurance is another way that businesses can limit the financial risks associated with cyber threats and vulnerabilities. Cyber liability insurance covers many of the risks from cyber attacks, ransomware and other system compromises. Stand-alone cyber liability policies can cover business losses, including lost or corrupted data, business interruption, identity theft, multiple types of liability and reputation recovery.

Cyber liability insurance policies should be reviewed to determine whether coverage extends to devices owned by employees. Some carriers may offer extended coverage for employee-owned devices being used for business purposes or for a breach that occurs with a business app on employee devices.

If you are allowing employees to use their personal devices for work, review your HR policies and look at your employment practices liability insurance and your workers' compensation insurance to make sure you are not opening yourself up to uncovered claims against your business. With expanded flexibility for employees, you may also find more employees working outside office hours, working while driving (a big no-no) and working under conditions that could cause injury. A BYOD policy can help protect your company against all of these risks.

Blue Ridge Risk Partners is a top 75 independent insurance agency in the United States. With 22 offices and counting throughout Maryland, Pennsylvania, and West Virginia and access to hundreds of carriers, we are able to meet your unique insurance needs.
